by

PCI DSS v4.0 - What's New?

The PCI DSS is a global standard that provides a baseline of technical and operational requirements designed to protect payment data. It has been over 8 years since the last major update but now the PCI DSS v4.0 is out. The PCI DSS v4.0 replaces version 3.2.1 to address emerging threats and technologies and enable innovative methods to combat new threats. The PCI DSS v4.0 provides the most comprehensive information security standard for companies forming a baseline of technical and operational requirements designated to protect payment data. The development of PCI DSS v4.0 was driven by industry feedback with more than 200 organisations providing feedback on over 6,000 items over a period of three years. This is because the PCI Security Standards Council is continually looking at the way the industry operates and looking for ways to improve it. The PCI Security Standards Council’s mission is to enhance global payment account data security by developing standards and supporting services that drive education, awareness, and effective implementation by stakeholders.

The current version of PCI DSS, v3.2.1, will remain active for two years until it is retired on 31 March 2024 to provide organisations time to understand the changes in version 4.0 and implement any updates needed. Any assessments performed after that date will have to be under version 4.0. Organisations will be able to opt-in to version 4.0 in the coming months once the supporting documentation is released.

Several of the new requirements added for version 4.0 will not become mandatory until 31 March 2025. Until that date, these requirements are considered “Best Practice” for entities that opt-in to version 4.0 early.

With PCI DSS 4.0 merchants and service providers have additional checks to perform:

Yearly or after significant change documentation and confirmation of the PCI DSS scope of the in-scope environment (PCI DSS 12.5.2) with additional documentation requirements for service providers (PCI DSS 12.5.2.1-2).

Customised approach controls: Target risk analysis is required yearly with written approvals by senior management (PCI DSS 13.3.2). In PCI DSS v4.0, custom controls are allowed to be implemented for most requirements to the extent that customised controls are needed to meet PCI DSS requirements. The defined approach means following the control processes for the requirements already laid out in PCI DSS v4.0. 

The customised approach means following a custom control process, or controls adopted by the assessed entity, that may be somewhat different from the defined approach but still meet the stated security objective of the requirement.

Yearly risk analysis for any controls that have flexibility for the frequency of controls (PCI DSS 13.3.1). Please note that this is best practice until 2025.

Yearly review for cipher suites and protocols (PCI DSS 12.3.3). Please note that this is best practice until 2025. Under this new requirement, you are now obligated to document and review cryptographic cipher suites and protocols at least annually. Reviews should include information such as: The categorisation of information system the cryptographic cipher protects, an assessment of cryptographic cipher effectiveness and a determination if the cipher is necessary for the operational function of information system(s). Information security requirements must be met and integrated in the enterprise architecture and system development life cycle process. They should also align with business and risk strategies as established by senior leadership.

Tackling outdated technologies: At least an annual review of hardware and software technologies in use with a plan to remediate outdated technologies. This requires approval by senior management (PCI DSS 12.3.4). Please note that this is best practice until 2025.

Looking overall at the changes in PCI DSS v4.0, it continues to meet the security needs of the payment industry. It offers evolving requirement changes to ensure that the standard is up to date with emerging threats and technologies as well as changes in the payment industry. There are clarification updates to wording, explanation, definition, additional guidance, and/or instruction to increase understanding or provide further information or guidance on a particular topic. There are also structural changes such as reorganisation of content, including combining, separating, and renumbering of requirements to align content.

The new standard provides extended multi-factor authentication requirements with updated password requirements and e-commerce and phishing requirements to address ongoing threats. At the same time, it is promoting security as a continuous process with clearly assigned roles and responsibilities for each requirement adding guidance to help people better understand how to implement and maintain security.

It provides increased flexibility for organisations using different methods to achieve security objectives allowing more options to achieve a requirement’s security objective, supporting payment technology innovation. It also supports enhanced validation methods and procedures with increased alignment between information reported in a Report on Compliance or Self-Assessment Questionnaire and information summarised in an Attestation of Compliance.

ProCheckUp recommends an early assessment against the new PCI DSS 4.0 standard to highlight opportunities for improvement and compliance gaps.

