PCI DSS Latest Changes
The Payment Card Industry Data Security Standard (PCI DSS) sets specific practices and requirements designed to protect cardholder data, help organizations maintain secure systems, minimize the risk of fraud, and foster trust among businesses and customers.
While PCI DSS is not a government-mandated regulation, companies that accept or process payment card information must still comply with the payment security framework or face hefty fines and other serious repercussions.
Introduced in 2004, PCI DSS has undergone several iterations and remains the industry benchmark for good payment card practices. The latest version (v4.0) was released in 2022 and includes changes designed to update the standard’s relevance, address emerging threats, and provide organizations with more flexibility in how they can meet the requirements.
PCI DSS v4.0 will take effect on March 31, 2024. At that point, all covered organizations will have only a one-year transition period to get their systems fully compliant by March 2025.
If you think the grace period gives enough compliance legroom to meet all the new requirements, think again. The new changes in Version 4.0 are significant, representing a step change in your overall approach to data security. Note also that some new requirements take effect immediately for organizations undergoing a PCI DSS assessment, even during the transition period.
Starting early and getting expert advice from accredited PCI DSS professionals (Qualified Security Assessors or QSAs) will remove all the guesswork, ensure timely compliance, and prime your business for the emerging payment card landscape.
What’s New in PCI DSS v4.0?
There are three types of changes made to the payment card standard:
- Evolving Requirements: These are requirements updated in response to new threats and technologies.
- Clarification or Guidance: These are changes that clarify a specific issue or provide guidance on how best to comply with a requirement.
- Structure or Format Changes: These are changes that improve the coherence, organization, and readability of the PCI DSS documentation.
While the 12 core PCI DSS requirements remain essentially the same, several new requirements that address evolving risks and reinforce ongoing security will be implemented soon. In total, there are 64 new requirements listed in the PCI DSS Summary of Changes document. Of these requirements, 53 are applicable to all categories of covered entities, while 11 apply only to service providers. In terms of implementation, 13 new requirements (including those for documenting the roles and responsibilities relevant to each key requirement) will take effect immediately for all v4.0 assessments while 51 will take effect on March 31, 2025.
Here are some of the new requirements:
- Any sensitive authentication data (SAD) stored prior to completion of authorization should be kept to a minimum using appropriate data retention and disposal policies, procedures, and processes.
- Any SAD stored electronically before completion of authorization should be encrypted using strong cryptography (all entities). SAD stored by issuers should be encrypted using strong cryptography (service providers).
- All covered entities should implement technical controls to prevent the copying and/or relocation of primary account numbers (PAN) when using remote-access technologies except with explicit authorization.
- Anti-malware scans should be performed whenever removable electronic media is in use.
- All entities should implement mechanisms to detect phishing attacks and protect personnel from cyber threats.
- An inventory of bespoke and custom software should be maintained to facilitate vulnerability and patch management.
- Covered entities should implement an automated technical solution for public-facing web applications that continually detects and prevents web-based attacks.
- Payment page scripts that are loaded and executed in the consumer’s browser should be appropriately managed.
- Multifactor authentication (MFA) should be implemented for all access into the cardholder data environment (CDE).
- Internal vulnerability scans should be performed via authenticated scanning.
- A change-and-tamper-detection mechanism should be deployed for payment pages.
- Security awareness training should cover threats that could impact the security of the CDE and must include modules on phishing, social engineering, and related attacks.
These are just some of the new requirements your company should start implementing as the effective date of PCI DSS v4.0 draws near.
Implications for organizations
The new changes in the PCI standard reflect evolving payment environments, threats, technologies, and methods for mitigating risk. These changes impact organizations in many ways, with some changes granting a significant uplift in capabilities while others pose additional compliance challenges.
First, the framework’s documentation has been improved in terms of its clarity, coherence, organization, and readability. Second, advances in information technology and threat mitigation techniques help drive new and better ways of safeguarding cardholder data and securing networks. Third, the new option for a customized validation approach provides organizations with more flexibility in how they can comply with PCI DSS. This specifically benefits covered entities with mature security systems.
In tandem with the foregoing advantages, the latest version of PCI DSS also poses significant challenges. For one thing, the new requirements will likely increase compliance costs, as covered entities will need to make additional investments in the required security controls, such as vulnerability scanning, staff training, stronger access management systems, and incident response.
All covered entities have until March 31, 2024, to comply with the latest standard version.
Compliance with PCI DSS v4.0
Organizations can achieve compliance by assessing their current security posture, implementing the required security controls, and undergoing a formal assessment by a qualified security assessor (QSA).
Of course, that is easier said than done. PCI DSS compliance is an ongoing journey, not a final destination. Depending on your organizational category, you need to cycle through the standard process every year or two to acquire an attestation of compliance (AOC).
Here are some best practices on how to achieve and sustain compliance with PCI DSS:
- Maintain an inventory of all your systems and applications that handle cardholder data.
- Document and update your policies and procedures to align with the latest changes in PCI DSS.
- Assess your current security posture. Identify areas where you may be vulnerable or exposed to significant risk.
- Implement security controls. Mitigate risk by addressing the weaknesses you have identified. These risk-mitigating controls include the efficient use of multifactor authentication, regular and prompt software updates, strong data encryption, robust network security systems, and an adequate incident response plan.
- Upgrade your IT security awareness training for staff.
- Protect and monitor all your systems using solutions such as firewalls, intrusion detection systems, anti-malware services, threat intelligence feeds, and vulnerability scanning.
- Stay up to date. The PCI DSS framework is designed to evolve with the changing payment landscape. Regularly visit the PCI SSC (Payment Card Industry Security Standards Council) website and subscribe to their newsletter to remain updated about topics that affect your organization.
- Get help from PCI DSS experts. Partnering with a trusted managed compliance provider gives you access to experienced QSAs who can help you identify gaps in your security layer, close those gaps, and issue a formal attestation of compliance (AOC).
Conclusion
The changes introduced in PCI DSS v4.0 help organizations adapt to the evolving payment ecosystem and address the weaknesses that can be exploited to undermine its security. While the core requirements remain fundamentally intact, the new version of the standard introduces 64 new requirements.
Getting expert advice from a PCI DSS specialist can save you time and money in building your roadmap towards full compliance well before the new requirements take effect in March 2024. Remember, the sooner you achieve compliance, the less stress you will have as that eventful date draws near.