It’s finally here. On March 31, the PCI Security Standards Council (PCI SSC) released the long-awaited v4.0 of the Payment Card Industry Data Security Standard (PCI DSS), establishing a new baseline of technical and operational standards for protecting account data.
PCI DSS v4.0 replaces PCI DSS v3.2.1 to better address emerging threats and technologies and provide “innovative” ways to combat new threats, according to the PCI SSC. The revised standard reflects more than 6,000 pieces of feedback from more than 200 organizations, which, the PCI SSC noted in a statement, ensures that it “remains relevant in the complex and ever-changing payment security environment.”
‘Next-Generation’ Standard, New Objectives
Not surprisingly, the PCI SSC deems v4.0 a “next-generation” standard, with some new objectives and, accordingly, significant changes. Specifically:
- Developing security methods as threats change, so as to continue to fulfill the security needs of the payments industry. In keeping with this objective, multi-factor authentication (MFA) requirements are more stringent than in the past, while password requirements have been updated. New e-commerce and phishing standards have been implemented to address current concerns about these issues.
- Adding new requirements with an ongoing understanding of security, so as to promote security as a continuous process. Accordingly, v4.0 contains assigned roles and responsibilities for each requirement and includes guidance to help merchants better understand how to implement and maintain security. The reporting option highlights areas for improvement and provides for greater transparency for report reviewers.
- Incorporating new requirements to enable more options and support payment technology innovation, in turn giving organizations greater flexibility in achieving their security goals. Consequently, the updated standard includes provisions for permissions on group, shared, and public accounts. Provisions for targeted risk analysis, intended to let organizations set the frequency of performing certain activities, are also included under the umbrella of this objective. So, too, are provisions that give organizations the opportunity to use a customized approach to achieve their security goals. The latter, according to the PCI SSC, is a “new way to enforce and validate PCI DSS requirements.”
- Developing detailed verification and reporting options to improve verification methods and procedures. PCI DSS v4.0 consequently features increased congruence between information reported in a PCI Compliance Report or Self-Assessment Questionnaire and information summarized in an Attestation of Compliance.
Changes Explained
The PCI SSC has, on its website, also laid out a high-level overview of some of the key changes reflected in the updated standard. Specifically:
- In the heading of Requirement 1, the term “network security controls” replaces the term “firewalls and routers” to support a broader range of technologies used to attain security objectives traditionally met by firewalls.
- The core requirements header of Requirement 2 now reflects a focus on secure configurations in general, rather than the previous focus on manufacturer-provided defaults.
- Requirement 3 features an updated main requirements header to reflect the focus on account data.
- An updated core requirement header for Requirement 4 reflects a focus on “core cryptography” to protect the transmission of cardholder data.
- An updated core requirement header for Requirement 5 reflects a focus on protecting all systems and networks from malware. The term “anti-virus” has been replaced by “anti-malware” to support a wider range of technologies used for security goals typically met by anti-virus software.
- The core requirement header for Requirement 6 has been updated with the replacement of the term “applications” with the term “software.” A clarification in this requirement stipulates that Requirement 6 applies to all system components. One exception: Requirement 6.2 applies only to custom-developed software.
- Requirement 8 standardizes on the terms “authentication factor” and “authentication information” and no longer includes the term “non-consumers.” It features a clarification that the requirements do not apply to accounts used by “consumers” (cardholders). The statement that the requirements do not apply to user accounts that only have access to one card number at a time has been moved to each applicable criterion.
- Requirement 10 features an updated core requirement header to reflect a focus on audit logs, system components, and cardholder data. The term “audit traces” replaces the term “audit logs.”
- An updated core requirement heading for Requirement 12 reflects a focus on corporate policies and programs that support information security.
Transition Period
PCI DSS v3.2.1 will be operational for two years, with a transition period between that version and v4.0 spanning March 2022 to March 31, 2024. As of March 31, 2024, v3.2.1 will be retired and v4.0 will be the only active version of the standard. The transition period is meant to allow organizations time to grasp the changes in v4.0 and apply the necessary adjustments.