Understanding PCI DSS v4.0
The latest update to the PCI DSS is finally in full force. Discover the ins and outs of this sometimes tricky regulation and make sure your processes are still up to date. Let’s get into it!
A Quick Refresher
If your business accepts cards in any way, it’s safe to guess you’re already well familiar with the PCI DSS (at least, I’d sure hope so). But just like with a new episode of your favorite show, it’s always nice to see a rundown of everything that happened last season.
PCI DSS stands for the Payment Card Industry Data Security Standard. It’s an information security standard organized by the major credit card companies (Visa, Mastercard, etc.), and it requires businesses that process, store, or transmit credit card data to do so in a secure environment. Think of it as data protection for credit card info—something like the GDPR for your Visa.
But if you’re still unsure about the PCI DSS, or you’d simply like to know more about the base regulation itself, then be sure to read our article The Basics of the PCI: What Makes It Different?.
Hot Off the Presses
With that out of the way, it’s time we got into the nitty-gritty of PCI DSS v4.0. That’s right, version four is officially here and 100% in force. Hopefully, this isn’t the first time you’re hearing about v4.0, given that it was first announced all the way back in 2022.
It was then that companies were given two years to make all the necessary changes, and as of 31 March 2024, the old version was retired and v4.0 took its place.
As with any tech- and data-based regulation, the PCI DSS has to be updated as time goes by. This is a natural response to new threats, technological advances, and industry insights. In fact, PCI DSS v4.0 was built on 6000+ items of feedback provided by over 200 different companies. One of its main aims is to add new controls that address increasingly sophisticated cyberattacks.
Let’s take a look at the 4 largest areas of change brought by PCI DSS v4.0.
#1 Updated Security Measures
Cybersecurity is essentially the reason the PCI DSS exists at all: to protect customers’ credit card information and keep it out of untrustworthy hands. But as technology continues to advance, even more so now with the introduction of AI, the PCI DSS was due for a security upgrade.
And it came in the form of several new threat-prevention measures. One example is that PCI DSS v4.0 further expanded its multi-factor authentication (MFA) requirements. This expansion dictates the following:
- The MFA system must not be susceptible to replay (aka man-in-the-middle) attacks.
- MFA must not be able to be bypassed unless a specific exception is documented and authorized by management.
- The MFA solution must use two different and independent factors for authentication.
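To make the replay-resistance point concrete, here is an added example (not code from the original article or from PII Tools) of a server-side TOTP verifier in Python that refuses to accept a time-step counter it has already accepted for that user, so a captured one-time code cannot be submitted a second time. TOTP is assumed as the second factor; the shared secret is the RFC 6238 test-vector secret, and the user names are constructed.

```python
import hmac
import hashlib
import struct
import time
from typing import Optional

TOTP_STEP_SECONDS = 30
TOTP_DIGITS = 6


def hotp(secret: bytes, counter: int, digits: int = TOTP_DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp_counter(at: float, step: int = TOTP_STEP_SECONDS) -> int:
    """Time-step counter used by RFC 6238 TOTP for the given Unix time."""
    return int(at // step)


class TotpVerifier:
    """Verifies TOTP codes and rejects replays of an already-accepted time step.

    Hypothetical in-memory server state: a real deployment persists the
    last accepted counter per user so the replay check survives restarts.
    """

    def __init__(self, secrets: dict, window: int = 1):
        self._secrets = secrets      # user -> shared secret bytes
        self._last_accepted = {}     # user -> highest counter already used
        self.window = window         # time steps of clock skew tolerated either side

    def verify(self, user: str, code: str, at: Optional[float] = None) -> bool:
        secret = self._secrets.get(user)
        if secret is None:
            return False
        now = totp_counter(time.time() if at is None else at)
        for counter in range(now - self.window, now + self.window + 1):
            if hmac.compare_digest(hotp(secret, counter).encode(), code.encode()):
                # Replay check: a code for a step at or before the last accepted one
                # is refused even though it is cryptographically valid.
                if counter <= self._last_accepted.get(user, -1):
                    return False
                self._last_accepted[user] = counter
                return True
        return False


# Constructed sample: the RFC 6238 SHA-1 test-vector secret assigned to a made-up user.
RFC6238_SECRET = b"12345678901234567890"
SAMPLE_VERIFIER = TotpVerifier({"alice": RFC6238_SECRET})

if __name__ == "__main__":
    first = SAMPLE_VERIFIER.verify("alice", "287082", at=59)
    second = SAMPLE_VERIFIER.verify("alice", "287082", at=59)
    print(f"first use accepted: {first}, replay accepted: {second}")
```

The window lets a client whose clock drifts by one step still log in; the replay check is what stops the same code being reused inside that window. Note that a window of one step only tolerates skew, it does not weaken the replay rule, because the accepted counter is recorded and anything at or below it is rejected.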
PCI DSS v4.0 also beefed up its password requirements, with a new 12-character minimum. Passwords must also be reset every 90 days, and old passwords can never be used again. Then there is the limit on unsuccessful login attempts, now set at 10.
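The three password rules above are easiest to reason about as one policy check. The following is an added example, not code from the article or from PII Tools, of a small Python policy module that enforces the 12-character minimum, the 90-day reset, the no-reuse rule, and a lockout after 10 failed attempts. The account structure, function names, PBKDF2 parameters, and sample dates are all assumptions made for the illustration.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Thresholds as stated in the article; everything else here is a hypothetical policy module.
MIN_LENGTH = 12
MAX_AGE_DAYS = 90
MAX_FAILED_ATTEMPTS = 10
PBKDF2_ITERATIONS = 100_000


@dataclass
class Account:
    username: str
    changed_at: datetime
    history: list = field(default_factory=list)  # (salt, digest) per password, oldest first; current is last
    failed_attempts: int = 0
    locked: bool = False


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


def check_new_password(account: Account, candidate: str) -> list:
    """Return the policy violations for a proposed password (empty list means acceptable)."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    # "Old passwords can never be used again": compare against every entry in the history.
    for salt, digest in account.history:
        if hmac.compare_digest(_hash_password(candidate, salt), digest):
            problems.append("matches a previously used password")
            break
    return problems


def set_password(account: Account, new_password: str, now: datetime) -> list:
    """Apply the new password if it passes policy; otherwise return the violations."""
    problems = check_new_password(account, new_password)
    if problems:
        return problems
    salt = os.urandom(16)
    account.history.append((salt, _hash_password(new_password, salt)))
    account.changed_at = now
    account.failed_attempts = 0
    return []


def new_account(username: str, password: str, now: datetime) -> Account:
    account = Account(username=username, changed_at=now)
    problems = set_password(account, password, now)
    if problems:
        raise ValueError(f"initial password rejected: {problems}")
    return account


def password_expired(account: Account, now: datetime) -> bool:
    return now - account.changed_at > timedelta(days=MAX_AGE_DAYS)


def attempt_login(account: Account, password: str, now: datetime) -> str:
    """Outcome of one login attempt: 'ok', 'bad_password', 'locked' or 'password_expired'."""
    if account.locked:
        return "locked"
    salt, digest = account.history[-1]
    if not hmac.compare_digest(_hash_password(password, salt), digest):
        account.failed_attempts += 1
        if account.failed_attempts >= MAX_FAILED_ATTEMPTS:
            account.locked = True
            return "locked"
        return "bad_password"
    account.failed_attempts = 0
    if password_expired(account, now):
        return "password_expired"  # correct credential, but the 90-day reset is overdue
    return "ok"


if __name__ == "__main__":
    t0 = datetime(2024, 3, 31)  # constructed date
    alice = new_account("alice", "correct-horse-battery", t0)
    print(check_new_password(alice, "short"))
    print(set_password(alice, "correct-horse-battery", t0))
    print(attempt_login(alice, "correct-horse-battery", t0 + timedelta(days=91)))
```

Two design points worth noting: reuse is detected by re-hashing the candidate with each stored salt rather than keeping plaintext history, and an expired password still has to be correct before the caller learns it is expired, so the expiry path does not become a way to probe accounts.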
#2 Security as a Continuous Process
PCI DSS v4.0 clarifies that any one-and-done style security measures are out the door. Instead, businesses need to view their security processes more as a flowing river than a stagnant pond. Ongoing security is crucial to protect payment data. But how can you go about doing this?
How about a few examples? For starters, you can clearly assign roles and responsibilities for each requirement. In other words, assign specific people whose job it is to ensure each PCI DSS v4.0 requirement is implemented correctly and upheld in full.
Another example of continuous security procedures is to hold in-house trainings, where you provide detailed guidance to help employees better understand how to implement and maintain all security measures as illustrated by PCI DSS v4.0. The more well-trained eyes and assigned roles you have, the more your security river flows instead of pooling up and growing stationary.
#3 Same Objectives, Different Methods
At first glance, it may seem like version 4 of the PCI DSS is cracking down on security, becoming ever stricter. In reality, it now offers organizations and businesses more flexibility than before to achieve the same security objectives.
It does this by:
- Allowing group, shared, or generic accounts.
- Empowering organizations to establish frequencies for performing certain activities via targeted risk analyses.
- Offering two ways for entities to implement and validate PCI DSS requirements, namely the Defined Approach and the Customized Approach.
That last point is an interesting one. Before, the only option was to follow the Defined Approach, i.e., the traditional and well-defined way of implementing and validating PCI DSS controls. But now, you can opt for the Customized Approach, which allows companies to create, in a sense, their own path toward meeting the same controls. This option suits entities with robust security processes and strong risk management practices that can effectively design, document, test, and maintain these security controls.
This option may not be for everyone, but it’s a pleasant update to the one-method design laid out by PCI DSS v3.2.1.
#4 Enhanced Validation Methods and Procedures
The goal here is clearer validation and reporting options that support transparency and granularity. This is achieved by aligning the information reported in a Report on Compliance or Self-Assessment Questionnaire with the information summarized in an Attestation of Compliance.
In layman’s terms, the clearer and more streamlined the reporting process, the greater that company’s transparency. And transparency is key when trying to show the big boys upstairs (the PCI Security Standards Council) all your various data security reports. Everybody likes it when the books are clean and easy to read.
Tip of the Iceberg
Now, there’s no way to go deep into the weeds on PCI DSS v4.0 without making this more of a novel than an article—the actual regulation itself is 360 pages long! Instead, we’ve highlighted here some of the more notable changes and provided some ideas on how to incorporate these changes in practice.
And there’s no better tool to help you achieve PCI DSS compliance than the PII Tools Data Discovery Software, specially designed to simplify how you store and organize credit card data, ensuring the information is secure.
PCI DSS v4.0 is already in effect, so there’s no time like the present to start implementing these changes if you haven’t. But you’ll be happy you did because better security for you means better security for your users and customers—and that’s an achievement we can all live with.
Sources:
- https://docs-prv.pcisecuritystandards.org/PCI%20DSS/Supporting%20Document/PCI-DSS-v4-0-At-A-Glance.pdf
- https://www.groundlabs.com/blog/are-you-ready-pci-dss-v4-0/
- https://www.pcisecuritystandards.org/
- https://blog.hypr.com/pci-dss-4-password-mfa-requirements
- https://blog.pcisecuritystandards.org/pci-dss-v4-0-compensating-controls-vs-customized-approach