PCI DSS 4.0
What you need to know
2022 Brings Tighter PCI DSS Rules to Protect Data
Security matters. Mapping to the latest payment card industry (PCI) data security standards (DSS) requirements is paramount for the security of cardholder data on a global level. If you store, process or transmit payment card data, PCI compliance is required.
At Drummond Group, we enable our clients to take a security-first approach to PCI DSS compliance by helping them incorporate continuous security and compliance practices into their organization, culture and daily operations to make card transactions secure and protect them against identity theft.
In 2022, the newest version of PCI DSS – Version 4.0 – will be released, and many of our clients ask daily about what to expect. The critical components of securing credit card data – the 12 core PCI DSS requirements – will not undergo any major changes. However, the updates will strengthen security control requirements and add flexibility in how organizations achieve compliance, reflecting advances in security technology, risk mitigation techniques and evolving cyber threats.
New PCI DSS Requirements
PCI DSS Version 4.0 will have some new requirements, but not every one of them will be “future-dated.” Based on Drummond’s industry knowledge and updates released by the PCI SSC, the following list is a sneak peek of upcoming requirements in PCI DSS Version 4.0:
- A minimum length of 12 characters will apply to passwords or passphrases, whether or not multi-factor authentication (MFA) has been implemented
- MFA will be required for all access into the cardholder data environment (CDE), with additional controls on how MFA systems are configured and managed
- New controls for Phishing and malware mitigation
- Phishing must be included in security awareness training
- New controls for managing payment page scripts that are loaded and executed in a consumer’s browser
- Added requirement for a mechanism to detect any unauthorized changes on payment pages
- Controls will be added on the storage and retention of Sensitive Authentication Data (SAD) prior to authorization
- All SAD will be required to be encrypted with strong cryptography for those storing before authorization and for issuers retaining SAD for issuing purposes
- A new requirement will prohibit copying or relocating data during remote access sessions except by explicitly authorized persons
- For hashing the 16-digit primary account number (PAN), new requirements state that the hash must cover the entire PAN and use strong cryptographic procedures
- Reviews and confirmations of user accounts and privileges will now be required to be done every six months
- Application and system accounts must be granted only the minimum privileges needed and be limited to the processes that use them
- Cloud applicability now added to Appendix A
- A risk analysis must be completed for any requirement where an entity uses the customized approach. A targeted risk analysis will also be required to determine how frequently certain activities must be performed
- Two approaches for complying with PCI DSS v4.0:
  - Defined Approach – Follows the traditional method for implementing and validating PCI DSS and uses the requirements and testing procedures defined within the standard
  - Customized Approach – Focuses on the objective of each PCI DSS requirement and allows entities to determine the controls used to meet the stated objective:
    - No defined testing procedures exist for the customized approach
    - The entity and/or assessor must design a testing procedure that ensures the customized approach meets the control’s objective
- Compensating controls will still exist in PCI DSS v4.0. The difference between a compensating control and the customized approach is:
  - Compensating controls are used when a requirement cannot be met as written due to a technical or business constraint
  - The customized approach is designed for companies that meet the requirement’s objective in an alternate and novel way
- Self-Assessment Questionnaires (SAQs) will be updated to reflect PCI DSS v4.0 and give time for the industry to become familiar with PCI DSS v4.0 before replacing SAQs with merchant assessment forms. Self-assessing service providers will continue to use only SAQ-D.
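To make the PAN-hashing item in the list above concrete, here is an added example (not code from Drummond or the PCI SSC) of a keyed hash over the entire PAN, contrasted with a plain unkeyed hash. The key value and PANs are constructed samples; in practice the key is generated and held in a KMS or HSM, never embedded in code.

```python
import hashlib
import hmac

# Constructed sample key (32 bytes). A real key is generated in, and served
# from, a key management system; it is shown inline only so the example runs.
HASH_KEY = bytes.fromhex(
    "00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff"
)


def normalize_pan(pan: str) -> str:
    """Strip spaces/dashes and check the length range used for PANs (13-19 digits)."""
    digits = "".join(ch for ch in pan if ch.isdigit())
    if not 13 <= len(digits) <= 19:
        raise ValueError("PAN must be 13 to 19 digits")
    return digits


def keyed_pan_hash(pan: str, key: bytes = HASH_KEY) -> str:
    """HMAC-SHA256 over the whole normalized PAN.

    The secret key is what prevents an attacker who obtains the stored hashes
    from simply hashing every candidate PAN and matching them back.
    """
    return hmac.new(key, normalize_pan(pan).encode(), hashlib.sha256).hexdigest()


def unkeyed_pan_hash(pan: str) -> str:
    """Plain SHA-256 of the PAN, shown only for contrast.

    Anyone can compute this for any PAN, so a stolen table of such hashes can
    be reversed by brute force over the PAN space; this is the weakness the
    keyed-hash requirement addresses.
    """
    return hashlib.sha256(normalize_pan(pan).encode()).hexdigest()


def pan_matches(pan: str, stored_hash: str, key: bytes = HASH_KEY) -> bool:
    """Look up a PAN against a stored keyed hash using a constant-time compare."""
    return hmac.compare_digest(keyed_pan_hash(pan, key), stored_hash)
```

The same PAN written with spaces or dashes yields the same keyed hash, while a different key (for example another entity's) yields an unrelated value, so hashes cannot be correlated across organizations.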
Achieve and Maintain PCI DSS Compliance
Drummond offers expert standards testing and compliance services, including effective and robust PCI DSS preparation guidance such as:
- PCI DSS Assessment
- Gap analysis
- Penetration testing
- Vulnerability assessment
- Comprehensive Risk Assessment
- PCI Continuous Compliance
Does your organization store, process or transmit credit card data? Drummond’s wide range of services will help you prepare for compliance with the PCI DSS standard and improve your organization’s overall data security.
Contact our compliance experts and schedule a meeting that’s convenient for your business timetable.
For more information
- PCI Security Standards Council – Maintaining Payment Security
- PCI Security Standards Council – PCI Perspectives | PCI DSS v4.0
- PCI Security Standards Council – PCI DSS: Looking Ahead to Version 4.0
- PCI Security Standards Council – PCI DSS v4.0: Anticipated Timelines and Latest Updates
- PCI Security Standards Council – Request for Comments