Author: Tony McCutcheon – GRC Consultant
On 31 March 2022, the PCI Security Standards Council (PCI SSC), the global payment security forum, released PCI DSS v4.0. Following on from PCI DSS v3.2.1, which was released on 1 January 2019, v4.0 addresses emerging threats and technologies more effectively and provides new ways to combat them.
Below, we will go through the main points you need to know for the implementation of PCI DSS v4.0.
Implementing PCI DSS 4.0
Both versions of PCI DSS remain valid simultaneously until 31 March 2024, giving organisations time to implement the necessary changes. After this date, v3.2.1 will be retired and replaced by PCI DSS v4.0. Until then, companies can review the changes and implement the required actions to enable a smooth transition to v4.0.
There are 64 new requirements in PCI DSS v4.0, 13 of which take effect immediately for all v4.0 assessments. The remaining 51 requirements are considered best practice until 31 March 2025, at which point they become mandatory for all entities seeking PCI DSS compliance. Although these 51 requirements will not be assessed until March 2025, we advise that organisations begin preparing for and implementing the required changes well before this date.
The below timeline of implementation is helpful in demonstrating this process.
Where have the changes indicated in PCI DSS v4.0 stemmed from?
Planning for PCI DSS v4.0 started in 2017 and involved over 200 companies providing feedback, amounting to more than 6,000 comments.
This comprehensive feedback led to the identification of the following four main goals for the v4.0 release:
- Ensure the standard continues to meet the security needs of the payments industry
- Promote security as a continuous process
- Increase flexibility to allow entities to use different methods to achieve security objectives
- Enhance validation methods and procedures
What are the new requirements?
To assist in achieving these goals, PCI DSS v4.0 includes new or enhanced requirements relating to areas including:
- Multi-factor authentication
- Password management
- E-commerce and phishing
- Roles and responsibilities
- Implementation and maintenance guidance
- Reporting options, functionality and transparency
- Group, shared, and generic accounts
- Targeted risk analysis
- New customised approach option
- Alignment of information within ROC, AOC and SAQ documents
PCI DSS v4.0 new approaches
Version 4.0 introduces a choice of two approaches, “Defined” and “Customised”, for implementing and validating PCI DSS. They are summarised as follows:
Defined Approach: the traditional method used to implement and validate PCI DSS
- Follows current PCI DSS requirements and testing procedures
- Suitable for entities with security implementations that align with current requirements
- Provides direction on how to meet security objectives
Customised Approach: the new method, whereby entities can implement controls that do not follow the Defined Approach requirement, provided the requirement’s security objective is still met
- Focuses on the objective of each PCI DSS requirement
- Entity determines and implements controls to meet the objective
- Provides greater flexibility for entities using different ways to achieve a requirement’s security objective
- Suitable for entities with robust security processes and strong risk management practices
What to do now
While there are a number of changes that organisations will need to begin implementing, the key message is not to panic: there is time to get familiar with PCI DSS v4.0. As these changes are geared towards a more continuous approach to security, network security and compliance teams will need to re-assess their evaluation processes. For the time being, however, the focus should be on working towards a holistic security posture.
Further PCI DSS v4.0 resources
In addition to the updated PCI DSS standard, supporting documents published in the PCI SSC Document Library include:
- PCI DSS Summary of Changes v3.2.1 to v4.0
- v4.0 Report on Compliance (ROC) Template
- Attestations of Compliance (AOC) for the ROC
- Frequently Asked Questions
Over the next few months, the PCI SSC will also be releasing additional documents (including Prioritized Approach tools and Quick Reference Guides) as well as training materials and courses.
As a leading UK-based cyber security provider with team members across the globe, Dionach are ideally placed to discuss how we can help you transition to PCI DSS v4.0. Get in touch to see how a member of our dedicated team can help.