The Future is Now, PCI DSS 4.0

When customers provide a company with their credit card information, they trust that their data will be processed, stored, and transmitted securely. To ensure that businesses meet that expectation, the major credit card companies, alongside the PCI Security Standards Council, created the Payment Card Industry Data Security Standard, or PCI DSS for short. PCI DSS is a set of technical and operational requirements intended to protect account data, combat fraud, and reduce the chances of a data breach.

PCI DSS v4.0 was officially released on March 31st, 2022. As technology evolves, so do the tactics and capabilities of bad actors trying to compromise systems. The changes between PCI DSS v3.2.1 and v4.0 are therefore intended to align the standard with the latest developments in the security landscape, extend its requirements into a few emerging technology areas, and give businesses clearer guidance to follow.

To give organizations time to understand the changes in version 4.0, the current version of PCI DSS, v3.2.1, will remain active for two years until it is retired on March 31, 2024. Once assessors have completed training in PCI DSS v4.0, organizations may assess against either PCI DSS v4.0 or PCI DSS v3.2.1 until that date. The standard also provides additional time for organizations to implement many of the new requirements.

Updates to the standard focus on meeting the evolving security needs of the payments industry, promoting security as a continuous process, increasing flexibility for organizations using different methods to achieve security objectives, and enhancing validation methods and procedures. Details about the updates can be found in the PCI DSS v4.0 Summary of Changes document on the PCI SSC website.

Key areas of focus and examples of the changes in PCI DSS v4.0 include:

1. Continue to meet the security needs of the payments industry.

  • Expanded multi-factor authentication requirements.
  • Updated password requirements.
    • Passwords/passphrases for accounts used by applications and systems are changed at least every 12 months and upon suspicion of compromise.
    • Passwords/passphrases for accounts used by applications and systems meet the following minimum level of complexity: at least 15 characters, containing both numeric and alphabetic characters, and prospective passwords/passphrases are compared against a list of known bad passwords, as PCI DSS requires.
  • New e-commerce and phishing requirements to address ongoing threats.

2. Promote security as a continuous process.

  • Clearly assigned roles and responsibilities for each requirement.
  • Added guidance to help people better understand how to implement and maintain security.
  • New reporting option to highlight areas for improvement and provide more transparency for report reviewers.

3. Increase flexibility for organizations using different methods to achieve security objectives.

  • Allowance of group, shared, and generic accounts.
  • Targeted risk analyses empower organizations to establish frequencies for performing certain activities.
  • Customized approach, a new method to implement and validate PCI DSS requirements, provides another option for organizations using innovative methods to achieve security objectives.

4. Enhance validation methods and procedures.

  • Increased alignment between information reported in a Report on Compliance or Self-Assessment Questionnaire and information summarized in an Attestation of Compliance.
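The two password bullets under item 1 (rotation at least every 12 months or on suspected compromise; at least 15 characters, both numeric and alphabetic, and screened against a known-bad list) are concrete enough to turn into an automated check. The following is an added example, not code from PCI SSC or Brockton Point Solutions; the known-bad list and the account records are constructed samples.

```python
"""Checks modelled on the application/system-account password bullets above.
The known-bad list here is a constructed stand-in for a real breached-password feed."""
from datetime import date, timedelta

MIN_LENGTH = 15                 # minimum length stated on the page
MAX_AGE = timedelta(days=365)   # "changed at least every 12 months"

# Constructed sample; a real deployment would load a maintained breached-password list.
KNOWN_BAD = {
    "password123456789",
    "welcome1welcome1",
    "summer2022summer",
}


def check_complexity(candidate: str) -> list[str]:
    """Return the complexity rules the candidate fails (empty list means it passes)."""
    failures = []
    if len(candidate) < MIN_LENGTH:
        failures.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isdigit() for c in candidate):
        failures.append("no numeric character")
    if not any(c.isalpha() for c in candidate):
        failures.append("no alphabetic character")
    if candidate.lower() in KNOWN_BAD:
        failures.append("appears on known-bad password list")
    return failures


def rotation_due(last_changed: date, today: date, suspected_compromise: bool = False) -> bool:
    """True when the rotation rule requires a change now: older than 12 months or suspected compromise."""
    return suspected_compromise or (today - last_changed) > MAX_AGE


def audit_accounts(accounts: list[dict], today: date) -> dict[str, list[str]]:
    """Map each account name to its findings; accounts with no findings are omitted."""
    findings = {}
    for acct in accounts:
        problems = check_complexity(acct["password"])
        if rotation_due(acct["last_changed"], today, acct.get("suspected_compromise", False)):
            problems.append("rotation due")
        if problems:
            findings[acct["name"]] = problems
    return findings


if __name__ == "__main__":
    # Constructed sample service accounts, as an inventory export might provide them.
    sample = [
        {"name": "svc-batch", "password": "correct-horse-battery-9", "last_changed": date(2022, 6, 1)},
        {"name": "svc-report", "password": "password123456789", "last_changed": date(2021, 1, 15)},
    ]
    for name, problems in audit_accounts(sample, date(2022, 12, 1)).items():
        print(name, "->", "; ".join(problems))
```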

The term ‘PCI compliant’ is not an empty buzz-phrase but something potential clients and customers are actively seeking. Consumers will always opt to work with compliant rather than noncompliant organizations. There is no getting around that. Noncompliance is linked in people’s minds to higher risk and a lack of professionalism. Reach out to Brockton Point Solutions to learn how we can help you prepare for the changes and remain compliant as the industry shifts to PCI DSS v4.0.
