PCI DSS v4.0: Everything You Need To Prepare for the March 2024 DeadlineThe first implementation deadline for compliance with new PCI DSS v4.0 requirements is March 31, 2024. Keep reading to help your team maintain PCI compliance.
by Elliot Volkman
In March 2022, PCI DSS 4.0 was released, but the time to transition away from PCI DSS 3.2.1 is looming. As part of the transition, the PCI Security Standards Council has created a phased approach where organizations must align with immediate requirements by March 31, 2024, However, additional items listed as best practices won’t need to be validated until March 31, 2025.
Here’s everything you need to prepare for by the March 31, 2024, deadline, when PCI 3.2.1 will officially be retired.
PCI DSS 4.0 was released in March 2022 to address evolving threats and technologies in the payment industry.
The transition period from PCI DSS 3.2.1 to 4.0 ends on March 31, 2024.
PCI DSS 4.0 introduces a phased approach, with immediate requirements to be implemented by March 31, 2024, and additional best practices by March 31, 2025.
The core goals of PCI DSS 4.0 include meeting the security needs of the payment industry, promoting continuous security processes, enhancing validation methods and procedures, and adding flexibility to security approaches.
Key changes in PCI DSS 4.0 include a customized approach to implementation and validation, stronger authentication measures, and updates to encryption, access privileges, and vulnerability management.
Immediate effective changes include encrypting or protecting stored sensitive data, implementing multi-factor authentication, and reviewing access privileges.
The Why Behind PCI Security Standards Council’s Shift to PCI DSS 4.0
Before we get into the specifics of what has changed, it’s helpful to understand the why behind it.
The primary purpose behind the PCI DSS 4.0 update is to address evolving threats and technology in the payment industry. As the payment landscape continues to change, it is crucial for security practices to adapt and strengthen to protect payment data effectively.
Like many other regulations and frameworks, this was considered a necessary update to ensure that the standard continues to meet the security needs of the industry and promote continuous security processes.
PCI DSS 4.0 also enhances the validation methods and procedures while adding flexibility and support for alternative approaches to security. We have seen similar shifts in other standards, such as the recent ISO 27001:2022 update.
The changes introduced in PCI DSS 4.0 include a customized approach to implementing and validating the standard and updating specific requirements such as encryption, access privileges, and vulnerability management. This approach accommodates innovative technology and security practices while ensuring that the intent of the requirements is met.
Additionally, PCI DSS 4.0 introduces stronger authentication measures to bolster security. This includes the implementation of multi-factor authentication and stronger password requirements to protect against unauthorized access and data breaches.
The updated standard also includes updates to specific requirements such as encryption, access privileges, and vulnerability management to align with the latest security practices and technologies.
The transition period from PCI DSS 3.2.1 to 4.0 was designed to provide organizations with time to become familiar with the changes in version 4.0, update their reporting templates and forms, and plan for and implement changes to meet the updated requirements. However, only a few months remain in the transition period, and PCI DSS 3.2.1 will only remain active until March 31, 2024, after which it will be retired and PCI DSS 4.0.
Organizations will also have until March 31, 2025, to phase in all new requirements that are identified as best practices in version 4.0. Before this date, organizations are not required to validate these new requirements, but after March 31, 2025, they must be fully considered as part of a PCI DSS assessment.
March 2024 Deadline Requirements for Organizations
Of note, there are already immediate effective changes organizations must adopt as part of the update to PCI DSS 4.0. The other remaining changes are considered best practices until March 2025.
The following are required, must be validated, and will be part of the assessments starting in April of 2024:
Encrypting or protecting all stored sensitive authentication data.
Preventing the copy and relocation of PAN data for merchants using remote access technology.
Implementing automatic processes and systems to detect and protect personnel against phishing attacks.
Having a web application firewall in place for any web applications exposed to the internet.
Keeping an inventory of all known scripts used on web pages to mitigate malicious scripts.
Documenting, tracking, and inventorying all SSL and TLS certificates in use across public domains to strengthen their validity.
Reviewing access privileges at least twice per year.
Implementing multi-factor authentication (MFA) for all accounts with access to cardholder data.
Changing all passwords for payment applications and systems at least once a year or in case of suspicious activity or potential breaches.
Ensuring passwords are strong, unique, and include at least 15 numeric and alphabetical characters.
Using vendor and third-party accounts only when needed and continuously monitoring them for vulnerabilities and security risks.
