PCI DSS v4.0: Changes You Need to Know
On March 31, 2022, the PCI Security Standards Council (PCI SSC) updated the PCI Data Security Standard (PCI DSS), the information security standard used by retailers and financial organizations to protect sensitive cardholder data. Coming four years after the release of PCI DSS v3.2.1, the Council says PCI DSS v4.0 will “address emerging threats and technologies, and enable innovative methods to combat new threats” to cardholder data, largely by centering the standard on outcome-based requirements.
Hundreds of pages longer than the previous version, the new standard is considered a major update and is a significant revision that might seem foreign even to those familiar with PCI DSS v3.2.1. Organizations can expect most requirements to have some level of alteration — from changes to requirement number, location, and wording, to new requirements and testing procedures.
One of the most noteworthy updates is to the reporting documentation itself, which includes a new assessment finding status (i.e. In Place with Remediation) and a new validation method called “Customized Approach.”
In this blog, I’ll offer a high-level overview of what you need to know about the PCI DSS 4.0 changes.
PCI DSS 4.0 Changes
PCI DSS v4.0 maintains its core structure of 12 PCI DSS requirement sections. However, it features significant changes to the requirement layout and, in many cases, to the wording itself. Some requirements were relocated to new sections that better suit their purpose and objective. You will also find requirements that have been redesigned to clarify their security intent and to provide additional guidance on how security controls should be implemented.
The key high-level goals for PCI DSS v4.0 are:
- Ensure the standard continues to meet the security needs of the payments industry
- Promote security as a continuous process
- Add flexibility and support for additional methodologies to achieve the objective of a requirement
- Enhance validation methods
The Customized Approach
PCI DSS 4.0 keeps the existing prescriptive method for compliance and introduces a new Customized Approach option for meeting a requirement. The Customized Approach allows organizations to leverage novel technologies and innovations to meet a control objective in a way that may not match the defined requirement approach. This is intended to give organizations more flexibility, as long as they can show their custom solution meets the objective of the PCI DSS requirement.
The new Customized Approach validation method provides a more mature model than what was previously referred to as Compensating Controls. It requires more vetting and review, including control matrix documentation and a targeted risk analysis, to ensure the assessed entity has fully addressed all associated risks and to confirm that the intent of the control objectives is being met.
12 Additional Changes You Need to Know
Outside of the changes to the reporting format and validation methods, there are a good number of changes to the requirements themselves as well. There are a total of 64 changed or new requirements in the PCI DSS 4.0 standard. Here are 12 PCI DSS 4 changes you need to know.
- Formalized Annual Scoping Exercise – Performance of an annual scoping exercise was something organizations were instructed to execute within the PCI DSS 3.2.1 instructions. The onus, however, was on the organization being assessed to confirm this exercise was being properly conducted. PCI DSS v4.0 formalizes this as one of the new requirements within the standard itself, which will now be validated by an assessor.
- Updated Authentication Requirements – Password Authentication Requirements now include:
- Minimum Password Length – 12 characters (previously 7 characters)
- Minimum Complexity – numeric and alphabetic
- Lockout Requirements – no more than 10 failed attempts (previously 6 attempts)
- Minimum Lockout Duration – 30 minutes
- Password Expiration – 90 days*
- Password History – Previous 4 Passwords
*PCI DSS v4.0 does provide additional options to satisfy the 90-day expiration requirement. It clarifies that the use of MFA, and/or performing a real-time dynamic analysis of a user account’s security posture based on a zero-trust architecture, can also be used to meet this control.
- Multi-Factor Authentication – PCI DSS 4.0 adds clarification to the MFA requirements for remote access and for access into the cardholder data environment (CDE). If remote access grants access to a network outside the CDE, then an additional MFA control will be required to gain access into the CDE from that network. This is important because the new standard also clarifies that MFA for remote access is required for networks with access to the CDE (where connected systems exist).
- Risk Assessment – Instead of a single risk assessment process, PCI DSS v4.0 requires organizations to perform a targeted risk analysis for every requirement where flexibility is allowed, and that risk analysis must be performed at least annually for each instance. Examples are controls that are required to be performed “periodically.” The results of this exercise will need to be documented and provided to the assessor for review prior to the PCI assessment.
- Ownership, Roles, & Responsibilities – Organizations must now properly communicate roles, responsibilities, and ownership of all requirement tasks. Responsibilities must be formally documented, assigned, and understood by the owner.
- Encryption – The hashes used to render a primary account number (PAN) unreadable are required to be keyed cryptographic hashes of the entire PAN. Organizations will no longer be allowed to only hash the sensitive parts of the PAN. In addition, disk encryption will no longer be acceptable as the control used to protect PAN at rest, with the exception of PAN stored on removable media.
- Anti-virus/Malware – The anti-virus requirements will have more flexibility for organizations based on targeted risk assessments. There is a new control required to be in place that detects and protects personnel against phishing attacks.
- Public-facing web applications – PCI DSS v4.0 requires deployment of an automated technical solution that continually detects and prevents web-based attacks. This solution must be in front of public-facing web applications and configured to either block web-based attacks or generate an alert that is immediately investigated.
- HTTP Headers – To help curb the impact of Magecart attacks, there’s a new requirement for a change and tamper-detection mechanism that alerts of any unauthorized modifications to HTTP headers and the contents of payment pages as received by the consumer browser.
- Payment page scripts – Also related to the above, organizations will be required to manage (and use proper controls to ensure the integrity of) all payment page scripts that are loaded and executed in the consumer’s browser. This includes scripts being pulled from third-party sites.
- Log Requirements – Only ‘Automated Mechanisms’ will be allowed for performing audit log review, meaning daily manual reviews will be prohibited. Also, requirements around control failures will now apply to all organizations and not only service providers.
- Internal Vulnerability Scanning – Internal scans must be authenticated unless the device being scanned does not accept credentials. PCI DSS v4.0 also includes controls concerning the protection of authentication credentials.
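As an added illustration of the updated authentication requirements above (not code from the original post or from the PCI SSC), the following Python module encodes the listed values as an enforceable policy: a 12-character minimum with numeric and alphabetic characters, a 4-password history, a 10-attempt lockout lasting 30 minutes, and a 90-day expiry that is waived when the account is covered by MFA. The `Account` class, its field names and the plaintext password history are assumptions made for the demo; a real system would compare against stored password hashes.

```python
from __future__ import annotations
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Values taken from the PCI DSS v4.0 password requirements listed above.
MIN_LENGTH = 12
MAX_FAILED_ATTEMPTS = 10
LOCKOUT = timedelta(minutes=30)
MAX_PASSWORD_AGE = timedelta(days=90)
HISTORY_DEPTH = 4


def check_password_policy(candidate: str, previous: list[str]) -> list[str]:
    """Return the policy violations for a proposed password (empty list = acceptable)."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not (re.search(r"[0-9]", candidate) and re.search(r"[A-Za-z]", candidate)):
        problems.append("must contain both numeric and alphabetic characters")
    # Demo only: production code checks the candidate against the stored hashes
    # of the last HISTORY_DEPTH passwords, never a plaintext history.
    if candidate in previous[-HISTORY_DEPTH:]:
        problems.append(f"matches one of the previous {HISTORY_DEPTH} passwords")
    return problems


@dataclass
class Account:  # hypothetical account record for the demo
    password_set_at: datetime
    mfa_enrolled: bool = False
    failed_attempts: int = 0
    locked_until: Optional[datetime] = None

    def record_login_attempt(self, success: bool, now: datetime) -> str:
        """Lockout rule: the 10th consecutive failure locks the account for 30 minutes."""
        if self.locked_until is not None and now < self.locked_until:
            return "locked"          # still inside the lockout window
        if success:
            self.failed_attempts = 0
            self.locked_until = None
            return "ok"
        self.failed_attempts += 1
        if self.failed_attempts >= MAX_FAILED_ATTEMPTS:
            self.locked_until = now + LOCKOUT
            self.failed_attempts = 0  # counter restarts once the lockout expires
            return "locked"
        return "failed"

    def password_change_required(self, now: datetime) -> bool:
        """90-day expiry applies unless MFA covers the account (the v4.0 alternative)."""
        if self.mfa_enrolled:
            return False
        return now - self.password_set_at > MAX_PASSWORD_AGE
```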
PCI DSS v4.0 Timeline
PCI DSS v4.0 and PCI DSS v3.2.1 will both be valid standards available to organizations until March 31, 2024, after which only PCI DSS v4.0 assessments will be allowed. Also, most new requirements (including others not listed above) will be considered best practice until 2025.
The PCI SSC is still working to release supporting documents to assessor companies and provide training to all assessors before they can perform any PCI DSS v4.0 assessment. This training is planned to be available in June 2022. Given this, we don’t expect any PCI DSS v4.0 assessments to begin until at least July of 2022. We caution companies, however, to do their due diligence and prepare for any and all changes to the standard that might impact their assessment.
If you have any questions about the new standard and need help deciding which will be most appropriate for you to complete, please reach out to A-LIGN and our team will be happy to share more about the PCI DSS 4 changes and help you through that decision process.