On March 31, 2022, the Payment Card Industry Security Standards Council (PCI SSC) released version 4.0 of the PCI DSS. The PCI DSS is a global standard that sets technical and operational requirements for safeguarding consumer payment card account data. Here is a brief overview of the new version, what to expect, and key dates to plan for the transition.
WHAT IS NEW IN PCI DSS V4.0?
PCI DSS v4.0 replaces PCI DSS v3.2.1 to address advancing technologies and evolving threats. Notably, the 12 core PCI DSS requirements did not change with PCI DSS v4.0; they continue to be the critical foundation for protecting payment card data. The key priorities for 4.0 were to increase security and flexibility. Overall, there are 64 new requirements. Of those 64,
- 53 apply to all entities
- 11 new requirements are for Service Providers only
- 13 will be required immediately for any v4.0 assessments
- 51 are future dated best practices until March 2025
WHY THE NEW DEVELOPMENT?
The PCI SSC states the goals of PCI DSS v4.0 as:
- Continually meet the security needs of the payment industry
- Add flexibility and support for additional methodologies to achieve security
- Promote security as an ongoing and evolving process
- Enhance validation procedures and methods
WHAT ARE THE KEY DATES WE SHOULD KNOW?
- PCI DSS v4.0 Release: March 31, 2022
- PCI DSS v4.0 Training – QSA and SAQ release: End of Q2 2022
- PCI DSS v3.2.1 Expires: March 2024
- PCI DSS v4.0 Best Practices become Full Requirements: March 2025
When it comes to the transition to the new version, PCI DSS v3.2.1 will remain active for two years after the release of v4.0, says the PCI SSC. This transition period, which ends on March 31, 2024, allows organizations to become familiar with the changes, update their reporting templates and forms, and plan for and carry out changes to meet the updated requirements. At that time, PCI DSS v3.2.1 will be retired, and v4.0 will become the only active version of the standard.
Because of the complexity of the new requirements and the time needed to implement structural changes, companies should start to address and internally validate controls well in advance of an assessment by their Qualified Security Assessor (QSA). As a best practice, organizations should engage a full team to assess the impact of the new standard on the business. This would include executives, legal counsel, IT, and everyone who handles payment card data in the company, in order to get a full picture of risk and exposure and to encourage open communication throughout the process.
The increased focus on risk assessments in PCI DSS v4.0 means that entities will report more information about their security strategies to a QSA than under version 3.2.1. Thus, risk assessments and documentation of safeguards will be key under v4.0.
Review your existing PCI compliance and risk profile to best prepare for your PCI DSS v4.0 transition.
PCI WEBINAR SERIES
Preparing for Your Transition to PCI DSS v4.0 Webinar
In our 5-part PCI Webinar Series, learn about the general changes to 4.0, new requirements, best practices, and how an increased focus on risk evaluations in this new version will be a driving force for security and compliance.
Join Viviana Wesley, CISM, PCI QSA, ISO 27001 Auditor and HALOCK Principal Consultant to review key updates and next steps to support your transition to PCI DSS v4.0.
SOURCES
PCI DSS Requirements
PCI DSS Requirement 5.4.1: Anti-spoofing controls such as Domain-based Message Authentication, Reporting and Conformance (DMARC), Sender Policy Framework (SPF), and DomainKeys Identified Mail (DKIM) can help stop phishers from spoofing the entity’s domain and impersonating personnel.