The Payment Card Industry Security Standards Council recently published an update to its information security standard for processing credit and debit card information.
Version 4 of the PCI DSS (Data Security Standard), which takes effect in March 2024, is highlighted by its “customized approach” and its increasing focus on outcome-based requirements.
The move follows widespread changes to the economy and the way organisations operate in the years since v3.2.1 was published. Most notably, there has been COVID-19 and the rapid increase of online and contactless payments.
There has also been an increase in organisations using Cloud platforms to store personal data, while the threat of cyber crime has continued to grow.
So how have those changes been reflected in PCI DSS v4.0? We explain everything you need to know in this blog.
What’s new in PCI DSS v.4.0?
The main change in the PCI DSS is the increased flexibility it provides to organisations depending on their circumstances.
Previous versions of the Standard had been highly prescriptive, with a specific framework on how covered entities must meet their requirements.
With v.4.0, organisations are able to substitute its own control to meet the objective of any PCI DSS requirement in place of the defined requirement.
However, there are strict rules on how organisations can do this. Under the “customized approach”, organisations must define substituted controls, explain how it operates and is maintained, and describe how it meets the objective of the original PCI DSS requirement.
Organisations must also describe how it has tested that the control meets the objective and the results of the testing. Additionally, they are required to complete a risk assessment for every requirement treated this way.
Find out more about how to achieve compliance by reading PCI Audit Success in Nine Essential Steps.
This green paper help organisations to prepare for a PCI audit and ensure a successful outcome.
The latest version of the Standard also overhauls organisations’ scoping requirements. Version 4 introduces a specific requirement stating that covered entities must define and document the scope of the CDE (cardholder data environment), including identifying data flows and any segmentation controls.
This process must be performed annually and after any significant change to the environment.
PCI DSS v4.0 also introduces changes to the risk assessment process. Covered entities are no longer required to conduct an organisation-wide risk assessment, but there are several new rules related to targeted assessments. These include risk assessments in relation to any vulnerability identified and to determine how often the organisation conducts:
- Assessments of components not at risk of malware;
- Malware scans;
- POI device inspections;
- Log reviews for ‘other’ system components;
- Incident response training; and
- Mandatory changes of passwords used for application and system access accounts.
Other changes to the Standard reflect more up-to-date information processing environments. For example, v4.0 recognises that network controls, especially in Cloud environments, do not always use firewalls and routers.
Likewise, the new rules further emphasise the importance of strong passwords, mandating that employees’ login credentials be at least 12 characters (or 8 if the organisation’s systems do not permit such long passwords).
PCI DSS v4.0 also gives organisations the option to determine access to resources automatically by dynamically analysing the security posture of accounts, rather than changing passwords every 90 days.
As well as amending existing requirements, PCI DSS v4.0 introduces several new rules. These include the mandatory use of:
- Automated mechanisms to protect against phishing;
- Web application firewalls; and
- Automated mechanisms to conduct log reviews.
There are also additional requirements relating specifically to application- and system-level accounts.
Finally, there are numerous changes to the wording and numbering of requirements even where the actual requirements have remained largely as they were in v3.2.1.
Where organisations have prepared policies and procedures that cross-refer to specific requirements, this alone will require extensive review and updating of such policies and procedures.
PCI DSS compliance made easy
For those looking for help completing their PCI DSS compliance requirements, IT Governance is here to help.
Our PCI DSS Documentation Toolkit contains everything you need to achieve compliance. It contains template documents and a document checker to ensure you select and amend the appropriate records.
The toolkit supports all self-assessment questionnaires, regardless of your specific payment scenario.
It’s fully aligned with the PCI DSS, so you can be sure that your policies are accurate and compliant. All you have to do is fill in the sections that are relevant to your organisation.