PCI DSS v4.0: What’s New and What You Need to Know
The Payment Card Industry Security Standards Council (PCI SSC) released version 4.0 of its Data Security Standard (PCI DSS v4.0) in late March. Long recognized as the gold standard for retailers and financial institutions when it comes to protecting sensitive cardholder data, the standard shifts its focus in v4.0 to outcome-based requirements.
PCI requirements aren’t legally mandated but are nonetheless required for merchants, service providers and other businesses that store, process or transmit cardholder data. Organizations that fail to meet PCI requirements face financial penalties, revoked services or even suspended accounts from the card brands. In the event that data is compromised, organizations can be held responsible and face an expensive array of fines, increased transaction fees, future prevention services — and even the cost of reissuing cards.
PCI compliance prevents those consequences, and the PCI SSC publishes the requirements in detail. Complying with the standard is one step. Merchants and service providers must also validate that they remain compliant annually, either by undergoing an audit or by self-attesting; which one applies depends on their annual card transaction volume.
The previous version of the standard, v3.2.1, was published in 2018. Much has changed since then. Fueled in part by the pandemic, ecommerce transactions and the use of point-of-sale (PoS) machines have exploded. Technology has continued to evolve, and cloud platforms are now used extensively to store cardholder data. Meanwhile, cyber criminals have kept pace, changing tactics and developing new methods designed to target the payments industry.
PCI DSS v4.0 was reworked with those factors in mind. As stated by PCI SSC, the four high-level goals for the new standards are:
- Ensure the standard continues to meet the security needs of the payments industry
- Add flexibility and support of additional methodologies to achieve security
- Promote security as a continuous process
- Enhance validation methods and procedures
With all that in mind, let’s delve into what’s changed with PCI DSS v4.0.
The New Aspects of PCI DSS v4.0
It’s important to note the foundational elements of PCI DSS — the 12 core requirements — did not change significantly with the unveiling of PCI DSS v4.0. Those remain in place and serve as the critical building blocks for securing payment card data. However, the requirements have been redesigned to dial in on security objectives and guide how security controls should be implemented.
Increased Authentication Requirements
The new standard recognizes that identity and access management play a vital role in safeguarding cardholder data. PCI DSS v4.0 closely aligns with the NIST guidance on digital identities for authentication and life cycle management. As the payments industry has moved to the cloud, stronger authentication requirements for logins to payment and access-control systems are necessary. PCI DSS v4.0 requires:
- Multi-factor authentication (MFA) for all accounts that have access to cardholder data
- Passwords for accounts used by applications and systems must be changed at least every 12 months and upon suspicion of compromise
- Strong passwords for accounts used by applications and systems, which must contain at least 15 characters, including both numeric and alphabetic characters. PCI DSS also requires that a prospective password be compared against a list of known bad passwords.
- Access privileges must be reviewed at least once every six months
- Vendor or third-party accounts may be enabled only as needed and monitored when in use
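The five points above translate naturally into checks an organization can run against its own accounts. The following Python script is an added example, not code from the original article, from Inversion6 or from the PCI SSC: it checks a proposed application/system password for the length, composition and known-bad-list requirements, and checks account metadata for MFA, password age, access-review age and idle third-party accounts. The known-bad password list, the `AccountStatus` record layout, the sample accounts and dates, and the 182-day reading of "every six months" are all constructed assumptions for the example.

```python
"""Added example: checks against the PCI DSS v4.0 authentication points listed
above. All sample data (known-bad list, accounts, dates) is constructed."""
from dataclasses import dataclass
from datetime import date

# Constructed sample of a "known bad" password list; a real deployment would
# load a much larger breach-derived list.
KNOWN_BAD_PASSWORDS = {
    "password12345678",
    "welcome1welcome1",
    "summer2022summer",
}

MIN_PASSWORD_LENGTH = 15     # at least 15 characters
MAX_PASSWORD_AGE_DAYS = 365  # changed at least every 12 months
MAX_REVIEW_AGE_DAYS = 182    # privileges reviewed at least every six months (assumed)


def password_findings(candidate: str, known_bad=KNOWN_BAD_PASSWORDS) -> list:
    """Check a proposed application/system password at the moment it is set.

    Returns a list of human-readable findings; an empty list means the
    password satisfies the length, composition and known-bad checks.
    """
    findings = []
    if len(candidate) < MIN_PASSWORD_LENGTH:
        findings.append(f"shorter than {MIN_PASSWORD_LENGTH} characters")
    if not any(ch.isalpha() for ch in candidate):
        findings.append("contains no alphabetic characters")
    if not any(ch.isdigit() for ch in candidate):
        findings.append("contains no numeric characters")
    # Case-insensitive comparison is a design choice of this example (an
    # assumption, not something the standard prescribes), so trivial case
    # variants of a listed password are rejected as well.
    if candidate.lower() in {bad.lower() for bad in known_bad}:
        findings.append("appears on the known-bad password list")
    return findings


@dataclass
class AccountStatus:
    """Hypothetical record of an account with access to cardholder data."""
    name: str
    mfa_enabled: bool
    password_last_changed: date
    privileges_last_reviewed: date
    suspected_compromise: bool = False
    third_party: bool = False
    enabled: bool = True
    in_use: bool = True


def account_findings(acct: AccountStatus, today: date) -> list:
    """Check account metadata for the MFA, rotation, review and
    third-party-account points; returns a list of findings."""
    findings = []
    if not acct.mfa_enabled:
        findings.append("MFA not enabled")
    if acct.suspected_compromise:
        findings.append("password must be changed: suspected compromise")
    elif (today - acct.password_last_changed).days > MAX_PASSWORD_AGE_DAYS:
        findings.append("password older than 12 months")
    if (today - acct.privileges_last_reviewed).days > MAX_REVIEW_AGE_DAYS:
        findings.append("access privileges not reviewed within six months")
    if acct.third_party and acct.enabled and not acct.in_use:
        findings.append("third-party account enabled while not in use")
    return findings


def audit(accounts, today: date) -> dict:
    """Return {account name: findings} for every account with findings."""
    result = {}
    for acct in accounts:
        found = account_findings(acct, today)
        if found:
            result[acct.name] = found
    return result


# Constructed sample accounts and reference date for a stand-alone run.
SAMPLE_TODAY = date(2022, 6, 1)
SAMPLE_ACCOUNTS = [
    AccountStatus("svc-payments", True, date(2022, 1, 15), date(2022, 3, 1)),
    AccountStatus("svc-batch", False, date(2021, 2, 1), date(2021, 10, 1)),
    AccountStatus("vendor-support", True, date(2022, 5, 1), date(2022, 5, 1),
                  third_party=True, in_use=False),
]

if __name__ == "__main__":
    for pw in ("Summer2022summer", "correct-horse-battery-7x"):
        print(pw, "->", password_findings(pw) or ["ok"])
    for name, found in audit(SAMPLE_ACCOUNTS, SAMPLE_TODAY).items():
        print(name, "->", found)
```

Passwords are checked only at the moment they are set and never stored by the script; the account audit works from metadata alone, which is how a scheduled compliance job would run it against an identity store.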
New Customized Approach
PCI DSS v4.0 introduces an alternate option for meeting compliance: customized implementation. This approach considers the intent of the objective and allows entities to design their own security controls to meet it. This customized control can then be assessed in place of the control that is being substituted, allowing for a long-term customization rather than a shorter-term “compensating” control. This gives the PCI DSS similar flexibility to that found within ISO 27001. That said, expect auditors to challenge customized controls. Trying to replace the entire PCI control set with your own probably won’t fly, but in a few strategic cases this option may prove very useful for some merchants and service providers.
Clarification to “Significant Change”
Several key PCI DSS concepts were clarified in the new standard, and chief among them was a more substantial definition of a “significant change.” While an exact definition of this qualifier remains absent, PCI DSS v4.0 now provides examples and descriptions of what constitutes a “significant change.” This is a key addition because of the many interim adaptations and updates in the mobile payments industry in the United States.
What’s the Timeline for PCI DSS v4.0?
Adopting PCI DSS v4.0 will remain optional until March 31, 2024, when PCI DSS v3.2.1 will be retired. Assessments performed after that date must be under version 4.0. Companies will be able to opt in to version 4.0 in the coming months once the self-assessment questionnaires and other supporting documents are released.
This two-year transition period gives organizations time to learn about the changes, update their reporting forms and implement new processes to meet the updated requirements.
Several of the new requirements added for version 4.0 will not become mandatory until March 31, 2025 — nearly three years from now. Until that date these requirements are considered best practices for entities that opt in to PCI DSS v4.0 early.
Smart organizations won’t wait until the last minute to begin moving towards these new requirements but will begin now and give themselves plenty of time to budget and implement new solutions.
Inversion6 Walks You Through the Process
The PCI DSS v4.0 changes are just one of several new security standards enacted in 2022. Working with a trusted security partner with a well-established track record in cybersecurity compliance is essential to navigating a path forward.
- An update to ISO 27001 (data protection) was also released this spring, its first in a decade.
- New requirements are on the way from the SEC for cybersecurity disclosures.
- The Cybersecurity Maturity Model Certification (CMMC) program (standards for defense industrial base contractors and subcontractors) is undergoing changes.
- The newest version of HITRUST CSF (9.6) (healthcare sector data) was released in February.
At Inversion6, we provide a full suite of information security services to help you define your strategy, deploy the right technology and protect you from malicious attacks. From virtual CISOs to full-service MSSP, we partner with you to protect your business at every level.
Connect with Inversion6 today to talk to one of our experts or schedule a free consultation to learn how we can keep your organization safe.