3 Major Changes with PCI DSS v4.0.1

By Cole Pruden. Categories: Compliance, Data Protection, PCI DSS, Sensitive Data


The long-awaited version 4 of the PCI DSS has only been the mandatory version since v3.2.1 was retired at the end of March 2024. And already it has been revised into v4.0.1. Let's take a look at 3 changes you need to know about.

First There Was v4

Before we get too deep into this latest revision, it's important we're all up to speed on this standard and the update to version 4. To summarize, the Payment Card Industry Data Security Standard requires any organization that processes, stores, or transmits payment card data to do so in a secure environment. It is not a law but an industry standard, enforced contractually by the card brands and acquiring banks.

In the same way that data protection regulations such as the GDPR strive to safeguard personal information, the PCI DSS protects sensitive payment card data. If you'd like to know more about the standard itself, we recently published a deep dive on v4 that you can check out.

Staying Up-To-Date

Technically speaking, PCI DSS v4.0 is already superseded: v4.0.1 was published on 11 June 2024 and is now the current version. v4.0 itself is retired at the end of 2024, after which assessments are performed against v4.0.1 only.

Right out of the gate, it’s worth mentioning that this update is only a limited revision of v4.0, meaning the base information and requirements stay the same, but a few noteworthy changes have been made. And when it comes to data protection, you never want to find yourself being left behind.

More than anything, PCI DSS v4.0.1 is a response to stakeholder feedback about v4. It corrects formatting and typos and, more importantly, clarifies the focus and intent of some of the requirements and guidance. It adds no new requirements, removes none, and does not change the 31 March 2025 deadline for the future-dated requirements.

Changes To: Requirement 3

The first requirement to undergo changes was Requirement 3: Protect stored account data. Initially, this section left some readers confused, as it stated that Sensitive Authentication Data (SAD) must not be retained after authorization, even if encrypted.

A little further on, it seemed to contradict itself by requiring that SAD stored electronically prior to the completion of authorization be encrypted using strong cryptography. This left issuers, and companies that support issuing services, unsure whether they had to meet these requirements, since issuers legitimately hold SAD as part of their business.

v4.0.1 resolves this by stating explicitly that these requirements do not apply to issuers and companies that support issuing services that have a "legitimate and documented business need" to store SAD. For everyone else the rule is unchanged: SAD must not be retained after authorization, encrypted or not, and any SAD held before authorization completes must be protected with strong cryptography.

Changes To: Requirement 6

The next area that needed updating was Requirement 6, specifically the bullet stating that "patches/updates for critical and high-risk vulnerabilities had to be installed within one month of release".

Following user feedback, v4.0.1 now specifies that the one-month installation window "applies for critical vulnerabilities, not high-risk ones". This does not mean high-risk vulnerabilities can be ignored: they still have to be patched, but within a time frame the organization sets itself through its own vulnerability risk-ranking process. How your organization rates a vulnerability as critical versus high therefore directly determines which clock it is on, so that ranking process needs to be documented and defensible.

Changes To: Requirement 12

Requirement 12 deals with the relationship between organizations and third-party service providers, or TPSPs. Many organizations opt to engage with such TPSPs to store, process, or transmit account data or even to manage in-scope system components on their behalf.

PCI DSS v4.0.1 now goes into further detail about what a customer can expect from this relationship. For example, it clarifies that all TPSPs are required to support their customers' requests for information about the TPSP's PCI DSS compliance status.

Another example is that customers can request information about which specific PCI DSS requirements are the responsibility of the TPSP, which are their own, and which they share together with the TPSP.

This is crucial information for any organization working with a TPSP, as it gives the customer a clear basis for establishing who is handling their account data and which requirements each party is accountable for. Bear in mind that engaging a TPSP does not transfer responsibility: the customer remains accountable for its own compliance and for managing the TPSP relationship, which is exactly why this responsibility breakdown matters.

PCI DSS v4.0.1 Compliance

It's safe to say we can only expect further revisions and updates in the future. Standards like the PCI DSS are essentially a moving work in progress that has to adapt to changes in technology and in attacker behaviour.

That’s why it’s always a good idea to stay up-to-date on the PCI DSS, even if some of the changes may appear minor at first glance. The end goal is always to protect the customers’ data, not only for your own reputation but simply because it’s the right thing to do.
