APRIO INFORMATION ASSURANCE SERVICES

PCI DSS v4.0

PCI DSS v4.0 is here and signals a substantial evolution in safeguarding payment card data. Now is the time for your company to start preparing to make the shift.

Identify the critical changes that may have the most impact on your organization.

PCI DSS Version 4.0: What You Need to Know

On March 31, 2024, the Payment Card Industry Data Security Standard (PCI DSS) v3.2.1 will officially retire, and the new iteration of PCI DSS v4.0 becomes mandatory.

Aprio has been at the forefront of PCI DSS v4.0. 100% of our current client base has adopted the standard, and we have created the methodologies and resources to help organizations transition successfully.

What Are the Most Important Things to Know?

The transition from PCI DSS v3.2.1 to the freshly minted v4.0 introduces a host of changes in both compliance reporting and new security requirements. The PCI Security Standards Council (SSC) has constructed a long runway for the shift. Over the past year, Aprio has onboarded 100% of our clients onto the PCI v4.0 standard ahead of the March 31, 2024, deadline. This date marks the formal retirement of v3.2.1 and the official inauguration of v4.0 as the singular standard.

PCI DSS 4.0 Implementation Timeline

Understanding Immediate vs. Future Dated Requirements

Effective immediately upon adoption of PCI DSS v4.0, 15 of the 63 new requirements are applicable, though 11 of these may be addressed in a single effort across requirements 1 to 11 of PCI DSS’s high-level family of requirements.

The remaining 51 requirements must be implemented by March 31, 2025, depending on their applicability to the entity’s scope and on the entity’s classification as a Third-Party Service Provider (TPSP) or Merchant.

PCI requirements effective immediately:

PCI Req # 1-11: X.1.2
Requirement: Roles and responsibilities for performing activities (in requirements 1-11) are documented, assigned and understood.
Applies to: All Entities

PCI Req # 6.3.3
Requirement: Both critical and high security patches must be installed within one month of release. (Previously, this requirement only applied to critical security patches.)

PCI Req #12.5.2
Requirement: Document / confirm PCI scope at least every 12 months and upon significant changes.

PCI Req #12.9.2
Requirement: TPSPs must support customers’ requests to provide PCI DSS compliance status and information about PCI DSS requirements that are the responsibility of the TPSP.

The applicability of the additional 63 requirements that go into effect as of March 31, 2025, will vary based on the nature of your business. Aprio provides free PCI DSS 4.0 readiness workshops. Reach out to a member of our team to schedule yours.

Get Familiar with the PCI DSS Customized Approach

A new facet in v4.0 of PCI DSS is the Customized Approach, which offers additional flexibility to organizations using different security technologies that meet the intent of PCI DSS requirements, but don’t comply with the traditional, defined approach.

The Customized Approach allows for implementation of tailored methods and controls for meeting a PCI DSS requirement based on addressing the risk objective of a requirement. It empowers organizations to implement controls most suited to their environment, with assessors crafting testing procedures tailored to the specific solutions in place.

PCI DSS Approach

While it may be tempting to use this tool, use it sparingly, given the additional compliance burden it places on the organization. To date, its usage has been limited to emerging technologies and bleeding-edge scenarios. The PCI Security Standards Council has published an informative post helping entities determine whether the customized approach is right for them.

Completing the Targeted Risk Analysis

One of the biggest changes in PCI DSS v4.0 is the Targeted Risk Analysis (TRA). It provides additional flexibility over how often certain controls must operate to meet a requirement, and it is also the vehicle for documenting the risk analysis completed for any requirement met through the customized approach.

Approximately 10 requirements call for completion of a Targeted Risk Analysis (TRA), not counting any requirement where the customized approach is used.

Documenting the Targeted Risk Analysis:

Organizations are free to use any format they wish to document their targeted risk analysis and may expand their current information risk assessment process to document the elements required by PCI DSS (see the bulleted list above).

The PCI SSC recently published templates to support entities in documenting TRAs, and also provides a template in Appendix E2 of the PCI DSS v4.0 standard. PCI-provided templates may be used but are not mandatory. A simple spreadsheet documenting the same data elements is also sufficient.

If you need additional support or guidance on completing your initial Targeted Risk Analysis exercise, Aprio provides free PCI DSS 4.0 readiness workshops. Reach out to a member of our team to schedule yours.

For Service Providers Only: Be Aware of the Following

There are also a number of new PCI DSS requirements specific to Service Providers. Below is a brief summary of the highest-impact changes. Read our longer-format article for more detailed information.

Roles and Responsibilities
Entities will be required to document the roles and responsibilities within the organization for performing the various activities defined within each PCI requirement. The sub-requirements may be addressed through either a standalone responsibility document or integration within established policies.

New Requirements for Use of Cryptographic Hashing
Moving forward, entities employing hashes to render PAN unreadable will be required to utilize keyed cryptographic hashes to render any PAN unreadable. Key management processes must also be implemented to document and govern this process.

Encryption Requirements Beyond Full Disk Encryption
Requirements 3.5.1.2 and 3.5.1.3 introduce a series of new requirements for securing data at rest through more effective implementation of cryptography. These requirements include:

- Requiring that any hashes used to render PAN unreadable use a keyed cryptographic hash of the entire PAN.

- Use of Full Disk Encryption (FDE) as the sole means of rendering PAN unreadable on anything besides removable media must be combined with one-way hashing, truncation, indexing, or strong cryptography (and associated secure management of the encryption keys).

- Logical access to the encrypted data, encryption keys and authentication factors used to access the data must be managed independently of the users’ logical access to the native operating system.

- FDE remains obligatory for removable media.

Ensuring Integrity of Payment Page Scripts
Publishers or SaaS payment solutions will soon be faced with the requirement to provide additional security and integrity safeguards for payment page scripts that are loaded and executed in the consumer’s browser. PCI states that the intent of the new requirement is not to require installation of additional software or browser plugins on the consumer’s browser.

MFA Is Required for All CDE Access
Multi-factor authentication (MFA) will become mandatory for all interactions within the CDE. This new requirement expands on the PCI DSS v3.2.1 requirement, where MFA was confined to remote CDE access. The criteria for authentic MFA are further defined as well, banishing the practice of employing a single factor twice as a suitable MFA strategy. Entities should consider the impact to budgets if they do not already have an MFA solution implemented for all access into the CDE.

Audit Log Reviews Must Be Automated
Automated log reviews will become mandatory, leaving behind the requirement for daily manual log reviews. While many organizations have already embraced Security Information and Event Management (SIEM) solutions for log consolidation and review, this change will provide additional impetus to implement a centralized and automated logging solution.

Internal Vulnerability Scans Require Authenticated Scanning
Requirements for internal vulnerability scans take a significant step forward, requiring the application of authentication credentials for scans with sufficient privileges to complete administrative-level scans. This new requirement will provide a higher degree of insight into the entity’s vulnerability landscape but may also reveal a number of new issues that will require remediation to meet PCI requirements.

Scope Validation Must Be Completed Every Six Months
Service Provider Scope Validation must be completed every six months.

Clarification on the Applicability of Annex A.1
All mention of shared-hosting providers has been updated to refer to multi-tenant service providers. This shift eliminates the ambiguity over whether the requirement was applicable to cloud services/hosting providers under PCI DSS v3.2.1.
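As an added example (not Aprio's or the PCI SSC's code) of what the keyed-hash requirements above ask for, the following Python renders a PAN unreadable with an HMAC over the entire PAN and contrasts it with the unkeyed digest that v4.0 no longer accepts. The key and the sample PANs are constructed placeholders; in practice the key would come from the key-management process the requirement also mandates.

```python
import hashlib
import hmac

# Constructed placeholder key for this example only. Under the requirement the
# key is generated, stored and rotated by the entity's documented key-management
# process (HSM/KMS), never embedded in code like this.
DEMO_KEY = bytes.fromhex("00" * 32)


def luhn_valid(pan: str) -> bool:
    """Luhn check-digit validation, so obviously malformed input is rejected."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def is_pan(value: str) -> bool:
    """Structural PAN check: 13-19 digits with a valid Luhn check digit."""
    return value.isdigit() and 13 <= len(value) <= 19 and luhn_valid(value)


def render_pan_unreadable(pan: str, key: bytes) -> str:
    """Keyed cryptographic hash (HMAC-SHA256) over the ENTIRE PAN.

    Hashing only a truncated PAN, or using an unkeyed digest, does not satisfy
    the v4.0 requirement; the output is only as secret as the key."""
    if not is_pan(pan):
        raise ValueError("input is not a structurally valid PAN")
    return hmac.new(key, pan.encode("ascii"), hashlib.sha256).hexdigest()


def unkeyed_sha256(pan: str) -> str:
    """The pre-v4.0 pattern, shown for contrast: because the PAN space behind a
    known issuer prefix is small, unkeyed digests can be recomputed by anyone,
    which is why v4.0 requires a key."""
    return hashlib.sha256(pan.encode("ascii")).hexdigest()


def pan_matches(candidate: str, stored_hash: str, key: bytes) -> bool:
    """Lookup against a stored keyed hash using a constant-time comparison."""
    return hmac.compare_digest(render_pan_unreadable(candidate, key), stored_hash)


if __name__ == "__main__":
    sample = "4111111111111111"  # constructed test PAN, not a real card
    print("keyed  :", render_pan_unreadable(sample, DEMO_KEY))
    print("unkeyed:", unkeyed_sha256(sample))
```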

Take the next step.

1000+ PCI DSS Certifications completed

Identifying all the ways PCI DSS v4.0 will impact your organization may require some time. For service providers, numerous substantial changes are anticipated, which could profoundly affect your organization. Fortunately, PCI has generously provided entities ample time to prepare for the complete enforcement of PCI DSS v4.0 by March 31, 2025.

Aprio’s Information Assurance Services team has diligently worked to ensure all our clients are prepared for this transition. We have seamlessly integrated a comprehensive gap assessment into all evaluations scheduled for 2023 and 2024. When you’re ready to take the next step, we can help you initiate the planning process for these impending changes without delay, particularly if you anticipate any of the new requirements entailing additional capital expenditures or personnel expenses.

As you prepare to adopt PCI DSS v4.0, Aprio has developed resource guides to help you operationalize PCI DSS v4.0 within your organization. To learn more, connect with our Information Assurance Services team today.