Table of Changes

There are changes to the PCI DSS introductory sections, general changes to the PCI DSS requirements and additional changes per requirement. With regards to the latest, there is a number of new requirements or requirement bullets points.  These can be seen next:

2.1.2

Roles and responsibilities for performing activities in this requirement are documented, assigned, and understood.

New requirement bullet point

3.1.2

Roles and responsibilities for performing activities in this requirement are documented, assigned, and understood.

New requirement

3.2.1

Any SAD stored prior to completion of authorization is kept to a minimum through implementation of data retention and disposal policies, procedures, and processes.

New requirement bullet point

3.3.2

 

SAD stored electronically prior to completion of authorization is encrypted using strong cryptography

New requirement bullet point

3.4.2

 

(moved from 12.3.10) Technical controls to prevent copy and/or relocation of PAN when using

remote-access technologies except with explicit authorization.

 

New requirement bullet point

3.5.1.1

Hashes used to render PAN unreadable (per the first bullet of Requirement 3.5.1) are keyed cryptographic hashes of the entire PAN with associated key management processes and procedures

 

New requirement bullet point

3.5.1.2

 

Implementation of disk-level or partition level encryption when used to render PAN unreadable.

New requirement bullet point

3.6.1.1

A documented description of the cryptographic architecture includes prevention of the use of cryptographic keys in production and test environments

New requirement bullet point

4.1.2

Roles and responsibilities for performing activities in Requirement 4 are documented, assigned, and understood

New requirement

4.2.1

Certificates used to safeguard PAN during transmission over open, public networks are confirmed as valid and are not expired or revoked.

New requirement bullet point

3.6.1.1

A documented description of the cryptographic architecture includes prevention of the use of cryptographic keys in production and test environments

New requirement bullet point

4.1.2

Roles and responsibilities for performing activities in Requirement 4 are documented, assigned, and understood

New requirement

4.2.1.1

An inventory of the entity’s trusted keys and certificates is maintained.

New requirement bullet point

5.1.2

Roles and responsibilities for performing activities in Requirement 5 are documented, assigned, and understood.

New requirement

5.2.3.1

A targeted risk analysis is performed to determine frequency of periodic evaluations of system components identified as not at risk for malware

New requirement bullet point

5.3.2.1

A targeted risk analysis is performed to determine frequency of periodic malware scans.

 

New requirement bullet point

5.3.3

Anti-malware scans are performed when removable electronic media is in use.

New requirement bullet point

5.4.1

Mechanisms are in place to detect and protect personnel against phishing attacks.

New requirement bullet point

6.1.2

Roles and responsibilities for performing activities in Requirement 6 are documented, assigned, and understood.

New requirement

6.3.2

Maintain an inventory of bespoke and custom software to facilitate vulnerability and patch management.

New requirement bullet point

6.4.2

Deploy an automated technical solution for public-facing web applications that continually detects and prevents web based attacks.

New requirement bullet point

6.4.3

Manage all payment page scripts that are loaded and executed in the consumer’s browser.

New requirement bullet point

7.1.2

Roles and responsibilities for performing activities in Requirement 7 are documented, assigned, and understood.

New requirement

7.2.4

Review all user accounts and related access privileges appropriately.

New requirement bullet point

7.2.5

Assign and manage all application and system accounts and related access privileges appropriately

New requirement bullet point

7.2.5.1

Review all access by application and system accounts and related access privileges.

New requirement bullet point

8.1.2

Roles and responsibilities for performing activities in Requirement 8 are documented, assigned, and understood.

New requirement

8.3.6

Minimum level of complexity for passwords when used as an authentication factor.

New requirement bullet point

8.3.10.1

If passwords/passphrases are the only authentication factor for customer user access, passwords/passphrases are changed at least every 90 days or the security posture of accounts is dynamically analyzed to determine real time access to resources.

New requirement bullet point

8.4.2

Multi-factor authentication for all access into the CDE.

New requirement bullet point

8.5.1

Multi-factor authentication systems are implemented appropriately.

New requirement bullet point

8.6.1

Manage interactive login for accounts used by systems or applications.

