PCI DSS 4.0 – What you need to know

2022 Brings Tighter PCI DSS Rules to Protect Data

Security matters. Mapping to the latest payment card industry (PCI) data security standards (DSS) requirements is paramount for the security of cardholder data on a global level. If you store, process or transmit payment card data, PCI compliance is required.

At Drummond Group, we enable our clients to take a security-first approach to PCI DSS compliance by helping them incorporate continuous security and compliance practices into their organization, culture and daily operations to make card transactions secure and protect them against identity theft.

In 2022, the newest version of PCI DSS – Version 4.0 – will be released, and many of our clients ask daily about what to expect. The critical components of securing credit card data – the 12 core PCI DSS requirements – will not undergo any major changes. However, updates that strengthen security control requirements and give organizations more flexibility in how they achieve compliance will reflect advancements in security technology, risk-mitigation techniques and evolving cyber threats.

New PCI DSS Requirements

PCI DSS Version 4.0 will have some new requirements, but not every one of them will be “future-dated.” Based on Drummond’s industry knowledge and the updates released by the PCI SSC, the following list is a sneak peek of the upcoming requirements in PCI DSS Version 4.0:

  • A minimum length of 12 characters will apply to passwords or passphrases, regardless of whether multi-factor authentication (MFA) has been implemented
  • MFA will be required for all access into the cardholder data environment (CDE), with added controls over the MFA systems themselves
  • New controls for phishing and malware mitigation
  • Phishing must be included in security awareness training
  • New controls for managing payment page scripts that are loaded and executed in a consumer’s browser
  • Added requirement for a mechanism to detect any unauthorized changes on payment pages
  • Controls will be added around the storage and retention of Sensitive Authentication Data (SAD) prior to authorization
  • All SAD will be required to be encrypted with strong cryptography, both for entities storing it before authorization and for issuers retaining SAD for issuing purposes
  • A new requirement will restrict copying during remote access to authorized persons only
  • For hashing the 16-digit primary account number (PAN), new requirements state that the hash must cover the entire PAN and use strong cryptographic procedures
  • Reviews and confirmations of user accounts and privileges will now be required every six months
  • Application and system accounts must be based on the minimum privilege needed and limited to the processes in use
  • Cloud applicability now added to Appendix A
  • A risk analysis must be completed for any requirement where an entity uses the customized approach. A targeted risk analysis will also be required to determine how often certain activities must occur
  • Two approaches for complying with PCI DSS v4.0:
    • Defined Approach – Follows the traditional method for implementing and validating PCI DSS and uses the requirements and testing procedures defined within the standard
    • Customized Approach – Focuses on the objective of each PCI DSS requirement and allows entities to determine the controls used to meet the stated objective:
      • No defined testing procedures for customized approach
      • Entity and/or assessor must design testing procedure that ensures customized approach meets the controls’ objectives
  • Compensating controls will still exist in PCI DSS v4.0. The difference between a compensating control and the customized approach is:
    • Compensating controls are used when an entity cannot meet a requirement as stated due to technical or business constraints
    • The customized approach is designed for companies that meet the requirement’s objective in an alternate and novel way
  • Self-Assessment Questionnaires (SAQs) will be updated to reflect PCI DSS v4.0 and give time for the industry to become familiar with PCI DSS v4.0 before replacing SAQs with merchant assessment forms. Self-assessing service providers will continue to use only SAQ-D.
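The PAN-hashing bullet above (hash the entire PAN, with strong cryptography) is the one item in this list that maps directly to code. The following is an added example, not part of the Drummond page and not PCI SSC material: it shows a keyed hash (HMAC-SHA256) computed over the complete PAN, refuses truncated or malformed input so a partial PAN can never be hashed by mistake, and compares stored hashes in constant time. The key handling is an assumption for illustration (an in-memory 256-bit key generated with `secrets`); in production the key would live in an HSM or KMS under the entity's key-management procedures. The test PAN is the well-known Visa test number, not a real card.

```python
# Added example (not from the original page): keyed hashing of a full PAN.
import hashlib
import hmac
import secrets


def luhn_valid(pan: str) -> bool:
    """Return True if the digit string passes the Luhn check."""
    if not pan.isdigit():
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def hash_pan(pan: str, key: bytes) -> str:
    """Keyed hash (HMAC-SHA256) over the entire PAN.

    Rejects anything that is not a complete, well-formed PAN so that a
    truncated or masked value (e.g. "411111******1111") is never hashed.
    """
    if not (13 <= len(pan) <= 19) or not luhn_valid(pan):
        raise ValueError("hash_pan requires the complete, valid PAN")
    if len(key) < 32:
        raise ValueError("HMAC key must be at least 256 bits")
    return hmac.new(key, pan.encode("ascii"), hashlib.sha256).hexdigest()


def verify_pan(pan: str, key: bytes, stored_hash: str) -> bool:
    """Constant-time comparison of a candidate PAN against a stored hash."""
    try:
        candidate = hash_pan(pan, key)
    except ValueError:
        return False
    return hmac.compare_digest(candidate, stored_hash)


def new_hash_key() -> bytes:
    """Generate a fresh 256-bit HMAC key (assumption: in production this
    would come from an HSM/KMS rather than process memory)."""
    return secrets.token_bytes(32)


# Constructed test value: the standard Visa test number, not a real card.
TEST_PAN = "4111111111111111"

if __name__ == "__main__":
    key = new_hash_key()
    digest = hash_pan(TEST_PAN, key)
    print("hash:", digest)
    print("verify same PAN, same key:", verify_pan(TEST_PAN, key, digest))
    print("verify same PAN, other key:", verify_pan(TEST_PAN, new_hash_key(), digest))
    print("verify truncated PAN:", verify_pan(TEST_PAN[:12], key, digest))
```

The point of the key is that an unkeyed digest of a 16-digit number is only as hard to reverse as the PAN space itself; with a secret key, the hash cannot be recomputed by anyone who obtains the hashed values without also obtaining the key, which is why the key must be managed separately from the hashed data.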
PCI DSS v4.0 Transition Timeline

Achieve and Maintain PCI DSS Compliance

Drummond offers expert standards testing and compliance services, including effective and robust PCI DSS preparation guidance such as:

Does your organization store, process or transmit credit card data? Drummond’s wide range of services will help you prepare for compliance of the PCI DSS standard and help improve your organization’s overall data security.
