Payment Card Industry Data Security Standard version 4.0 Changes and Transition Timelines
The Payment Card Industry (PCI) Security Standards Council (SSC) introduced an updated compliance framework for the payment card industry with the release of PCI Data Security Standard (PCI DSS) version 4.0 on March 31, 2022. Version 4.0 contains the most significant updates to the standard since version 3.2.1 was released in May 2018. The new framework is eligible for early adoption until version 3.2.1 is retired on March 31, 2024, when v4.0 becomes the required compliance framework. The new technical security requirements in v4.0 are currently recommended as a best practice and are not required to be in place until March 31, 2025 (one year after the adoption date).
There are several changes within the new framework, but arguably the most notable is that entities now have the option of using the new customized approach instead of the defined approach. The defined approach is similar to PCI DSS v3.2.1 in terms of the requirements, controls, and testing procedures, all of which are prescribed by the SSC. With the customized approach in v4.0, an organization can satisfy a PCI DSS requirement in a way that does not strictly follow the defined requirement: it determines and designs the security controls that meet the requirement's objective in a manner suited to its own environment.
Organizations may use the defined approach for some requirements and the customized approach for others, but cannot use both approaches for the same requirement. Other key points related to the customized approach:
- Gives the entity flexibility to select which PCI requirements it wishes to customize
- Requires additional documentation and a risk analysis for each customized approach
- Compensating controls are not allowed for PCI requirements met using the customized approach
The entity is required to perform the following procedures for each requirement met using the customized approach:
- Document and maintain evidence about each customized control
- Perform a targeted risk analysis, as defined by the SSC, which includes five parts:
  - Identify the requirement and the mischief that the requirement was designed to protect against
  - Describe the proposed solution and explain how the control will prevent the mischief
  - Analyze changes to the likelihood of a breach by documenting the factors that affect the likelihood of the mischief occurring, and state whether the likelihood has increased, decreased, or stayed the same
  - Analyze changes to the impact of unauthorized access to account data by tying the likelihood of the mischief to the impact on cardholder data (CHD)
  - Obtain review and approval by a member of executive management at the next review date
- Test and monitor the operating effectiveness of the control
In addition to the rollout of the customized approach, there are several other changes, which are grouped into the following categories:
- Evolving requirements - Changes to keep the standard current with emerging threats and technologies. Several changes require additional and/or enhanced security protections, such as the following:
  - Sensitive authentication data (SAD) storage (Requirements 3.3.2 and 3.3.3)
  - Disk-level encryption (Requirement 3.5.1.2)
  - Deploying an automated technical solution, such as a web application firewall (WAF), for public-facing web applications that detects and prevents web-based attacks (Requirement 6.4.2)
  - Management of all payment page scripts that are loaded and executed in the consumer’s browser (Requirement 6.4.3)
  - Implementing multi-factor authentication for all access into the cardholder data environment (CDE) (Requirement 8.4.2)
  - Automated audit log reviews (Requirement 10.4.1.1)
  - Monitoring failures in critical security controls such as firewalls, intrusion detection systems (IDS) / intrusion prevention systems (IPS), change detection solutions, antimalware, logical access controls, and physical access controls (Requirement 10.7.2)
  - Authenticated internal vulnerability scanning (Requirement 11.3.1.2)
- Clarification or guidance - Updates to wording, explanations, definitions, additional guidance, and/or instructions within the introductory sections of the Report on Compliance (ROC) and within individual requirements.
- Structural or formatting changes - Reorganization of content, including combining, separating, and renumbering requirements to align content.
Additionally, there is a new requirement (Requirement 12.5.2) for the entity to perform a formal PCI compliance scope confirmation on an annual basis. Furthermore, each of the 12 PCI DSS Requirements calls for the assignment of roles and responsibilities for all activities within that requirement.
Changes to the ROC template include:
- Scope exclusions (3.1)
- SAQ eligibility requirements (3.1)
- Storage of SAD (4.3.1)
- Managing third-party service providers (4.4)
- In-scope component table (4.8)
- Sample sets (4.9)
- Internal vulnerability scans (5.3)
- Evidence tables (6.2-6.5)
Notes regarding Self-Assessment Questionnaires (SAQs):
- Same list of SAQs as previously available with v3.2.1 (i.e., A, A-EP, B, B-IP, C, C-VT, P2PE-HW, D for Merchants, and D for Service Providers)
- Updated requirements in SAQs are similar to the full ROC updates
- SAQs are not eligible for the customized approach
Requirements that are effective immediately with any v4.0 assessment (and all assessments beginning 3/31/2024) include:
- documenting and assigning roles and responsibilities within each respective requirement,
- the requirement to document and confirm annually the scope of PCI compliance, and
- the requirement to perform the targeted risk analysis for each requirement met with the customized approach.
We recommend beginning your assessment of the PCI DSS v4.0 framework and changes as soon as feasible. While the specified compliance dates seem far out, several changes require new or updated technical solutions and funding that will take time to implement.
If you have any questions about this article or have questions about assessing your credit card compliance, please reach out to RubinBrown.