After a few delays, the Payment Card Industry Security Standards Council (PCI SSC) finally released PCI DSS 4.0 on March 31, 2022. Unlike previous updates, this one includes significant changes, more clarity and flexibility in some areas, and increased legal risks.
For example, there’s greater focus on targeted risk analysis, organizational maturity, and governance. PCI DSS compliance will now be considered a continuous effort, rather than an annual snapshot exercise. A customized approach to PCI assessments is available, which enables businesses to implement alternative technical and administrative controls.
The Two-Year Plus Window
Implementing PCI DSS 4.0 will require more than just modifying security controls. The good news is that the previous version, PCI DSS v3.2.1, will remain active through March 31, 2024. At that time, it will be retired, and PCI DSS v4.0 will be the official standard.
Organizations will then have an additional year before any future-dated requirements come into effect as part of a v4.0 assessment. Each future-dated requirement will be noted in PCI DSS v4.0 as a “best practice” until March 31, 2025. Organizations aren’t required to validate against these specific requirements until that date has been reached.
Once training becomes available to assessors in June 2022, assessors can start conducting assessments using either v4.0 or v3.2.1. Only PCI DSS v4.0 can be used after March 31, 2024.
The PCI SSC's implementation schedule provides a transition period to enable organizations to familiarize themselves with the requirements of PCI DSS v4.0, update their reporting templates and forms, and plan for and execute what it will take to meet the updated requirements. In addition, both the standard and the summary of changes will be translated into several languages and published between now and June 2022 to support worldwide adoption.
1. Increased Periodic Diligence Requirements
PCI DSS 4.0 increases the requirements for periodic diligence by adding several new controls. These include:
At least every 12 months and upon a significant change, merchants and service providers must document and confirm their PCI DSS scope (PCI DSS 12.5.2). Service providers have additional scope-documentation requirements (PCI DSS 12.5.2.1).
Targeted risk analysis is required, at least every 12 months, for any control implemented with the customized approach, with documented approval by senior management. (PCI DSS 12.3.2)
At least one targeted risk analysis per year is required for any requirement that lets the entity define how frequently a control is performed. (PCI DSS 12.3.1 – considered a best practice until March 31, 2025)
At least one annual review of cipher suites and protocols is required. (PCI DSS 12.3.3 – considered a best practice until March 31, 2025)
At least one annual review is required of hardware and software technologies in use with a plan to remediate outdated technologies approved by senior management. (PCI DSS 12.3.4 – considered a best practice until March 31, 2025)
Organizations may want to build these new processes and exercise them before they must rely on them for compliance, whether through a Report on Compliance (ROC) with Qualified Security Assessor (QSA) oversight or through a Self-Assessment Questionnaire (SAQ). Doing so saves time and reduces the risk of a noncompliance finding.
2. Customized Approach Option
Previously, when merchants and service providers couldn’t meet the prescriptive controls of PCI DSS 3.2.1, they had to propose a compensating control. They then had to justify it with a risk assessment and a compensating control worksheet (CCW). This option still exists in PCI DSS 4.0, but now a customized approach is available.
The customized approach retains the risk evaluation requirement. Instead of compensating for the lack of a control, however, the customized approach allows the merchant or service provider to document a different control based on the objective of the control being customized.
The customized control will then be assessed by the assessor in place of the control being substituted, allowing for long-term customization rather than a shorter-term “compensating” control. Note: Not all controls are eligible for the customized approach.
3. Expanded Risk Analysis Guidance
PCI DSS 4.0 includes a sample targeted risk analysis template (PCI DSS Appendix E2) that provides expanded guidance for conducting risk analysis. Use of the template is not required, but it shows how the PCI SSC expects a targeted risk analysis to be structured and documented.
4. “Significant Change” Clarification
There are now descriptions and examples of what constitutes a significant change in PCI DSS v4.0, Section 7, Description of Timeframes Used in PCI DSS Requirements. This matters because many requirements are triggered "upon significant change," and interim changes, adaptations, and updates are frequent, especially in the US mobile payments industry.
5. Stronger Authentication Requirements
PCI DSS 4.0 also tightens authentication and access-control requirements. Among other changes, it requires that:
Access privileges be reviewed at least once every six months
Vendor or third-party accounts be enabled only as needed and monitored while in use
Multi-factor authentication (MFA) be used for all access to cardholder data, not just for administrators accessing the cardholder data environment
Passwords for accounts used by applications and systems be changed at least every 12 months and upon suspicion of compromise
Strong passwords be employed for accounts used by applications and systems: at least 15 characters, including both numeric and alphabetic characters, and every prospective password compared against a list of known bad passwords before it is accepted
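As an added illustration (not code from the original post or from US Signal), the following Python function checks a candidate application or system account password against the rules in the list above: minimum length of 15, at least one alphabetic and one numeric character, and no match on a known-bad password list. The known-bad list here is a constructed three-entry sample, and storing it as SHA-1 digests rather than plaintexts is a design choice of this example, not something the page prescribes; it lets the list be distributed to systems that perform the check without handing them the plaintext passwords.

```python
import hashlib
import re

# Minimum length taken from the requirement list above.
MIN_LENGTH = 15

# Constructed sample of a "known bad" password list (example data, not a real
# breach corpus). It is kept as uppercase SHA-1 hex digests so that the list
# itself never contains plaintext passwords; this is an assumption of the
# example, the page only says candidates must be compared against the list.
_SAMPLE_BAD_PLAINTEXTS = [
    "Password12345678",
    "Welcome2022!!!!!!",
    "svc_account_2022",
]


def sha1_upper(password: str) -> str:
    """Digest used to look a candidate up in the known-bad list."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


KNOWN_BAD_SHA1 = {sha1_upper(p) for p in _SAMPLE_BAD_PLAINTEXTS}


def load_bad_list(lines) -> set[str]:
    """Build a digest set from an iterable of list entries.

    Each entry may already be a 40-hex-character SHA-1 digest (as exported by
    common breached-password corpora) or a plaintext password; plaintexts are
    hashed on load. Blank lines and comments are ignored.
    """
    digests = set()
    for raw in lines:
        entry = raw.strip()
        if not entry or entry.startswith("#"):
            continue
        if re.fullmatch(r"[0-9A-Fa-f]{40}", entry):
            digests.add(entry.upper())
        else:
            digests.add(sha1_upper(entry))
    return digests


def check_system_account_password(password: str, bad_hashes=KNOWN_BAD_SHA1) -> list[str]:
    """Return the list of policy violations; an empty list means the password passes.

    Every rule is evaluated (not just the first failure) so the caller can report
    all reasons a candidate was rejected.
    """
    findings = []
    if len(password) < MIN_LENGTH:
        findings.append(f"length {len(password)} is below the {MIN_LENGTH}-character minimum")
    if not re.search(r"[A-Za-z]", password):
        findings.append("no alphabetic character")
    if not re.search(r"[0-9]", password):
        findings.append("no numeric character")
    if sha1_upper(password) in bad_hashes:
        findings.append("matches an entry on the known-bad password list")
    return findings


if __name__ == "__main__":
    for candidate in ["Password12345678", "short1", "Tr0ub4dor&3-correct-horse"]:
        result = check_system_account_password(candidate)
        print(candidate, "->", "OK" if not result else "; ".join(result))
```

The check reports every failed rule rather than stopping at the first one, which is what an operator needs when the result is written to a change ticket or audit log. In production the digest set would be loaded from the organization's actual known-bad list with load_bad_list rather than from the constructed sample.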
6. Expanded Applicability of Data Encryption
PCI DSS v4.0 extends encryption expectations to cardholder data on trusted networks. Data discovery to locate every source and storage location of cleartext primary account numbers (PAN) must be performed at least once every 12 months and upon significant changes to the cardholder data environment or its processes.
Increased Legal Risks
One of the big changes – and repercussions – of PCI DSS 4.0 is its increased focus on risk assessments. Under PCI DSS v4.0, organizations may have to disclose more information about their security programs to qualified security assessors (QSAs) than under previous versions of the standard. PCI security assessments aren’t conducted under privilege, so organizations should be prepared for more scrutiny of their assessment documents if a security incident occurs.
It will be critical that all statements made in risk analyses be accurate, verifiable, and consistent with other disclosures. Customized controls should defensibly meet the defined customized approach objectives. Documentation must reflect actual, provable, and current security practices.
Get Ready with US Signal
The complexity of the new requirements in PCI DSS 4.0 and the time required to implement the changes means transitioning to the new standard may not be easy for many organizations. Start planning your transition now instead of waiting until the current PCI DSS version is retired.
A good first step would be conducting an unofficial assessment against the PCI DSS 4.0 standard to identify compliance gaps, needs, and opportunities. Engaging legal counsel and other consultants in this assessment and other aspects of the transition is also recommended to ensure more comprehensive consideration of risks and exposure and ensure a successful transition.
US Signal is ready to help as well. While your organization is ultimately responsible for meeting its PCI DSS requirements, US Signal can help ease the burden.
US Signal maintains a well-governed, high-quality IT infrastructure that meets the demands of a wide range of governing agencies, including PCI DSS. We are independently audited for PCI DSS compliance ourselves, and understand what it takes. We also have an on-staff compliance officer and executive security team, and will provide audit documentation and other assistance as appropriate.