
Looking at the PCI DSS v4.0 Changes

February 15, 2024

In this blog we look at the PCI DSS v4.0 changes: what updates have been added to the PCI Data Security Standard, what the goals are for the latest version, and which requirements in the latest version matter most, so that any organisation taking payments remains compliant and protects itself and its customers.

The Payment Card Industry Data Security Standard (PCI DSS) Version 4.0, which was unveiled by the PCI Security Standards Council in March 2022, represents the most significant update to the PCI DSS since its inception.

The evolution of the standard from Version 3.2.1 to 4.0 reflects changes in technology, business architecture, and the threat landscape, aiming to provide a more robust framework for protecting payment card data against increasingly sophisticated cyber threats.

Below you can read a detailed overview of the key changes and enhancements introduced in PCI DSS Version 4.0.


What are the main goals for the PCI DSS v4.0 Changes?

Continuity

The PCI Security Standards Council intends to continue to meet the security needs of the payment industry by maintaining the standard to protect cardholder data and reduce credit card fraud. It also aims to ensure that organisations are not just secure at a point in time, but maintain security continuously as an ongoing priority.

Promote Security

The latest version aims to promote security as a continuous process by introducing more flexible and adaptive compliance methods, encouraging the integration of new technologies and enhancing validation measures. It underscores the importance of ongoing risk analysis, continuous monitoring, and regular updates to security controls, including continuous employee training and awareness programmes.

Provide Flexibility

PCI DSS version 4.0 is designed to support a range of different technologies, risk methodologies, and business scenarios. It acknowledges that technology and security risks evolve at a rapid pace and that organisations need to adapt their compliance strategies accordingly. This allows innovative solutions to meet security controls in a way that fits their specific operational needs while still maintaining the integrity and intent of the security objectives of PCI DSS.

Enhance Validation

PCI DSS v4.0 changes have led to enhanced validation by introducing a more flexible, customised approach to compliance, addressing evolving threats through strengthened authentication, encryption, and controls monitoring. It emphasises transparency and accountability with detailed compliance documentation, adapting to the dynamic cybersecurity landscape for better protection of cardholder data.

An Overview of PCI DSS 4.0 Changes

In this section we look at the main PCI DSS v4.0 changes at a top level. We encourage companies who take payments to read the full security standards that are required to be compliant which can be found here. Equally, they can talk to PayGuard to find out more about how technology can reduce the compliance headache and simplify the process by helping remove them from the scope of the PCI DSS.

Emphasis on Risk-Based Approach

PCI DSS 4.0 pushes for a more adaptable and risk-based approach to compliance. This version acknowledges that one size does not fit all when it comes to security and provides entities with the flexibility to achieve security objectives via different methods. This is particularly crucial as businesses increasingly adopt emerging technologies such as cloud services, which are referenced extensively in the new standards.


Extended Documentation and Roles

There is a greater emphasis on the documentation of roles and responsibilities across various requirements. This change ensures that all personnel involved in maintaining PCI DSS compliance are aware of their specific duties, which is essential for the effective implementation and maintenance of security controls.

Strengthened Authentication

Requirement 8 sees significant changes, particularly in strengthening authentication measures. Multi-factor authentication (MFA) is now required for all access to the cardholder data environment, not just for remote access. This change acknowledges the importance of robust authentication mechanisms in protecting against unauthorised access.

Automation of Log Monitoring

Requirement 10 introduces a mandate for automated log monitoring. The manual review of logs is no longer considered adequate due to its time-consuming nature and potential for human error. Automated tools are now required to facilitate real-time monitoring and response to security incidents.


Change and Tamper Detection

A new requirement for change and tamper detection mechanisms has been introduced for payment pages, ensuring that any alterations to payment software or data capture pages are detected and addressed promptly.
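As an added illustration (not code from the original post or from PayGuard), here is a minimal form of the script-inventory check that this requirement (11.6.1 in v4.0) calls for: a baseline of approved external script URLs and inline-script hashes for a hypothetical payment page, compared against the page as served, with any unapproved or altered script reported as a finding. All URLs, script bodies and sample pages are constructed for the example.

```python
import hashlib
from html.parser import HTMLParser

# Constructed baseline for a hypothetical payment page (assumed values):
# the approved external script URLs and SHA-256 of each approved inline script.
APPROVED_SRC = {"https://checkout.example/v2/sdk.js"}
APPROVED_INLINE = {hashlib.sha256(b"initCheckout({merchant: 'M-123'});").hexdigest()}

class ScriptCollector(HTMLParser):
    """Collects <script src=...> URLs and the bodies of inline scripts."""
    def __init__(self):
        super().__init__()
        self.srcs, self.inline, self._buf = [], [], None
    def handle_starttag(self, tag, attrs):
        if tag == "script":
            src = dict(attrs).get("src")
            if src:
                self.srcs.append(src)
            else:
                self._buf = []          # start capturing an inline body
    def handle_data(self, data):
        if self._buf is not None:
            self._buf.append(data)
    def handle_endtag(self, tag):
        if tag == "script" and self._buf is not None:
            self.inline.append("".join(self._buf).strip())
            self._buf = None

def check_payment_page(html: str) -> list:
    """Return findings for scripts not in the baseline; [] means no change detected."""
    p = ScriptCollector()
    p.feed(html)
    findings = [f"unapproved external script: {s}" for s in p.srcs if s not in APPROVED_SRC]
    for body in p.inline:
        digest = hashlib.sha256(body.encode()).hexdigest()
        if digest not in APPROVED_INLINE:
            findings.append(f"inline script altered or unknown: sha256={digest[:16]}")
    return findings

# Constructed sample pages: one matching the baseline, one with an added
# third-party script and a modified inline script.
GOOD_PAGE = ('<script src="https://checkout.example/v2/sdk.js"></script>'
             "<script>initCheckout({merchant: 'M-123'});</script>")
TAMPERED_PAGE = (GOOD_PAGE.replace("'M-123'", "'M-123', debug: true")
                 + '<script src="https://cdn.example.net/stats.js"></script>')

if __name__ == "__main__":
    print("baseline page:", check_payment_page(GOOD_PAGE) or "no changes")
    for f in check_payment_page(TAMPERED_PAGE):
        print("ALERT:", f)
```

In practice the baseline is refreshed through the change-control process and the check runs on a schedule against the page as the customer's browser receives it, so that an alert is raised whenever the served scripts drift from what was authorised.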

Annual Scoping Exercises

The new standards require organisations to conduct documented annual scoping exercises. This requirement ensures that the scope of compliance is accurately determined and that all necessary system components are adequately protected.

Stringent Security Measures

Version 4.0 builds upon the security foundations of the previous version with more stringent standards. These include enhanced protection for cardholder data during transmission across networks, even those considered trusted.

Alignment with NIST Standards

There is a deeper alignment with the National Institute of Standards and Technology (NIST) Multi-Factor Authentication (MFA) and password guidance. This move ensures the application of contemporary, strong authentication standards to payment and control process access logins.

Encryption Standards

PCI DSS 4.0 has broadened the applicability of encryption on trusted networks. As cyber threats that include malicious code become increasingly prevalent, there is a need to ensure that cardholder data is fully protected during transmission.

Technology Advancements

The new standards accommodate rapid technological advancements, allowing for more pluggable options for information systems. This flexibility enables faster deployment of compliant processes without being restricted to specific control areas.

Critical Control Testing Frequency

A significant increase in the amount of testing required has been introduced, potentially including Designated Entities Supplemental Validation (DESV) requirements for all entities, not just those that have experienced a data compromise.

Transition Period

Entities have until March 31, 2025, to comply fully with PCI DSS version 4.0. Some requirements are effective immediately, while others are considered best practices until the previous version is retired. This transition period provides organisations with the necessary time to understand, implement, and adapt to the new standards.


An Example of a Compliance Breach Before and After


When dealing with PCI DSS compliance, the handling of sensitive cardholder data is governed by strict rules to ensure the protection of this information. In a call centre environment, reading card data over the phone can easily lead to a violation of PCI DSS requirements, particularly if certain precautions are not taken. Here is an example scenario that illustrates how PCI DSS compliance can be invalidated:

Scenario

A customer calls into a call centre to make a payment for a service. The call centre agent asks the customer to provide their credit card details over the phone to process the payment.

Actions Leading to Non-Compliance

Unencrypted Transmission of Data: The customer reads their full credit card number, expiry date, and CVV code aloud to the agent. This transmission occurs over a standard telephone line without encryption, which means the data could potentially be intercepted by unauthorised parties.

Storage of Sensitive Authentication Data: After receiving the card details, the call centre agent writes down the information on a notepad to process the payment later, as their system was momentarily down.

Lack of Access Control: The notepad with the customer’s card details is left on the desk, accessible to anyone passing by, rather than being secured in a locked drawer or shredded after use.

Essentially, if card details are read out over the phone, a company’s infrastructure and environment are going to be out of compliance.

PCI DSS Compliance Violations

Requirement 4 – Encrypt transmission of cardholder data across open, public networks: By reading the card details over an unsecured phone line, the call centre fails to ensure the encryption of cardholder data during transmission.

Requirement 3.2 – Do not store sensitive authentication data after authorisation (even if encrypted): Writing down and storing the CVV code (sensitive authentication data) is a direct violation of PCI DSS requirements.

Requirement 9 – Restrict physical access to cardholder data: Leaving sensitive information accessible on a desk violates the requirement to protect cardholder data from physical access by unauthorised individuals.

Consequences

Data Breach Risk: This scenario significantly increases the risk of a data breach, as sensitive cardholder information is left unprotected both during transmission and in physical form.

Fines and Penalties: The organisation could face substantial fines from payment card brands or acquiring banks for failing to comply with PCI DSS requirements.

Reputational Damage: A breach or non-compliance finding can lead to loss of customer trust and potentially long-term damage to the company’s reputation.


Conclusion to PCI DSS v4.0 Changes

The comprehensive updates in PCI DSS 4.0 demonstrate the council’s commitment to evolving the standard in step with changes in the payment security ecosystem. It provides a framework that not only increases the security of payment systems but also introduces greater flexibility, allowing organisations to tailor their compliance strategies to their specific operational needs and the modern digital landscape.

Organisations are encouraged to review the detailed documentation provided by the PCI Security Standards Council and to work closely with security professionals to ensure a smooth transition to the new standard and maintain the integrity of their payment security posture.

Given the breadth of changes and the implications for various aspects of payment security, organisations affected by PCI DSS should initiate a comprehensive review of their current security measures, assess the gaps in the context of the new version, and develop a strategic plan to address them. This plan should include budget adjustments, technology upgrades, training for relevant personnel, and a timeline for implementation that aligns with the transition period set by the PCI Security Standards Council.

Adopting PCI DSS 4.0 is not merely a compliance exercise; it is an opportunity for organisations to enhance their overall security frameworks, protecting cardholder data and strengthening trust with customers and stakeholders in a world where the consequences of a data breach are critical for businesses.

Do You Want to Find Out More?

If you need help understanding whether your current payment technology is compliant, or want to speak to PayGuard to see how its award-winning technology can help remove the complications and cost of compliance, then contact us here or on the form below.