PCI DSS v4.0 Goal 1: Continuing to meet the security needs of the payment card industry

September 12, 2022

At a glance

The main takeaway: Since PCI DSS 3.2.1 was released in February 2018, many significant advancements have occurred in both the technologies used to enable payments and the nature of the security threats facing the industry. These advancements have driven the four overarching goals of version 4.0. This video outlines the first goal of PCI DSS v4.0: to continue to meet the security needs of the payment card industry.

Impact on your business: Version 4.0 includes new enhancements intended to keep meeting the security needs of the payment industry as payment technologies and security threats advance. These include enhancements to address phishing attacks and malicious code, and new requirements for multifactor authentication (MFA).

Next Steps: Version 3.2.1 will be officially retired on March 31, 2024. Until this date, entities can select either version 3.2.1 or version 4.0 as the standard against which to demonstrate their PCI compliance status. Due to the considerable changes in version 4.0, Aprio believes it is in the best interest of your business to begin your transition to PCI DSS v4.0 as soon as feasible.

Schedule a consultation with an Aprio PCI DSS Qualified Security Assessor today.

The full story

It has been over four years since version 3.2.1 became effective, and during that time there have been many significant advancements in both the technologies used to enable payments and the nature of the security threats facing the industry.

New phishing requirements
The most significant recent threat, not just to payments but to most industries, is phishing. Version 4.0 includes two new requirements to address it. The first is to deploy mechanisms that detect and protect against phishing attacks. The second is to conduct security awareness training that focuses on phishing and related social engineering attacks.
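The first of those two requirements asks for a technical control, and the following added example (written for this page, not code from Aprio or from the PCI SSC) sketches the kind of check such a control performs on inbound mail: it reads the receiving mail server's Authentication-Results header, notes SPF, DKIM and DMARC outcomes, and compares the visible sender domain against the organisation's own domains to catch lookalikes. The three messages, the domain names and the quarantine/flag thresholds are all constructed assumptions; folded multi-line headers are deliberately not handled.

```javascript
// Added example: a minimal inbound-mail phishing check. Not part of the original
// page; message samples, domains and thresholds are constructed for illustration.

// Parse "Name: value" header lines of a raw message (single-line headers only).
function parseHeaders(raw) {
  const headers = {};
  for (const line of raw.split(/\r?\n/)) {
    const i = line.indexOf(':');
    if (i > 0) headers[line.slice(0, i).trim().toLowerCase()] = line.slice(i + 1).trim();
  }
  return headers;
}

// Pull spf=/dkim=/dmarc= results out of an Authentication-Results header.
function parseAuthResults(header) {
  const results = {};
  for (const m of header.matchAll(/\b(spf|dkim|dmarc)=([a-z]+)/gi)) {
    results[m[1].toLowerCase()] = m[2].toLowerCase();
  }
  return results;
}

// Domain part of the address in a From header.
function fromDomain(fromHeader) {
  const m = fromHeader.match(/@([A-Za-z0-9.-]+)/);
  return m ? m[1].toLowerCase() : null;
}

// Levenshtein distance, used to spot lookalike domains ("examp1e" vs "example").
function editDistance(a, b) {
  const prev = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    let diag = prev[0];
    prev[0] = i;
    for (let j = 1; j <= b.length; j++) {
      const tmp = prev[j];
      prev[j] = Math.min(prev[j] + 1, prev[j - 1] + 1, diag + (a[i - 1] === b[j - 1] ? 0 : 1));
      diag = tmp;
    }
  }
  return prev[b.length];
}

// Combine authentication results and sender-domain similarity into a verdict.
function assessMessage(raw, ownDomains) {
  const h = parseHeaders(raw);
  const auth = parseAuthResults(h['authentication-results'] || '');
  const domain = fromDomain(h['from'] || '');
  const findings = [];
  if (auth.dmarc !== 'pass') findings.push(`dmarc=${auth.dmarc || 'absent'}`);
  if (auth.spf === 'fail' || auth.spf === 'softfail') findings.push(`spf=${auth.spf}`);
  if (auth.dkim === 'fail') findings.push('dkim=fail');
  if (domain && !ownDomains.includes(domain)) {
    for (const own of ownDomains) {
      const d = editDistance(domain, own);
      if (d > 0 && d <= 2) findings.push(`sender domain ${domain} resembles ${own}`);
    }
  }
  // Policy choice (assumed): lookalike domains and hard failures are quarantined,
  // a bare dmarc=none/absent is only flagged for review.
  const severe = findings.some((f) => f.startsWith('sender domain') || /=(fail|softfail)$/.test(f));
  const verdict = severe ? 'quarantine' : findings.length ? 'flag' : 'deliver';
  return { domain, auth, findings, verdict };
}

// Constructed samples: the organisation owns example-pay.com.
const OWN_DOMAINS = ['example-pay.com'];
const PHISH = [
  'From: Accounts Payable <ap@examp1e-pay.com>',
  'To: finance@example-pay.com',
  'Subject: Updated card processor credentials',
  'Authentication-Results: mx.example-pay.com; spf=pass smtp.mailfrom=examp1e-pay.com; dkim=none; dmarc=none header.from=examp1e-pay.com',
].join('\n');
const LEGIT = [
  'From: Payments Team <payments@example-pay.com>',
  'To: finance@example-pay.com',
  'Subject: Monthly settlement report',
  'Authentication-Results: mx.example-pay.com; spf=pass smtp.mailfrom=example-pay.com; dkim=pass header.d=example-pay.com; dmarc=pass header.from=example-pay.com',
].join('\n');
const PARTNER = [
  'From: Acme Processor <noreply@acme-processor.invalid>',
  'To: finance@example-pay.com',
  'Subject: Statement available',
  'Authentication-Results: mx.example-pay.com; spf=pass smtp.mailfrom=acme-processor.invalid; dkim=pass header.d=acme-processor.invalid; dmarc=none header.from=acme-processor.invalid',
].join('\n');

for (const [name, msg] of [['phish', PHISH], ['legit', LEGIT], ['partner', PARTNER]]) {
  const r = assessMessage(msg, OWN_DOMAINS);
  console.log(name, r.verdict, r.findings);
}
```

The sample run quarantines the lookalike-domain message, delivers the authenticated internal one and only flags the partner whose domain has no DMARC policy; the thresholds are where a real deployment would tune false positives against the organisation's own mail flows.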

Malicious code
Another significant threat specific to the payments industry is malicious code placed on the payment pages of e-commerce sites, where it acts as a skimmer of account data. In response, version 4.0 includes new requirements for merchants to manage all payment page scripts that are loaded and executed in the consumer's browser. Version 4.0 also requires merchants to deploy a change-and-tamper detection mechanism for payment pages.

PCI v4.0 Multifactor Authentication (MFA)
Finally, version 4.0 also addresses access and authentication, another common threat vector. It strengthens requirements in this area by increasing the minimum password length from 7 characters to 12 and by requiring multifactor authentication (MFA) for any access to the Cardholder Data Environment. In version 3.2.1, MFA was required only for remote access.

These are just some of the many changes in version 4.0 designed to help ensure the PCI DSS continues to meet the needs of the payments industry.

Related Resources

We have created a series of videos that drill down into the purpose and intent of these goals and the changes in version 4.0 that achieve them.