Navigating the Impact of PCI DSS v4.0: The Top 9 New Requirements Service Providers Need to Be Aware of

September 27, 2023

At a glance

  • Main takeaway: Identifying all the changes brought on by PCI DSS v4.0 will take some time, but we highlighted the top 9 requirements that will have the biggest impact.
  • Impact on your business: While the new requirements in PCI DSS v4.0 will reshape the compliance landscape for everyone involved, service providers will be the most impacted.
  • Next steps: Aprio’s Information Assurance Services team can navigate your company through the implementation and impact of PCI DSS v4.0.
Are you ready to learn more? Schedule a conversation with our team.

The full story:

The ever-evolving landscape of data security standards is once again poised to send ripples through the business world, and this time, it’s the new version of PCI DSS that’s taking center stage. The imminent changes in PCI DSS v4.0 are on the brink of reshaping the compliance landscape for everyone involved, from the most complex of service providers to the online merchants who have so far contended with relatively minimal compliance requirements. However, within this shifting landscape, it’s the service providers who will be the most impacted.

This article zeroes in on some of the highest impact changes that will affect service providers. Although this article is not exhaustive, hopefully it will provide you with a high-level overview of the changes that have the greatest potential to disrupt security operations, capital and human resource expenditures, and changes to software and infrastructure.

A Note about Future-Dated Requirements:

PCI DSS v4.0 is laced with future-dated requirements. The PCI Security Standards Council released PCI DSS v4.0 on March 31, 2022, allowing all stakeholders ample time to strategize and implement the requisite changes. Each requirement described here includes its implementation deadline.

Please note that PCI DSS v3.2.1 will be retired on March 31, 2024, and that the future-dated requirements are considered best practice until March 31, 2025, after which they become mandatory.

The Top 9 New Requirements Reshaping Service Providers’ Landscape in PCI DSS v4.0

Requirements 2 through 11 (sub-requirement x.1.2 of each): Roles and Responsibilities
Effective immediately with PCI DSS v4.0

Effective immediately with PCI DSS v4.0, entities are required to document the roles and responsibilities within the organization for performing the activities defined in each PCI DSS requirement (the new sub-requirement 2.1.2, 3.1.2 and so on through 11.1.2). These sub-requirements may be addressed through either a standalone responsibility document or integration within established policies. A RACI matrix is a plausible strategy for addressing this requirement, but more complex organizations may need to document roles and responsibilities directly within policies or procedures. Personnel are also required to acknowledge their acceptance and understanding of these responsibilities.

PCI does not prescribe a methodology for meeting these requirements, leaving the entity free to decide on which approach best suits their needs.

Requirement 3.5.1.1: New Requirements for Use of Cryptographic Hashing
Effective as of 03/31/2025

PCI has strengthened multiple requirements related to the security of account data at rest. Of these, Requirement 3.5.1.1 may present a serious challenge for software publishers who have relied on unkeyed hash functions (a plain SHA-256 of the PAN, for example) to render Primary Account Numbers (PAN) unreadable within the Cardholder Data Environment (CDE). The weakness is structural: once the BIN and the last four digits are known, as they are wherever a truncated PAN is displayed or stored alongside the hash, only a few digits remain unknown, and an unkeyed hash can be reversed by simply enumerating them.

Moving forward, any hash used to render PAN unreadable must be a keyed cryptographic hash of the entire PAN, with associated key-management processes and procedures in accordance with Requirements 3.6 and 3.7 (generation, distribution, storage and rotation of the hashing key). Replacing an unkeyed hash also means existing hashed values must be regenerated from the PAN, which is worth planning for early.
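The following is an added example (not code from the original article, and not a PCI SSC-supplied routine) showing why 3.5.1.1 matters in practice. It assumes the attacker holds a stored hash plus the truncated PAN (first 8 and last 4 digits, the maximum truncation v4.0 permits for a 16-digit PAN), which leaves four unknown digits. Against a plain SHA-256 the PAN is recovered in at most 10,000 guesses; against an HMAC-SHA256 over the entire PAN the same search fails without the key. The PAN is a well-known Luhn-valid test number, and the random key stands in for one issued by the key-management process the requirement calls for.

```python
import hashlib
import hmac
import secrets
from typing import Callable, Optional

# Constructed example input: a Luhn-valid test PAN, not a real card number.
TEST_PAN = "4111111111111111"

# Assumption: in production this key comes from the entity's key-management
# process (an HSM or KMS, per Requirements 3.6/3.7); a random key stands in here.
HASH_KEY = secrets.token_bytes(32)


def luhn_valid(pan: str) -> bool:
    """Return True if the digit string passes the Luhn check used for PANs."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit counting from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def unkeyed_hash(pan: str) -> str:
    """What 3.5.1.1 no longer allows: an unkeyed SHA-256 of the PAN."""
    return hashlib.sha256(pan.encode()).hexdigest()


def keyed_hash(pan: str, key: bytes) -> str:
    """What 3.5.1.1 requires: a keyed hash (HMAC-SHA256) over the entire PAN."""
    return hmac.new(key, pan.encode(), hashlib.sha256).hexdigest()


def recover_pan(first8: str, last4: str, target: str,
                hash_fn: Callable[[str], str]) -> Optional[str]:
    """Attacker's view: the truncated PAN leaves four unknown digits. Enumerate
    them, skip Luhn-invalid candidates, and compare each hash to the stored one."""
    for middle in range(10_000):
        candidate = f"{first8}{middle:04d}{last4}"
        if not luhn_valid(candidate):
            continue
        if hmac.compare_digest(hash_fn(candidate), target):
            return candidate
    return None


def demo() -> dict:
    """Run the enumeration against an unkeyed and a keyed stored value."""
    first8, last4 = TEST_PAN[:8], TEST_PAN[-4:]
    stored_unkeyed = unkeyed_hash(TEST_PAN)
    stored_keyed = keyed_hash(TEST_PAN, HASH_KEY)
    # The attacker does not hold HASH_KEY; any guessed key produces unrelated digests.
    guessed_key = b"not the real key"
    return {
        "unkeyed_recovered": recover_pan(first8, last4, stored_unkeyed, unkeyed_hash),
        "keyed_recovered": recover_pan(first8, last4, stored_keyed,
                                       lambda p: keyed_hash(p, guessed_key)),
        # The legitimate system, holding the key, still gets a deterministic match,
        # so keyed hashes remain usable for lookups and de-duplication.
        "keyed_verifies": hmac.compare_digest(keyed_hash(TEST_PAN, HASH_KEY),
                                              stored_keyed),
    }


if __name__ == "__main__":
    print(demo())
```

Note that the keyed hash is still deterministic for a given key, which is what keeps it useful for matching records; the security rests entirely on the key, which is why the requirement ties it to the key-management controls in 3.6 and 3.7 rather than to the choice of hash algorithm.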

Requirement 3.5.1.2-3: Encryption Requirements Beyond Full Disk Encryption
Effective as of 03/31/2025

The era of disk-level (or partition-level) encryption, frequently referred to as Full Disk Encryption (FDE), as a sole control for safeguarding PAN on servers and workstations is drawing to a close. Requirements 3.5.1.2 and 3.5.1.3 (building on the keyed-hash rule in 3.5.1.1) introduce a series of new requirements for securing data at rest through more effective implementation of cryptography. Taken together, these requirements include:

  • Any hash used to render PAN unreadable must be a keyed cryptographic hash of the entire PAN (3.5.1.1).
  • FDE may be used as the sole means of rendering PAN unreadable only on removable electronic media. On non-removable media it must be combined with another mechanism from Requirement 3.5.1: one-way (keyed) hashing, truncation, index tokens, or strong cryptography with associated secure management of the encryption keys (3.5.1.2).
  • Where FDE is used, logical access to the encrypted data, the decryption keys and the authentication factors used to access the data must be managed separately and independently of the native operating system's authentication and access controls, and decryption keys must not be tied to user accounts (3.5.1.3).

In short, FDE remains acceptable on its own only for removable media; everywhere else it is at best a supplementary layer.

Requirement 6.4.3: Ensuring Integrity of Payment Page Scripts
Effective as of 03/31/2025

Software publishers and SaaS payment solution providers will soon be faced with the requirement to provide additional security and integrity safeguards for payment page scripts that are loaded and executed in the consumer's browser. Requirement 6.4.3 calls for a method to confirm that each script is authorized, a method to assure the integrity of each script, and an inventory of all scripts with a written justification for why each is necessary. PCI states that the intent of the new requirement is not to require installation of additional software or browser plugins on the consumer's browser.

Rather, PCI suggests addressing the requirement through solutions such as the following:

  • Sub-resource integrity (SRI), which allows the consumer browser to validate that a script has not been tampered with.
  • A Content Security Policy (CSP), which limits the locations the consumer browser can load a script from and transmit account data to.
  • Proprietary script or tag-management systems, which can prevent malicious script execution.

These are all suggestions, as PCI does not limit the techniques that may be used to meet the requirement.

Requirement 8.4.2-3: MFA Is Required for All CDE Access
Effective as of 03/31/2025

Multi-factor authentication (MFA) will become mandatory for all access into the CDE (8.4.2), in addition to the existing requirement for all remote network access originating from outside the entity's network (8.4.3). This expands on PCI DSS v3.2.1, where MFA was required only for non-console administrative access into the CDE and for remote access from outside the network. The criteria for a sound MFA implementation are further defined as well (8.5.1), banishing the practice of employing the same factor type twice as a suitable MFA strategy. Entities should consider the impact to budgets if they do not already have an MFA solution implemented for all access into the CDE.

Requirement 10.4.1.1: Audit Log Reviews Must Be Automated
Effective as of 03/31/2025

Automated mechanisms for performing audit log reviews will become mandatory. The daily review itself (Requirement 10.4.1) does not go away; what changes is that it can no longer be satisfied by manual inspection alone. While many organizations have already embraced Security Information and Event Management (SIEM) solutions for log consolidation and review, this change will provide additional impetus to implement a centralized logging solution with automated alerting.

Requirement 11.3.1.2: Internal Vulnerability Scans Require Authenticated Scanning
Effective as of 03/31/2025

Requirements for internal vulnerability scans take a significant step forward: scans must authenticate to the systems they assess using credentials with sufficient privileges, and any system that cannot accept credentials for authenticated scanning must be documented. Authenticated scans provide a higher degree of insight into the entity's vulnerability landscape (missing patches, local misconfigurations and vulnerable libraries that an unauthenticated scan cannot see) but will likely reveal a number of new issues that require remediation to meet PCI requirements. Teams should plan to implement authenticated scanning as soon as possible so that the backlog is worked down before this requirement goes into full effect in 2025.

Requirement 12.5.2.1: Scope Validation Must Be Completed Every Six Months
Effective as of 03/31/2025

The frequency of service provider scope validation will transition from an annual schedule to at least once every six months. This requirement works in concert with Requirement 12.5.3, which requires a documented review of the impact on PCI DSS scope and control applicability after significant organizational changes, and with the existing requirements to keep network and data-flow diagrams and supporting documentation current.

Appendix A1: Clarification on the Applicability to Multi-Tenant Service Providers
Effective as of 03/31/2025

All mention of shared-hosting providers has been updated to refer to multi-tenant service providers. This shift eliminates the ambiguity over whether Appendix A1 applied to cloud services and hosting providers under PCI DSS v3.2.1. Consequently, cloud services and hosting providers are now clearly obligated to address the requirements of Appendix A1, including logical separation between tenants and between tenants and the provider.

Next Steps for PCI DSS v4.0

Identifying all the ways PCI DSS v4.0 will impact your organization may require some time. For service providers, numerous substantial changes are anticipated, which could profoundly affect your organization. Fortunately, PCI has provided entities with ample time to prepare: PCI DSS v3.2.1 is retired on March 31, 2024, and the future-dated requirements become mandatory on March 31, 2025.

Aprio’s Information Assurance Services team has diligently worked to ensure all our clients are prepared for this transition. We have seamlessly integrated a comprehensive gap assessment into all evaluations scheduled for 2023 and 2024. If you are ready to take the next steps, we can help you initiate the planning process for these impending changes without delay, particularly if you anticipate that any of the new requirements might entail additional capital expenditures or personnel expenses.

In your preparations for the adoption of PCI DSS v4.0, Aprio has developed PCI DSS v4.0 resource guides to help facilitate the operationalization of PCI DSS v4.0 within your organization. To learn more, connect with our Information Assurance Services team today.

Related Resources

PCI DSS v4.0: Navigating Changes and the Implementation Timeline

PCI DSS v4.0: New MFA Requirements

About Aprio’s PCI DSS Services



About the Author

Shane Peden

Shane Peden has more than 10 years of experience in information security services. He works with CEOs, CFOs and CIOs, concentrating on high-growth technology companies and startups operating in a variety of industries. Shane has extensive experience helping clients successfully scope, plan, implement and obtain their information security certifications, such as PCI, HITRUST, ISO 27001 and SOC 2.