Understanding New PCI DSS 4.0 Requirements

July 25, 2024 | News

The Payment Card Industry Data Security Standard (PCI DSS) serves as a crucial framework for safeguarding cardholder data. Developed by major card brands like American Express, Discover, Mastercard, JCB, and Visa, it aims to reduce breaches and ensuing fraud. With the advent of PCI DSS 4.0, MRC and IXOPAY expert John Noltemeyer joined forces to present a webinar highlighting everything merchants need to know about the upcoming changes.

In this blog, we’ll provide key takeaways from the webinar, including an overview of PCI DSS 4.0, the transition timeline, and seven key new requirements that will impact most merchants.

PCI DSS: A Baseline for Data Security

PCI DSS is more than just about cardholder data; it extends to protecting any sensitive data within an organization. While initially focusing on cardholder account data, it now covers a broader range of sensitive information, including names and addresses. This standard applies to any entity involved in processing cardholder data, even if this processing is outsourced.

Transitioning to PCI DSS 4.0

The transition from version 3.2.1 to 4.0 is a pivotal phase. Version 4.0 is already available for assessment, alongside version 3.2.1, which remains in effect. However, by March 31st, 2024, version 3.2.1 will be officially retired, and only version 4.0 assessments will be conducted.

Key Changes in PCI DSS 4.0

Version 4.0 reflects evolving technology and emerging threats, particularly pertinent to e-commerce. Notably, cloud technology is referenced over 40 times, highlighting its prominence in today’s landscape. Moreover, version 4.0 emphasizes the need for flexibility in implementing security measures, allowing merchants to tailor solutions to their unique circumstances.

Seven Crucial New Requirements in PCI DSS 4.0

  • 3.3.2 – Encryption of Sensitive Authentication Data (SAD): All SAD, including CVV, must be encrypted, regardless of whether the primary account number (PAN) is present. This requirement ensures heightened security in handling authentication data.
  • 5.4.1 – Protection Against Phishing Attacks: Implement an automated phishing protection mechanism to reduce the risk of falling prey to phishing attempts. This measure fortifies defenses against social engineering threats, reducing potential vectors for malware and ransomware attacks.
  • 6.4.3 – Managing Payment Page Scripts: Merchants must maintain an inventory of all scripts on their e-commerce payment pages. This includes ensuring the integrity of each script to prevent unauthorized modifications and verifying their authorization and execution.
  • 8.3.6 – Password Length Requirement: Passwords for users and administrators accessing cardholder data must be a minimum of 12 characters. Encourage the use of passphrases for added security.
  • 11.3.1.2 – Authenticated Internal Vulnerability Scans: When conducting internal vulnerability scans, authentication should be employed. This enhances the accuracy and detail of vulnerability assessments, providing a comprehensive view of potential security risks.
  • 11.6.1 – Detect changes of HTTP headers & Payment Pages: A change and tamper detection mechanism must be implemented to ensure unauthorized modifications are quickly reported to security personnel in order to maintain security.
  • 12.5.2 – Verification of PCI Scope every 12 months: Merchants with cardholder data environments (CDEs) must periodically verify their PCI scope. This involves identifying data flows, documenting storage methods, encryption, and access controls, as well as assessing any changes that may impact security.

Preparation for PCI DSS 4.0 Compliance

  • Familiarize Yourself with Version 4.0: Understand the changes from 3.2.1 to version 4.0 thoroughly. Utilize resources provided by the PCI Security Standards Council for detailed insights.
  • Assess Impact on Your Organization: Evaluate how the new requirements will affect your existing information security program. Identify potential changes, and plan accordingly.
  • Consider Automation Solutions: Given the complexity of compliance, consider utilizing automated solutions for tracking scripts, ensuring payment page integrity, and managing vulnerability scans.
  • Stay Informed and Document Changes: Stay updated with PCI DSS developments and document any changes made in response to the new requirements. Consistent documentation is essential for demonstrating compliance.

With careful preparation and a clear understanding of the new requirements, merchants can navigate the transition to PCI DSS 4.0 smoothly, ensuring continued protection of cardholder data and compliance with industry standards.

Check out our PCI Compliance Checklist to help ensure you are ready for the changes.

If you missed the full webinar or would like to access the materials shared by the presenter, John Noltemeyer, you can access additional resources here or view the full webinar below.