8 Things You Need to Know About PCI 4.0

PCI DSS Transition

The PCI Security Standards Council updated the Payment Card Industry Data Security Standard (PCI DSS) on March 31, 2022, to facilitate higher levels of security for cardholder data.

As of March 31, 2024, the transition from PCI DSS 3.2.1 to PCI DSS 4.0 went into full effect. It is vital that your organization uses this transition period to prepare for the full rollout of PCI DSS 4.0, because some of the upcoming changes could have a significant impact on your organization’s operations.

Here are the latest updates in PCI 4.0 that we believe are most likely to impact the way you do business.

  • Robust Authentication: To fortify authentication measures, PCI DSS 4.0 mandates that all users have passwords of at least 12 characters. This update aims to promote stronger password practices and mitigate the risk of brute-force attacks. Additionally, multifactor authentication (MFA) is now required for all access into the cardholder data environment.
  • Strengthened Network Controls and Ruleset Reviews: PCI DSS 4.0 emphasizes the significance of network configurations and controls during ruleset reviews. Your organization must conduct these reviews every six months to verify the effectiveness and integrity of your network controls. By proactively reviewing and fine-tuning rulesets, you can better detect and respond to potential security vulnerabilities and intrusions, safeguarding cardholder data.
  • Increased Clarity for Formal Roles and Responsibilities: Explicit definition, documentation, and assignment of roles and responsibilities are essential. This includes personnel approval to strengthen accountability and effective management of security controls.
  • Continuous Control Monitoring and Scoping: PCI DSS 4.0 stresses the importance of periodically evaluating the operational effectiveness of security controls. This helps identify any potential weaknesses or gaps in security measures. Your organization must establish processes to verify that controls are functioning as intended and being monitored appropriately. Furthermore, scoping documents must be created and maintained annually, or if a significant change to the environment has occurred.
  • Enhanced AV Scanning Frequency: Your organization will be required to conduct periodic vulnerability scans based on risk analysis. Risk-based scanning enables your organization to prioritize your resources and focus on areas that pose a higher risk to cardholder data. Additionally, the standard now includes the monitoring of removable media. This ensures that potential avenues for data exfiltration are closely monitored and controlled.
  • Cryptography and Encryption: PCI DSS 4.0 introduces changes to cryptography and encryption. Formerly, merchants were permitted to use disk-level encryption to protect any kind of nonremovable media. PCI DSS 4.0 now prohibits this practice and suggests encrypting at the file level. This change is intended to protect entities against zero-day attacks. Additionally, organizations may now only use a keyed cryptographic hash method, and they must encrypt or otherwise protect all stored sensitive authentication data.
  • Comprehensive Access Reviews: PCI DSS 4.0 places increased scrutiny on service and system accounts. You are required to review and justify the privileges associated with these accounts based on the level of access required. Furthermore, the standard explicitly prohibits the practice of hardcoding passwords, which reduces the risk of unauthorized access and strengthens the overall security posture.
  • Updated Logging Requirements: The council has deemed manual log review too time-consuming and error-prone, so your organization is no longer permitted to review logs manually and must instead implement automated review tools. This change aims to promote your organization’s integration of AI in analytics and security. Additionally, all organizations, not just service providers, are now required to detect, alert on, and address failures of critical security control systems.
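The last bullet asks for automated review that detects and alerts on failures of critical security controls. The following Python script is an added example (not code from the original post or from ProCern) of what such a review can look like: it scans a constructed, hypothetical feed of control-status log lines, pairs each stop or failure of a critical control with its restart, and grades the finding by how long the control was down. The log format, host names, daemon names, the daemon-to-control mapping and the five-minute grace window are all assumptions chosen for illustration.

```python
"""Automated review of security-control status logs.

Added example, not from the original post or from ProCern: it scans a
constructed, hypothetical log feed for signs that a critical security
control (anti-malware, audit logging, firewall, file integrity monitoring)
has stopped or failed, and grades each finding. Log format, host names
and daemon names are assumptions made for illustration only.
"""
import re
from datetime import datetime, timedelta

# Daemon name -> the control it implements (assumed mapping for this example).
CRITICAL_CONTROLS = {
    "auditd": "audit logging",
    "firewalld": "network security control",
    "clamav-daemon": "anti-malware",
    "fim-agent": "file integrity monitoring",
}
DOWN_STATES = {"stopped", "failed"}
GRACE = timedelta(minutes=5)  # tolerated restart window (assumed policy value)

# Constructed sample feed: "<ISO timestamp> <host> <daemon>: state=<state> [reason=<why>]"
SAMPLE_LOG = """\
2024-06-01T10:00:00 pos-01 firewalld: state=running
2024-06-01T10:00:05 pos-01 auditd: state=running
2024-06-01T10:01:00 pos-01 clamav-daemon: state=stopped reason=oom-kill
2024-06-01T10:03:00 pos-01 clamav-daemon: state=running
2024-06-01T10:10:00 pos-02 firewalld: state=running
2024-06-01T10:12:30 pos-02 auditd: state=stopped reason=disabled-by-admin
2024-06-01T10:20:00 pos-02 fim-agent: state=failed reason=crash
2024-06-01T10:45:00 pos-02 firewalld: state=running
2024-06-01T10:46:00 pos-01 sshd: state=stopped reason=maintenance
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) (?P<daemon>[\w.-]+): state=(?P<state>\w+)"
    r"(?: reason=(?P<reason>\S+))?\s*$"
)


def parse_events(log_text):
    """Parse the feed into dicts sorted by time; lines that do not match are dropped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ev = m.groupdict()
            ev["ts"] = datetime.fromisoformat(ev["ts"])
            events.append(ev)
    return sorted(events, key=lambda ev: ev["ts"])


def review_controls(log_text, grace=GRACE):
    """Return one finding per outage of a critical control.

    A control that comes back within `grace` is still recorded (low severity)
    so that repeated flapping stays visible; an outage longer than `grace` is
    medium; a control that never comes back is high and unresolved.
    """
    findings = []
    pending = {}  # (host, daemon) -> the event that took the control down
    for ev in parse_events(log_text):
        if ev["daemon"] not in CRITICAL_CONTROLS:
            continue  # not a control this review is responsible for
        key = (ev["host"], ev["daemon"])
        if ev["state"] in DOWN_STATES:
            pending.setdefault(key, ev)  # keep the first down event of an outage
        elif ev["state"] == "running" and key in pending:
            down = pending.pop(key)
            outage = ev["ts"] - down["ts"]
            severity = "low" if outage <= grace else "medium"
            findings.append(_finding(down, restored=True, severity=severity, outage=outage))
    for down in pending.values():  # still down at the end of the window
        findings.append(_finding(down, restored=False, severity="high", outage=None))
    return sorted(findings, key=lambda f: f["since"])


def _finding(down, restored, severity, outage):
    return {
        "host": down["host"],
        "control": CRITICAL_CONTROLS[down["daemon"]],
        "daemon": down["daemon"],
        "since": down["ts"],
        "reason": down["reason"] or "unknown",
        "restored": restored,
        "outage_minutes": None if outage is None else outage.total_seconds() / 60,
        "severity": severity,
    }


def unresolved(findings):
    """Controls still down and needing a response, as (host, control) pairs."""
    return [(f["host"], f["control"]) for f in findings if not f["restored"]]


if __name__ == "__main__":
    for f in review_controls(SAMPLE_LOG):
        print(f"{f['since']:%H:%M} {f['host']:6} {f['control']:26} "
              f"{f['severity']:6} reason={f['reason']} restored={f['restored']}")
```

Run as-is, the script reports a short anti-malware outage on pos-01 as low severity, and two unresolved high-severity failures on pos-02: audit logging stopped with reason `disabled-by-admin` (an administrative action a reviewer would want justified) and the file integrity agent crashed. The recorded reason and the list returned by `unresolved()` are the pieces an alerting pipeline would forward so the failure can be addressed, which is the third part of the requirement.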

PCI DSS 4.0 introduces crucial updates that address emerging threats and reinforce security practices in handling cardholder data. By implementing stronger password requirements, strengthening network controls and ruleset reviews, periodically evaluating security controls and vulnerabilities, managing inventory, and reviewing access on service and system accounts, your organization can better protect sensitive payment card information.

The rollout of PCI DSS 4.0 is a huge opportunity to protect your customers’ sensitive payment card information. However, with great opportunity comes great responsibility, and meeting the new PCI DSS 4.0 requirements might seem like a daunting task for your organization.

We highly suggest familiarizing yourself with the new requirements and seeing how your current PCI practices align with them. But you don’t have to do it all alone. ProCern Technology Solutions has a team of experienced PCI professionals who are experts in compliance with the PCI standards. Reach out to us today to find out more.