Article, July 18, 2024

PCI DSS v4.0: What You Need to Know About the New Standard


by Jim Buda

The highly anticipated Payment Card Industry (PCI) Data Security Standard (DSS) v4.0 is now live and required for all PCI DSS assessments moving forward. This revamped, industry-agnostic standard will require organizations performing PCI compliance to re-evaluate their current environment and controls to address the major changes reflected in the standard. This update is intended to help companies address the rapidly evolving security landscape, whether that be changes in technologies or the techniques used by bad actors to compromise organizations' security controls to capture cardholder data.

The new standard introduces many new requirements, with two implementation dates to give organizations time to implement controls properly. Additionally, this standard allows more flexible approaches to how the requirements have traditionally been addressed. The introduction of PCI’s Targeted Risk Analysis (TRA) may affect many organizations, depending on their PCI scope, so organizations should ensure they understand what it is and how it could affect their PCI compliance. It is strongly recommended to work with a Qualified Security Assessor Organization (QSAC) or internal security assessors to evaluate the current environment against the new requirements.

Timing

PCI DSS v4.0 was released in early 2022. Two years later, PCI DSS v3.2.1 was retired, and all assessments must now adhere to PCI DSS v4.0. Implementation occurs in two waves. The first wave, required for the initial v4.0 assessment, mandates more administrative-type controls to be in place for PCI. By March 31, 2025, the additional technical requirements must be implemented, such as the introduction of new solutions and tools.

Requirement Changes

The latest version of PCI DSS introduces several changes. In the first wave, a significant change affecting 11 of the 12 requirements is the formal documentation of PCI-related responsibilities. There are two approaches that can be used to address this item: organizations can either update current policies and procedures or create a new policy that clearly identifies the person or role responsible for each PCI requirement. In either case, personnel involved in your organization’s PCI compliance should acknowledge their responsibilities.

Another immediate change requires organizations to document their PCI scope and confirm that it is appropriate. While assessors have often required this informally, the Security Standards Council (SSC) has now made it an official requirement. The scoping document must also be reviewed annually and after any major change to an organization’s environment.

There are multiple new requirements that must be addressed after March 31, 2025. The list below is not exhaustive but highlights some of the more time- and resource-intensive requirements:

● 5.4.1: Implementing solutions to detect and protect personnel against phishing attacks.

● 6.4.2: Utilizing an automated technical solution(s) for public-facing web applications to detect and prevent web-based attacks.

● 8.4.2: All access into an organization’s cardholder data environment (CDE) must use multi-factor authentication, and these multi-factor authentication systems will be reviewed during a PCI assessment for proper implementation.

● 11.3.1.2: Internal vulnerability scans must be performed as authenticated scans, giving deeper insight into each system’s security posture.

● 12.6.3.1: Security awareness training must include awareness of common threat vectors, such as phishing and social engineering.

Control Flexibility via the Customized Approach

The new standard introduces a “Customized Approach” for meeting the DSS requirements. Some requirements include a statement of their security intent, and an alternative approach can be used to address that intent, provided the correct supporting documentation is included. The organization’s controls must meet or exceed the original requirement’s security threshold. Companies should work with their assessors to identify and properly document the requirements that will use the customized approach.

Targeted Risk Analysis

PCI DSS v4.0 also introduces the Targeted Risk Analysis (TRA). Organizations must complete a TRA for certain requirements and whenever they use the customized approach for a specific requirement. The PCI SSC provides a TRA template that clearly outlines how to document the reasoning and supporting information for such cases. A TRA is necessary, for example, if an organization decides not to use an anti-malware solution on a Linux host, a type of host often regarded as low risk for malware. Each individual TRA must be reviewed and approved by senior management annually.

Summary

In summary, PCI DSS v4.0 brings significant changes to the compliance landscape, requiring organizations to re-evaluate their environments and controls. With the phased implementation and the introduction of flexible approaches like the Customized Approach and TRA, organizations should work closely with assessors to ensure they meet the new requirements. Proper understanding and timely implementation of these changes will be critical to maintaining PCI compliance.

Sources

Implementation Timeline (PCI DSS v4.0 At a Glance): https://docs-prv.pcisecuritystandards.org/PCI%20DSS/Supporting%20Document/PCI-DSS-v4-0-At-A-Glance.pdf

PCI DSS v4.0: https://www.pcisecuritystandards.org/document_library/?category=pcidss

Targeted Risk Analysis Information: https://blog.pcisecuritystandards.org/just-published-pci-dss-v4-x-targeted-risk-analysis-guidance

The information provided in this communication is of a general nature and should not be considered professional advice. You should not act upon the information provided without obtaining specific professional advice. The information above is subject to change.
