PCI DSS 4.0 is Here: 15 Changes to Get a Head Start on New Requirements
The Payment Card Industry’s (PCI) Data Security Standard (DSS) 4.0 has been published on the Security Standards Council website. For many, the update could not have come soon enough. Over the last several years, merchants, service providers, and assessors alike have faced increasing challenges in applying the DSS requirements to modern infrastructure and cloud deployments.
With almost 200 unique updates to PCI DSS 4.0, those in the payment industry will have greater flexibility to implement these requirements in an ever-changing technology landscape.
The DSS is being positioned to be embedded into business-as-usual activities to ensure compliance requirements don’t fall through the cracks as business priorities and focus areas shift.
In the council’s Summary of Changes from PCI DSS Version 3.2.1 to 4.0, each change is categorized as follows:
- Evolving Requirement – A change was made to the requirement to account for emerging risks and technologies.
- Clarification or Guidance – Additional guidance or word choice adjustments were made to provide further clarity on the intent of the requirement.
- Structure or Format – The requirement was combined, separated, or renumbered to align related content.
Assessments must be performed against the DSS 4.0 for all Attestations of Compliance (AOCs) issued after March 31, 2024. Merchants and/or service providers will need to take action on 92 of the requirements. Of these, 38 must be implemented immediately for PCI DSS 4.0 assessments. The remaining 54 must be implemented by March 31, 2025.
We recommend organizations get started on the following action items sooner rather than later:
Requirement # | Action Item | Effective Date |
---|---|---|
X.1.2 | Develop a matrix, such as a RACI chart, that formalizes roles and responsibilities for applicable PCI DSS 4.0 requirements. | April 1, 2024 |
3.5.1.2 | For non-removable media where disk encryption has previously been used to protect cardholder data at rest, implement another mechanism that meets Requirement 3.5.1. Disk encryption is only considered acceptable on removable media. Acceptable methods could include one-way hashing, truncation, index tokens, or column/database/file level encryption. | April 1, 2025 |
6.2.2 | Update secure development training to cover the specific development languages used for the in-scope environment. If security testing tools are used in the development pipeline, developers should also be trained on how to use them. | April 1, 2024 |
6.3.2 | Create and maintain an inventory of all bespoke and custom software*, including associated third-party software incorporated as components in the scope of a PCI DSS assessment. | April 1, 2025 |
6.4.2 | Implement an automated technical solution, such as a web application firewall, to continually detect and prevent web-based attacks. Manual vulnerability assessments of public-facing web applications are no longer permitted as a substitute. | April 1, 2025 |
6.4.3 | Create and maintain an inventory of all scripts used on a payment page that are loaded and executed in the consumer’s browser, including a justification and approval for each script. Additionally, implement a technical method, such as Subresource Integrity (SRI) checks, for validating the integrity of each script before it executes in the consumer’s browser. | April 1, 2025 |
7.2.4 | Perform a user access review of all systems, databases, applications, and third-party cloud services within the scope of the assessment every 6 months. | April 1, 2025 |
12.3.1 | Develop targeted risk assessment programs for the purposes of identifying the frequency with which requirements 5.2.3.1, 7.2.5.1, 8.6.3, 9.5.1.2.1, 10.4.2.1, 11.3.1.1, 11.6.1, and 12.10.4.1 must be achieved. | April 1, 2025 |
8.4.2 | Implement multi-factor authentication for all access into the CDE, regardless of access method. | April 1, 2025 |
8.5.1 | Configure or implement multi-factor authentication solutions in a manner that prevents replay attacks, for example by using one-time password (OTP) tokens. | April 1, 2025 |
8.6.2 | Passwords used for application or system accounts should not be hard coded into scripts, configuration files, or custom code. | April 1, 2025 |
10.7.2 | In addition to service providers, merchants are now also required to implement processes for the timely detection and response to failures in critical security control systems. | April 1, 2025 |
11.3.1.2 | Perform quarterly internal vulnerability scans via authenticated means. | April 1, 2025 |
11.6.1 | Implement an automated or manual process to alert on unauthorized changes to HTTP headers and the contents of payment pages as received by the consumer browser. | April 1, 2025 |
Appendix A | Appendix A has been reclassified from applying to shared-hosting providers to applying to multi-tenant service providers**. Multi-tenant service providers should re-evaluate the applicability of Appendix A and implement the requirements accordingly. | April 1, 2024 |
* Bespoke is defined as software developed for the entity by a third party on the entity’s behalf and per the entity’s specifications. Custom software is defined as software developed by the entity for its own use.
** Multi-tenant service providers are defined as a type of Third-Party Service Provider that offers various shared services to merchants and other service providers, where customers share system resources (such as physical or virtual servers), infrastructure, applications (including Software as a Service (SaaS)), and/or databases. Services may include, but are not limited to, hosting multiple entities on a single shared server, providing ecommerce and/or “shopping cart” services, web-based hosting services, payment applications, various cloud applications and services, and connections to payment gateways and processors.
By getting a head start on these requirements as well as other changes described in the new standard, organizations will be in a better position for the required transition to PCI DSS 4.0 for all AOCs rendered after March 31, 2024.
As your organization is navigating this transition, we can help you identify the practical approach. From our broad experience with Fortune 50 cloud providers to small e-commerce merchants, Weaver has the technical and business expertise to help your organization on its path to DSS 4.0. Contact us for assistance.
© 2022