The Most Significant Changes Between PCI DSS 3.2.1 and PCI 4.0
There are several themes and objectives associated with the updated PCI DSS standard:
Meeting the Security Needs of the Payment Industry
PCI DSS 4.0 aims to ensure that the security practices and requirements align with the evolving threats and challenges the payment industry faces. This includes addressing emerging security concerns such as e-commerce and phishing threats and expanding requirements for multi-factor authentication and stronger password policies.
Flexibility and Support for Custom Approaches to Security
Every organization treats security differently, even within the scope of those building upon baselines, such as the NIST CSF. As companies scale and mature, so do their unique needs to protect their data, assets, and people.
PCI DSS 4.0 recognizes that organizations may employ different methods to achieve security objectives. It introduces a customized approach to implementing and validating PCI DSS requirements, allowing organizations to demonstrate compliance using alternative methods while still meeting the security objectives.
This will enable organizations to choose customized controls that meet the security objectives of each requirement, providing more flexibility in achieving compliance. Assessors will validate the effectiveness of these customized controls through documentation review and risk analysis.
Implementing New Controls and Updating Policies
Organizations will need to implement new controls and update their existing policies to align with the requirements of PCI DSS 4.0. This may involve making changes to their security infrastructure, systems, and processes to ensure compliance with the new version.
Continuous Security Processes and Visibility
PCI Version 4.0 emphasizes the importance of maintaining security as an ongoing and continuous process. It encourages organizations to establish clearly assigned roles and responsibilities for each requirement, enhancing the understanding and implementation of security measures. This helps ensure that security practices are consistently maintained and updated to protect payment data.
Organizations are required to review access privileges at least twice per year and implement automated processes and systems to detect and protect against phishing attacks. Additionally, they must have a web application firewall for any web applications exposed to the internet.
PCI DSS 4.0 includes updates to specific requirements, such as encryption, access privileges, and vulnerability management. Organizations must encrypt or protect all stored sensitive authentication data and prevent the copy and relocation of PAN data when using remote access technology.
Disk-level encryption for non-removable media is no longer allowed, and organizations must use a keyed cryptographic hash method for protecting card data.
Enhanced Authentication Measures
To strengthen authentication practices, PCI DSS 4.0 includes updated requirements for multi-factor authentication (MFA) and stronger password policies.
Organizations must implement MFA for all accounts with access to cardholder data. Passwords must be changed annually or in case of suspicious activity, and they must be strong, unique, and meet specific complexity requirements.
Collaboration With Auditors
Organizations will need to collaborate closely with auditors to ensure compliance with PCI DSS 4.0. This includes engaging auditors in the design and implementation of projects, as well as planning for compliance with the new version. Regular communication and coordination with auditors will be essential throughout the process.
Improved Validation Methods
PCI DSS 4.0 enhances validation methods and procedures to support transparency and granularity. There is increased alignment between information reported in a Report on Compliance or Self-Assessment Questionnaire and information summarized in an Attestation of Compliance. These improvements provide clearer validation and reporting options.
For a comprehensive view of the changes from PCI DSS v3.2.1 to v4.0, refer to the Summary of Changes document available in the PCI SSC Document Library.
The transition from PCI DSS 3.2.1 to 4.0 brings significant changes that impact organizations. PCI DSS 4.0 introduces a phased approach, with immediate requirements that must be implemented by March 31, 2024, and additional best practices to be validated by March 31, 2025. The updated standard aims to address evolving threats and technology in the payment industry while promoting continuous security processes.
Key changes include a customized approach to implementation and validation, stronger authentication measures, and updates to encryption, access privileges, and vulnerability management. Organizations must encrypt stored sensitive data, implement multi-factor authentication, review access privileges, and more. Organizations must understand and implement these changes to ensure compliance with PCI DSS 4.0 and protect payment data effectively.
Enhance Your Compliance Posture With Continuous Security Processes and Visibility
GRC and compliance frameworks have historically been treated as documentation that is locked to a point in time. However, as standards and policy creators reassess the current security landscape, they have time and time again emphasized the importance of continuous visibility and processes to provide more direct value out of effort organizations are required to follow.
Drata can scale and enhance your current GRC processes through automation that ensures you exceed the new continuous visibility requirements in standards like PCI DSS 4.0 and ISO 27001:2022, and that you are always on top of the ever-changing compliance landscape. Chat with our team to learn how.