New requirement bullet point

8.6.2

Passwords/passphrases used for interactive login for application and system accounts are protected against misuse.

New requirement bullet point

8.6.3

Passwords/passphrases for any application and system accounts are protected against misuse.

New requirement bullet point

9.1.2

Roles and responsibilities for performing activities in Requirement 9 are documented, assigned, and understood.

New requirement

9.5.1.2.1

A targeted risk analysis is performed to determine frequency of periodic POI device inspections.

New requirement bullet point

10.1.2

Roles and responsibilities for performing activities in Requirement 10 are documented, assigned, and understood.

New requirement

10.4.1.1

Audit log reviews are automated.

New requirement bullet point

10.4.2.1

A targeted risk analysis is performed to determine frequency of log reviews for all other system components.

New requirement bullet point

10.7.2

Failures of critical security control systems are detected, alerted, and addressed promptly.

New requirement bullet point

10.7.3

Failures of critical security control systems are responded to promptly.

New requirement bullet point

11.1.2

Roles and responsibilities for performing activities in Requirement 11 are documented, assigned, and understood.

New requirement

11.3.1.1

Manage all other applicable vulnerabilities (those not ranked as high risk or critical).

New requirement bullet point

11.3.1.2

Internal vulnerability scans are performed via authenticated scanning.

New requirement bullet point

11.4.7

Multi-tenant service providers support their customers for external penetration testing.

New requirement bullet point

11.5.1.1

Covert malware communication channels detect, alert and/or prevent, and address via intrusion-detection and/or intrusion-prevention techniques.

New requirement bullet point

11.6.1

A change-and-tamper-detection mechanism is deployed for payment pages.

New requirement bullet point

12.3.1

A targeted risk analysis is documented to support each PCI DSS requirement that provides flexibility for how frequently it is performed

New requirement bullet point

11.3.1.2

Internal vulnerability scans are performed via authenticated scanning.

New requirement bullet point

12.3.2

A targeted risk analysis is performed for each PCI DSS requirement that is met with the customized approach.

New requirement

12.3.3

Cryptographic cipher suites and protocols in use are documented and reviewed.

New requirement bullet point

12.3.4

Hardware and software technologies are reviewed.

New requirement bullet point

12.5.2

PCI DSS scope is documented and confirmed at least once every 12 months

New requirement

12.5.2.1

PCI DSS scope is documented and confirmed at least once every six months and upon significant changes.

New requirement bullet point

12.6.2

The security awareness program is reviewed at least once every 12 months and updated as needed.

New requirement bullet point

12.6.3.1

Security awareness training includes awareness of threats that could impact the security of the CDE, to include phishing and related attacks and social engineering.

New requirement bullet point

12.6.3.2

Security awareness training includes awareness about acceptable use of end user technologies.

 

New requirement bullet point

12.9.2

TPSPs support customers’ requests to provide PCI DSS compliance status and information about PCI DSS requirements that are the responsibility of the TPSP.

 

New requirement

12.10.4.1

 (best practice until 2025) A targeted risk analysis is performed to determine frequency of periodic training for incident response personnel.

New requirement bullet point

12.10.7

Incident response procedures are in place and initiated upon detection of PAN.

New requirement bullet point

A1.1.1

The multi-tenant service provider confirms access to and from customer environment is logically separated to prevent unauthorized access.

New requirement bullet point

A1.1.4

The multi-tenant service provider confirms effectiveness of logical separation controls used to separate customer environments at leave once every six months via penetration testing.

New requirement bullet point

A1.2.3

The multi-tenant service provider implements processes or mechanisms for reporting and addressing suspected or confirmed security incidents and vulnerabilities.

New requirement bullet point

A3.3.1

Failures of the following are detected, alerted, and reported in a timely manner: Automated log review mechanisms Automated code review tools.

New requirement bullet point

Appendix D

Customized Approach

New section

Appendix E

Sample Templates to Support Customized Approach

New section

Appendix F

Leveraging the PCI Software Security Framework to Support Requirement 6

New section

Appendix G

PCI DSS Glossary of Terms, Abbreviations, and Acronyms

New section