PCI 4.0 is Now Available: Here's What You Need to Know

The Payment Card Industry Data Security Standard (PCI DSS) has undergone significant changes in version 4.0, introducing enhanced requirements to bolster the security of cardholder data and payment transactions. This blog post provides an overview of the key modifications across different sections of the standard, along with important timelines for compliance with these new changes.

Compliance Timelines

PCI v4.0 is now available, but organizations have time to adjust to the new requirements. The implementation timeline aims to provide ample time for compliance:

2023

  • PCI v4.0 goes into effect, and organizations can begin preparations for compliance.

March 31, 2024

  • PCI DSS version 3.2.1 is officially retired.
  • Any Report on Compliance (RoC) and Attestation of Compliance (AoC) completed prior to this date using v3.2.1 remains valid until its compliance period expires.
  • All new RoCs and AoCs must be completed using the v4.0 standard.
  • All v4.0 requirements designated "effective immediately" must be in place.

March 31, 2025

  • PCI DSS version 3.2.1 is no longer valid.
  • Organizations must complete a RoC and AoC using the v4.0 standard.
  • All future-dated requirements must be in place.

These timelines are designed to allow organizations the necessary time to implement the changes effectively and ensure a smoother transition to the updated standard.

What’s New in PCI v4.0

  1. Firewall Management: The update combines firewall and router controls into the "Network Security Controls" category, which now covers a broader range of technologies including URL filtering, dynamic threat assessment, and geolocation data.
  2. System Hardening: No new requirements have been introduced in this section.
  3. Cardholder Storage: v4.0 mandates future-dated changes such as encrypting electronically stored data, using cryptographic keyed hashes for hashing PAN data, and employing encryption at both disk/partition and data container levels.
  4. Encrypted Transmissions: New requirements include using valid certificates for TLS/HTTPS encryption, inventorying trusted keys and certificates, and securing cardholder data transmitted over open networks.
  5. Antivirus Management: Future changes emphasize risk analysis for periodic evaluations, covering removable media in anti-malware solutions, and implementing technical measures against phishing attacks.
  6. Security Management: A range of future-dated updates involve inventorying custom software, mandatory web application firewall (WAF) protection for public-facing servers, and validation of payment page scripts.
  7. Access Controls: The upcoming requirements call for periodic reviews of user and system accounts, ensuring appropriate access privileges.
  8. Authentication Controls: Changes involve increased password lengths, shared authentication credentials only on an exceptional basis, and the option for dynamic access determination based on security posture analysis.
  9. Physical Security: Future updates include periodic inspections of POI (Point of Interaction) devices based on risk analysis.
  10. Logging and Monitoring: v4.0 emphasizes automated mechanisms for audit log reviews, critical security control system monitoring, and addressing failures promptly.
  11. Vulnerability Management: Changes encompass internal authenticated scans, support for external penetration testing by multi-tenant service providers, and mechanisms to detect unauthorized modifications to payment pages.
  12. Policy Management: A range of new requirements entail targeted risk analyses, formal acknowledgment of responsibilities, and periodic reviews of cryptographic cipher suites, hardware, and software technologies.
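Item 3 above calls for keyed cryptographic hashes of PAN. As an added illustration (this code is not from the post or from NetWorks Group), the following shows what that means in practice: an HMAC-SHA256 over a Luhn-validated PAN under a secret key, with constant-time matching. It assumes the key comes from an HSM/KMS managed separately from the hashed values; TEST_PAN is a constructed test card number.

```python
import hashlib
import hmac
import secrets

# Constructed sample: a standard test card number, not a real account.
TEST_PAN = "4111111111111111"

def luhn_valid(pan: str) -> bool:
    """True if pan is all digits of plausible length and passes the Luhn check."""
    if not pan.isdigit() or not 12 <= len(pan) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def new_hash_key() -> bytes:
    """Fresh 256-bit key. Assumption: in production it is generated and held in
    an HSM/KMS and never stored beside the hashed PANs."""
    return secrets.token_bytes(32)

def keyed_pan_hash(pan: str, key: bytes) -> str:
    """HMAC-SHA256 of the PAN. An unkeyed SHA-256 of a PAN is the same value for
    everyone, which is why v4.0 requires a keyed hash: the digest only matches
    for whoever holds the key."""
    if not luhn_valid(pan):
        raise ValueError("not a well-formed PAN")
    if len(key) < 32:
        raise ValueError("hash key must be at least 256 bits")
    return hmac.new(key, pan.encode("ascii"), hashlib.sha256).hexdigest()

def pan_matches(candidate: str, stored_digest: str, key: bytes) -> bool:
    """Match a candidate PAN against a stored keyed digest in constant time."""
    return hmac.compare_digest(keyed_pan_hash(candidate, key), stored_digest)

if __name__ == "__main__":
    key = new_hash_key()
    digest = keyed_pan_hash(TEST_PAN, key)
    print(digest, pan_matches(TEST_PAN, digest, key))
```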
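Items 6 and 11 above require an inventory of payment page scripts and a mechanism to detect unauthorized modifications to them. As an added example (not code from the post or from NetWorks Group), the following builds a script inventory from a page's HTML, fingerprints inline scripts with a Subresource-Integrity style SHA-384 digest, and reports scripts that were added, removed or changed relative to an approved baseline. The HTML and URLs are constructed placeholders.

```python
import base64
import hashlib
from html.parser import HTMLParser

class ScriptCollector(HTMLParser):
    """Collect <script> elements: src for external ones, body for inline ones."""
    def __init__(self):
        super().__init__()
        self.scripts = {}       # name -> body bytes (inline) or None (external)
        self._buf = None
        self._n = 0

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            src = dict(attrs).get("src")
            if src:
                self.scripts[src] = None
            else:
                self._buf = []

    def handle_data(self, data):
        if self._buf is not None:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._buf is not None:
            self._n += 1
            self.scripts["inline#%d" % self._n] = "".join(self._buf).encode()
            self._buf = None

def sri_hash(body: bytes) -> str:
    """Subresource-Integrity style digest: 'sha384-' + base64(SHA-384(body))."""
    return "sha384-" + base64.b64encode(hashlib.sha384(body).digest()).decode()

def script_inventory(html: str) -> dict:
    """Map each script to a fingerprint: SRI hash (inline) or its URL (external)."""
    p = ScriptCollector()
    p.feed(html)
    return {k: ("external:" + k if v is None else sri_hash(v)) for k, v in p.scripts.items()}

def diff_inventory(baseline: dict, current: dict) -> dict:
    """Report scripts that appeared, vanished or changed since the approved baseline."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "changed": sorted(k for k in baseline.keys() & current.keys() if baseline[k] != current[k]),
    }

# Constructed sample pages; hosts are placeholders, not real payment providers.
BASELINE_HTML = ('<html><body><script src="https://pay.example.test/checkout.js"></script>'
                 '<script>initCheckout();</script></body></html>')
CURRENT_HTML = ('<html><body><script src="https://pay.example.test/checkout.js"></script>'
                '<script>initCheckout(); trackExtra();</script>'
                '<script src="https://cdn.example.test/added.js"></script></body></html>')
```

Running `diff_inventory(script_inventory(BASELINE_HTML), script_inventory(CURRENT_HTML))` flags the new external script and the altered inline script; an empty diff is the expected steady state between approved changes.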

A significant change has been introduced in PCI v4.0 regarding roles and responsibilities within each section. Unlike the previous version which focused on documenting security policies and operational procedures, the new version mandates that roles and responsibilities must be explicitly identified and assigned to individuals. This ensures that not only the policies and procedures are documented and known, but also that the specific people responsible for executing the activities within each section are clearly designated, leading to a better understanding and accountability across the organization.

These changes underscore PCI DSS's continued commitment to enhancing data security and protection. Organizations processing payment card data will need to adapt to these new requirements to ensure compliance with the updated standard and maintain the security of their cardholder data environments.

How Should You Prepare?

Organizations required to comply with PCI should start preparing for PCI v4.0 now. The new standard introduces many complex requirements that will require significant resources to implement. By starting early, organizations can maximize the time they have to make the necessary changes and avoid incurring last-minute costs.

NetWorks Group recommends conducting a gap assessment to identify where your organization currently complies with v4.0 requirements and where additional steps are needed. A gap assessment is a structured way to identify the gaps between your current security posture and the requirements of v4.0. This information can then be used to develop an action plan for remediation.

NetWorks Group offers a PCI v4.0 Gap Assessment service to help you focus, prioritize, and roadmap your remediation efforts. Our gap assessment will provide you with a clear understanding of your compliance status and a roadmap for bringing your organization into compliance by the deadlines. We can also help you complete the Attestation of Compliance (AoC) or Report on Compliance (RoC) utilizing the v4.0 standard.

As a Qualified Security Assessor Company (QSAC) with over 15 years of experience, NetWorks Group understands that complying with PCI can be daunting. We work with you to determine how PCI compliance applies to your unique business and security strategy and help you intelligently limit your PCI scope where appropriate, reducing cost while ensuring your compliance. Our team combines knowledge of the PCI standard, the security that the standard is trying to achieve, and the related technology domains to deliver tailored recommendations specific to your organization. As security experts, we can also ensure that while you’re becoming compliant, you’re also practically improving your organization’s security effectiveness.

Have a discussion with us to determine if a PCI v4.0 Gap Assessment is right for you.

Learn More about NetWorks Group's PCI Services

###

Published By: Geoff Thornton, Senior Information Security Assessor

Publish Date: September 13, 2023
