Payment Card Industry Data Security Standard (PCI DSS) is a set of security standards for companies that handle credit card information. Since the first set of standards was released in 2004, PCI DSS has been updated several times. These changes address the specific security needs of the time as well as changes in technology, threats, and industry practices.
The latest set of standards—PCI DSS 4.0—was officially released in March 2022. While the changes are effective starting March 31, 2024, organizations have a transition period of one year to become compliant.
What is PCI DSS 4.0?
PCI DSS 4.0, the latest version of the Payment Card Industry Data Security Standard, introduces several new requirements and updates aimed at enhancing the security of payment card data.
PCI DSS v4.0 includes a variety of changes that aim to meet four key objectives:
- Continue to meet the security needs of the payment industry
- Promote security as a continuous process
- Add flexibility for different methodologies
- Enhance validation methods
Unlike previous versions that primarily followed a prescriptive set of requirements, PCI DSS 4.0 introduces a more flexible, outcome-based approach.
Organizations can now use customized controls to meet security objectives, allowing for innovation and addressing unique security risks.
The Customized Approach acknowledges that one size does not fit all in the realm of payment security. The approach allows organizations to leverage innovative technologies and approaches to security.
This flexibility does come with the responsibility of ensuring that custom controls are rigorously designed, implemented, and maintained. Organizations must invest in thorough documentation, risk analysis, and validation efforts to prove the efficacy of their custom security measures.
Organizations that don’t need flexibility in implementing and validating PCI DSS may continue to use the traditional Defined Approach, which provides more direction about how to meet security objectives.
When Does PCI DSS 4.0 Go Into Effect?
PCI DSS 4.0 was officially released in March 2022. The transition from PCI DSS 3.2.1 to 4.0 is structured to provide organizations with enough time to adapt to the new requirements. There are two key dates for implementing PCI DSS 4.0.
March 31, 2024: PCI DSS 3.2.1 will be deprecated. Going forward, PCI DSS 4.0 is the standard for compliance assessments. The new requirements are considered best practices until March 31, 2025.
April 1, 2025: The new requirements become mandatory for all organizations to be compliant with PCI DSS 4.0.
This phased approach allows organizations time to understand the new requirements, assess their current security controls against these requirements, and make any necessary adjustments or improvements.
Overview of PCI DSS 4.0 Requirements
The broad categories and requirements remain the same. However, there are 63 new requirements. These changes reflect the evolving threat landscape, advancements in technology, and a shift towards more flexible, outcome-based security practices.
We won’t detail all 63 new requirements here, but here is a summary of the changes for all 12 main requirements.
Build and Maintain a Secure Network and Systems
1. Install and maintain network security controls
Updated to emphasize a broader range of network security controls beyond traditional firewall configurations, including virtual devices and cloud access controls.
2. Apply secure configurations to all system components
Focuses on securing all types of system components, not just those provided by third-party vendors, through standardized configurations to minimize vulnerabilities.
Protect Account Data
3. Protect stored cardholder data
Introduction of additional requirements for data retention and disposal, ensuring that cardholder data is kept only as long as necessary and securely deleted afterward.
4. Protect cardholder data with strong cryptography during transmission over open, public networks
Reflects the need for strong encryption methods to secure data during transmission across untrusted networks.
Maintain a Vulnerability Management Program
5. Protect all systems and networks from malicious software
Broadens the requirement to protect against all forms of malware across all systems and networks, with a focus on keeping anti-malware solutions updated and maintaining security systems that detect and protect against evolving threats.
6. Develop and maintain secure systems and software
Addresses the importance of security in the development and maintenance of systems and software.
Implement Strong Access Control Measures
7. Restrict access to cardholder data by business need-to-know
Focuses on limiting access on a need-to-know basis and according to job responsibilities.
8. Identify users and authenticate access to system components
Highlights the importance of managing user identities and securing access through strong authentication methods. (These requirements do not apply to accounts used by consumers.)
9. Restrict physical access to cardholder data
Emphasizes the need to secure physical access to systems and environments where cardholder data is processed or stored.
Regularly Monitor and Test Networks
10. Log and monitor all access to system components and cardholder data
Updated logging and monitoring requirements to ensure that all access and activity are tracked, with a focus on the timely detection of and response to security incidents.
11. Test security of systems and networks regularly
Focuses on regular testing to identify vulnerabilities and ensure the effectiveness of security controls.
Maintain an Information Security Policy
12. Support information security with organizational policies and programs
Addresses the foundational role of policies, procedures, and security awareness programs in supporting the overall information security framework.
Conclusion
These changes in PCI DSS 4.0 aim to give organizations the flexibility to adapt to new security challenges and to encourage the use of new security technologies and practices, while protecting cardholder data against theft and misuse. Organizations should carefully review these updates and consider their implications for compliance and overall security.