Written by Gary Watts and Allen Baranov, Governance, Risk and Compliance 29 February 2024
On Sunday, 31 March 2024, version 3.2.1 (v3.2.1) of the Payment Card Industry Data Security Standard (PCI DSS) will be retired. This means that organisations involved in payment security will be required to transition to the new PCI DSS version 4.0 (v4.0).
PCI DSS is the global data security standard adopted by the payment card brands for all entities that store, process, or transmit cardholder data (CHD) and/or sensitive authentication data (SAD) or could impact the security of the cardholder data environment (CDE). This includes all entities involved in payment card account processing —including merchants, processors, acquirers, issuers, and other service providers.[1] Any organisation that takes payment using credit or debit cards must comply with the standard. There is more focus on organisations that process larger numbers of transactions because of the inherent extra risk, but all organisations are required to meet the requirements.
Version 4.0 of the standard marks a significant departure from its predecessor, with a primary focus on addressing the evolving threats and needs of the payments industry. With an increased focus on risk management, flexible control implementation, assessment and reporting, PCI DSS v4.0 presents both opportunities and challenges for organisations.
Understanding the implications of PCI DSS v4.0 for your organisation will allow you to start planning and prioritising the effort and resources to ensure a smooth and efficient transition.
What Is Changing?
As part of the PCI DSS 3-year lifecycle, the standard has been updated to address the evolving needs of the payment industry. The PCI Security Standards Council (SSC) summarised its goals for PCI DSS v4.0 as follows:
- Ensure the standard continues to meet the security needs of the payments industry including the ability address emerging and changing threats and controls.
- Add flexibility and support additional methodologies to achieve security.
- Promote security as a continuous process.
- Enhance validation methods and procedures.
Additional Guidance
While PCI DSS v3.2.1 included multiple sections providing guidance on the applicability of the standard and assessment procedures, the new standard has significantly increased the amount of guidance for entities and assessors. Notable inclusions are:
- Significantly expanded scoping guidance relating to Third-Party Service Providers (TPSPs).
- Clarification of timeframes used in the standard.
- Additional guidance on the use of sampling.
- Discussion of the approaches for implementing and validating PCI DSS.
- Guidance for protection of an entity’s information as part of an assessment.
Approaches for Achieving and Reporting Compliance
PCI DSS v4.0 provides flexibility in how the security objectives are met by introducing two approaches for implementing and validating the requirements of the standard. Organisations may continue to use the familiar Defined Approach where requirements are met as stated in the standard. This is the approach that all previous versions of PCI DSS have included – defining exactly what outcome is expected and testing against it.
Alternatively, a Customised Approach may be used where controls are implemented to meet a requirement’s stated objective in a way that does not strictly follow the Defined Approach. This is a slightly more complex method in which the organisation defines their own way of meeting the required outcome and is then required to show how their approach meets the objectives of each control.
Organisations should identify the approach best suited to their security control implementation and maturity of the organisation’s risk management processes noting that the documentation and effort required to validate customised implementations will typically be greater than using a Defined Approach. Organisations are permitted to use a mix of the Defined Approach and Customised Approach.
New PCI DSS Requirements
PCI DSS v4.0 retains the 12 principal DSS requirements providing familiarity and consistency in the security objectives of the standard. However, it introduces 64 new (sub-)requirements organisations need to comply with depending upon their environments. The new requirements are aimed at strengthening existing control implementations and addressing evolving threats. Key areas and controls include:
- Documentation of PCI scope and technologies in use by the organisation including cipher suites.
- Definition of roles and responsibilities for implementation of controls for each of the 12 requirements.
- Strengthening of encryption requirements for stored cardholder data and sensitive authentication data (pre-authorisation).
- Protection of certificates and keys used for protection of cardholder data during transmission over open public networks.
- Detection and protection of personnel against phishing attacks.
- Implementation of automated solutions for public facing websites and pages to detect and prevent attacks.
- Implementation of change and tamper detection for website pages and scripts.
- Strengthening of remote and privileged access management processes including bi-annual access reviews.
- Strengthening of authentication solutions and use of MFA for access.
- Automation of log review processes and monitoring of critical security controls.
- Conducting internal vulnerability scans via authenticated scanning.
- Conducting targeted risk assessments to define the frequency for periodic requirements.
While many of the new requirements are best practice until 31 March 2025, several of the requirements may require significant changes to business operations requiring additional resources to plan, implement and maintain.
Summary
Some key points to consider when transitioning to PCI DSS v4.0.
- The 12 principal PCI DSS requirement areas remain the same.
- PCI DSS v3.2.1 will be retired on 31 March 2024.
- Enhanced risk management, Governance and oversight are expected from entities.
- Introduction of 64 new requirements – 13 requirements are effective immediately and 51 requirements to be complied with from 01 April 2025.
- Introduction of the Customised Approach – Flexibility in meeting individual security objectives.
- Requirement for entities to clearly assign roles and responsibilities for each PCI DSS requirement.
- Significant additional guidance on implementing and assessing PCI DSS is included in the standard.
For additional information, join CyberCX’s PCI DSS v4.0 webinar on the 21st March or talk to one of our Qualified Security Assessors (QSAs).
[1] PCI Applicability Information in the PCI DSS v4.0. (https://docs-prv.pcisecuritystandards.org/PCI%20DSS/Standard/PCI-DSS-v4_0.pdf)
