
The Curtain Rises: Unveiling PCI DSS 4.0

The newly released PCI DSS v4.0 is expansive in scope, forward-looking in approach and sharper in focus. It covers risk-driven evaluation, threat-based plans of action, evolving payment form factors and stringent controls to promote greater security for payment data, while also offering considerable flexibility through the customized approach to validation.

The much-awaited version 4.0 of the PCI Data Security Standard (PCI DSS) was launched on 31 March 2022. The PCI DSS is a global standard that provides a baseline of technical and operational requirements designed to protect payment data. PCI DSS v4.0 is the next evolution of the standard and will replace v3.2.1. The evolution stems from the need for greater security for payment data against a backdrop of data breaches rising in frequency and complexity, emerging technologies and innovations, and a constantly widening attack surface.

What’s the new focus of the standard?

The overall goals for the updates in PCI DSS v4.0 are to meet the evolving security needs of the payment industry, promote security as a continuous process, add flexibility for different methodologies that meet the intent of the requirements, and enhance validation methods. (Read our earlier blog previewing v4.0.) The new standard is expansive in scope, forward-looking in approach and sharper in focus, and covers five major domains:

  • Risk-driven evaluation and implementation
  • Threat-based Plan of Action
  • Evolving Payment Form Factors
  • Coverage of end-to-end payment ecosystem
  • Stringent controls

A Closer Look at the New Requirements

PCI DSS v4.0 includes a host of new requirements, 64 to be specific, that apply to all entities or, in some instances, to service providers only. These new requirements are either effective immediately for all PCI DSS v4.0 assessments or serve as best practices until 31 March 2025, after which they become mandatory. The key changes likely to have significant impact are listed below:

  • Requirement 1 now focuses on network security controls rather than firewalls and routers, to support the broader range of technologies (cloud-native controls, zero trust architectures and so on) that now meet the security objectives traditionally met by firewalls.
  • Requirement 3 addresses sensitive authentication data (SAD) stored before authorization is complete: it must be encrypted with strong cryptography and covered by the data retention policies, procedures and processes. With the expansion of BINs to eight digits, the standard also addresses the masking challenge by allowing the BIN and the last four digits of the PAN to be displayed, with anything more restricted to personnel with a legitimate business need.
  • Requirement 4 now requires confirming that the certificates used to safeguard PAN during transmission over open, public networks (for example TLS certificates) are valid and not expired or revoked, and requires organizations to maintain an inventory of their trusted keys and certificates.
  • Requirement 5 requires the frequency of periodic evaluations of system components not at risk for malware to be defined in the entity’s targeted risk analysis, so that such components are re-evaluated at the interval set under the organization’s risk management program. It also adds detection of and protection against phishing attacks.
  • Requirement 6 requires an automated technical solution (such as a web application firewall) for public-facing web applications that continually detects and prevents web-based attacks. It also adds controls for managing the payment page scripts that are loaded and executed in the consumer’s browser: each script must be authorized, its integrity assured, and an inventory with written justification maintained.
  • Requirement 7 relates to an access control model based on least privilege and need to know. The scope of access control and privilege reviews is extended to application and system accounts.
  • Requirement 8 allows access to resources to be determined by dynamically analyzing the security posture of accounts, as an alternative to changing passwords or passphrases at least once every 90 days where passwords are the only authentication factor. It also requires multi-factor authentication (MFA) for all access into the CDE and covers the management of system or application accounts that can be used for interactive login.
  • Requirement 9 sets the frequency of periodic point-of-interaction (POI) device inspections based on the organization’s targeted risk analysis.
  • Requirement 10 adds the use of automated mechanisms to perform audit log reviews and requires organizations to detect, alert on and promptly address failures of critical security control systems.
  • Requirement 11 has multiple new sub-requirements: a plan of action for addressing vulnerabilities found during vulnerability assessment and penetration testing (VAPT) that are not ranked high-risk or critical; authenticated scanning for internal vulnerability assessments; a change-and-tamper detection mechanism that alerts on unauthorized modification of the HTTP headers and contents of payment pages as received by the consumer browser; and a requirement for multi-tenant service providers to support their hosted customers’ penetration testing, either by providing access to conduct the tests or by providing the evidence or reports.
  • Requirement 12 deals with targeted risk analysis: one for each requirement that offers flexibility in how frequently it is performed, and one for each requirement met using the customized approach. It also requires documenting and confirming PCI DSS scope, reviewing the hardware and software technologies in use, and reviewing the security awareness training program at least once every 12 months.
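As an added example (not code from this page, from PCI SSC or from SISA) of the payment page controls in Requirements 6.4.3 and 11.6.1 above: the script below keeps an inventory of authorized scripts and a baseline of monitored response headers, then compares a page as received by the consumer browser against both and reports unauthorized, missing or modified scripts and changed headers. It uses only the Python standard library; the page HTML, headers, URLs and the list of monitored headers are constructed sample data and assumptions, not taken from the standard.

```python
"""Payment-page script inventory and change/tamper detection.

Added illustration of PCI DSS v4.0 Requirements 6.4.3 and 11.6.1; not PCI SSC,
SISA or any vendor's code. Assumes the entity keeps an inventory of authorized
scripts and a baseline of the response headers the consumer browser should
receive. All HTML, headers and URLs below are constructed sample data.
"""
import hashlib
from html.parser import HTMLParser

# Response headers worth alerting on when they change (assumed set; tune per site).
MONITORED_HEADERS = ("content-security-policy", "strict-transport-security",
                     "x-frame-options")


class _ScriptCollector(HTMLParser):
    """Collect (src, inline_body) for every <script> element on the page."""

    def __init__(self):
        super().__init__()
        self.scripts = []
        self._src = None
        self._buf = None          # not None only while inside a <script>

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            self._src = dict(attrs).get("src")
            self._buf = []

    def handle_data(self, data):
        if self._buf is not None:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag.lower() == "script" and self._buf is not None:
            self.scripts.append((self._src, "".join(self._buf)))
            self._src, self._buf = None, None


def script_identifiers(html):
    """External scripts are identified by their src URL; inline scripts by
    'inline:' plus the SHA-256 of their body, so an edited inline script shows
    up as a new, unauthorized identifier (and the old one as missing)."""
    parser = _ScriptCollector()
    parser.feed(html)
    parser.close()
    ids = set()
    for src, body in parser.scripts:
        ids.add(src if src else
                "inline:" + hashlib.sha256(body.encode("utf-8")).hexdigest())
    return ids


def header_changes(baseline_headers, observed_headers):
    """Monitored headers that were added, removed or altered versus baseline."""
    base = {k.lower(): v for k, v in baseline_headers.items()}
    obs = {k.lower(): v for k, v in observed_headers.items()}
    return {h: (base.get(h), obs.get(h))
            for h in MONITORED_HEADERS if base.get(h) != obs.get(h)}


def check_payment_page(authorized_scripts, baseline_headers,
                       observed_html, observed_headers):
    """Compare what the browser received against the authorized script
    inventory and the header baseline; 'alert' is True if anything differs."""
    present = script_identifiers(observed_html)
    authorized = set(authorized_scripts)
    report = {
        "unauthorized_scripts": sorted(present - authorized),
        "missing_scripts": sorted(authorized - present),
        "header_changes": header_changes(baseline_headers, observed_headers),
    }
    report["alert"] = bool(report["unauthorized_scripts"]
                           or report["missing_scripts"]
                           or report["header_changes"])
    return report


# Constructed sample: the approved checkout page at baseline time.
BASELINE_HTML = """<html><head><meta charset="utf-8">
<script src="https://pay.example.com/js/checkout.js"></script>
<script>window.cfg = {"merchant": "M123"};</script>
</head><body><form id="pay"></form></body></html>"""
BASELINE_HEADERS = {
    "Content-Security-Policy": "script-src 'self' https://pay.example.com",
    "Strict-Transport-Security": "max-age=31536000",
}
# The inventory Requirement 6.4.3 asks for; here derived from the baseline page.
AUTHORIZED_SCRIPTS = script_identifiers(BASELINE_HTML)

# Constructed sample: the same page as later received by a consumer browser,
# with an extra external script, a modified inline script and a loosened CSP.
TAMPERED_HTML = BASELINE_HTML.replace(
    'window.cfg = {"merchant": "M123"};',
    'window.cfg = {"merchant": "M123"}; window.x = 1;',
).replace("</head>",
          '<script src="https://static.example.net/extra.js"></script></head>')
TAMPERED_HEADERS = {
    "Content-Security-Policy":
        "script-src 'self' https://pay.example.com https://static.example.net",
    "Strict-Transport-Security": "max-age=31536000",
}

if __name__ == "__main__":
    print(check_payment_page(AUTHORIZED_SCRIPTS, BASELINE_HEADERS,
                             BASELINE_HTML, BASELINE_HEADERS))
    print(check_payment_page(AUTHORIZED_SCRIPTS, BASELINE_HEADERS,
                             TAMPERED_HTML, TAMPERED_HEADERS))
```

In practice the observed page and headers would come from a synthetic-browser fetch of the live checkout page at a defined frequency, from outside the web tier so that a compromised origin cannot suppress the check. A whole-page hash is deliberately not used, because dynamic content would make it fire on every fetch; keying on the script set, inline script hashes and security headers catches the modifications that matter. Subresource Integrity attributes and a strict Content-Security-Policy complement this out-of-band check but do not replace it, since they are enforced by the same page that an attacker may have altered.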

What’s the way forward?

The changes and updates to the standard are an improvement over the existing set of requirements and appear in line with the evolving payments landscape. Some of the changes discussed above may involve a paradigm shift in how compliance is approached, in addition to cost and resource outlays, so organizations need to start planning for the transition now to avoid time and cost overruns. To give organizations time to understand the changes in v4.0 and implement any updates needed, the current version, PCI DSS v3.2.1, will remain active for two years until it is retired on 31 March 2024. Organizations can engage a PCI Qualified Security Assessor (QSA) such as SISA, who can provide expert security recommendations and implementation guidance and ensure a smooth transition.


To learn more about the changes to v4.0, their implications, and how to plan for the transition, register for our upcoming Fireside Chat.