PCI DSS 4.0: New Requirements

Payment Card Industry Data Security Standard (PCI DSS) v4.0 is the exclusive version that brings many new conditions and features within its functioning. The PCI Security Standards Council (PCI SSC) issued the latest version 4.0 on 31st March 2022. The aim of PCI DSS 4.0 is to add more compliance and flexible features. 

While the 12 primary PCI DSS requirements from the 3.2.1 version will continue to be the core foundation for securing cardholder data under the PCI DSS framework, these requirements have been updated, restructured and new requirements have been added to offer guidance on how security controls should be used. PCI DSS 3.2.1 will remain active until 31st March 2024, and additional requirements will be considered best practice until 31st March 2025—meaning there’s still time to complete transition to the 4.0 version. 

New Requirements   

There are 64 new additional requirements introduced in the PCI DSS v 4.0, which would be becoming mandatory for all the entities seeking compliance to PCI DSS. Out of the 64 new requirements, 13 immediate requirements would be becoming mandatory from 31st March 2024, while for the remaining 51 requirements, there is a grace period given till 31st March 2025.  

Immediate Requirements  

Immediate requirements are the 13 requirements, which are applicable from 31st March 2024. These 13 requirements are majorly revolving around the documentation of the roles and responsibilities for performing activities for each primary requirement. 10 immediate requirements are about the documentation & communication of the roles and responsibilities for performing activities, which are following – 

1. Roles and responsibilities for performing activities in Requirement 2 are documented, assigned, and understood. 
2. Roles and responsibilities for performing activities in Requirement 3 are documented, assigned, and understood. 
3. Roles and responsibilities for performing activities in Requirement 4 are documented, assigned, and understood. 
4. Roles and responsibilities for performing activities in Requirement 5 are documented, assigned, and understood. 
5. Roles and responsibilities for performing activities in Requirement 6 are documented, assigned, and understood. 
6. Roles and responsibilities for performing activities in Requirement 7 are documented, assigned, and understood. 
7. Roles and responsibilities for performing activities in Requirement 8 are documented, assigned, and understood. 
8. Roles and responsibilities for performing activities in Requirement 9 are documented, assigned, and understood. 
9. Roles and responsibilities for performing activities in Requirement 10 are documented, assigned, and understood. 
10. Roles and responsibilities for performing activities in Requirement 11 are documented, assigned, and understood. 

However, the remaining 3 immediate requirements are defined in the primary requirement 12: Support information security with organizational policies and programs. Which is the following:  

1.  A targeted risk analysis is performed for each PCI DSS requirement that is met with the customized approach. (12.3.2) 

1.  PCI DSS scope is documented and confirmed at least once every 12 months. (12.5.2) 

1.  TPSPs support customers’ requests to provide PCI DSS compliance status and information about PCI DSS requirements that are the responsibility of the TPSP. (12.9.2) – Applicable on service providers only 

To be compliant with the 13 immediate requirements, an entity will have to take the following actions: the first 3 action items are applicable for all the entities, though last action item is applicable for service providers only. 

• document & communicate the roles & responsibilities of the personnel for performing activities/tasks as applicable.   

• perform a risk analysis for each PCI DSS requirement that is met with the customized approach & log it in the risk register. 

• document & review the scope of the PCI DSS at-least once every 12 months. 

• create a responsibility matrix which agreed between the TPSPs & their customers, provide AOC to the customers on demand, if the TPSP did not undergo the PCI assessment then provide the relevant sufficient evidence to demonstrate the compliance to applicable requirements.   

51 requirements  

 We have learned about the 13 immediately applicable requirements above, and now, will explore the challenges for the rest of the 51 requirements, which will be becoming mandatory from 31st March 2025. 

The transition from PCI DSS 3.2.1 to 4.0 signifies a shift towards adapting to emerging technologies and evolving security landscapes. However, as entities prepare for this transition, they will encounter several significant challenges.  We have summarised what we believe could be the biggest challenges our clients may encounter. 

Technical Complexity & Resource Availability 

 The new security requirements of PCI DSS 4.0 demand advanced technologies and a wider scope therefore simplifying the technology and resource management will be the key. Further, we are going to highlight few biggest challenges –  

• The terminology shift towards "network security controls" in the primary requirement 1 underscores the need for continuous monitoring and real-time access, therefore this may impact current technology available & staffing levels. 

• New requirement 5.4.1 outlines the emphasis on the automation of the phishing controls that reflects the evolving landscape of cyber threats and the need for robust measures to safeguard users and businesses and this requirement requires an additional technology to be implemented. 

• New requirement 6.4.3 outlines the emphasis on the authorization and integrity of the payment page scripts to ensure that the unauthorized code is not present in the payment page as it is rendered in the consumer’s browse.  

Scripts may be authorized by manual or automated (e.g., workflow) processes and using the parent page’s Content Security Policy (CSP) can help prevent unauthorized content being substituted for the payment page. therefore, this may impact the current technology available & staffing levels for manual authorization of the scripts. 

• Likewise, requirement 6.4.3, new Requirement 11.6.1 outlines the need of a change and tamper detection mechanism to prevent and detect unexpected script activities, generally known as skimming attack. therefore, this requirement requires an additional technology to be implemented. 

The list of the new requirements and associated challenges is quite long. Implementing and configuring these technologies require significant investments in technology and talent.     

Conclusion  

PCIDSS 3.2.1 is replaced with PCIDSS 4.0, and all the entities shall comply with PCIDSS 4.0, 1st April 2024 onwards. The latest version 4.0 details that PCI DSS compliance is not a one-time event but an ongoing process requiring continuous system monitoring and regular updates. Maintaining compliance again requires dedicated resources and personnel to manage monitoring and maintenance tasks effectively. Sustaining compliance with PCI DSS 4.0 requires a commitment to ongoing efforts and a dedicated team to ensure that security measures remain robust over time.  

Implementation of the immediately applicable 13 requirements require the extensive documentation, while the implementation of the rest of the 51 requirements, needs technical expertise and technology change or upgrade. Entities may find it particularly challenging to meet these requirements without straining their resources, therefore subject matter expertise from 1 Cyber Valley can support with compliance to the new additional requirements of PCIDSS 4.0, while ensuring that no or minimal interruption to the existing environment.