What's New in PCI DSS 4.0?

October 19, 2022

In March 2022, the PCI Security Standards Council (PCI SSC) published PCI Data Security Standard (PCI DSS) v4.0. If your organization stores, transmits, or processes credit or debit cardholder information, then this new standard (and this blog) applies to you, because every part of your cardholder data environment (CDE) will be “in-scope,” and subject to its guidelines.

What is PCI DSS?

Since 2004, PCI DSS has been a global business standard that specifies technical and operational baseline requirements to protect payment data, cardholder information, and financial accounts.

Looking for more on PCI DSS and what it means for you? Check out our Comprehensive Guide.

PCI DSS 4.0 is the “most transformative update” since the standard’s initial release, for many reasons, including mass migration to the cloud, the threat of insider attacks, and the overall pandemic-induced increase in online commerce – and the hacker techniques designed to exploit it.

Collaborative Input for PCI DSS 4.0

According to PCI SSC Executive Director Lance Johnson, businesses have had an extraordinary impact on the development of this update, following three years of feedback from the global payments industry, including 200+ organizations and 6,000+ suggestions.

PCI SSC SVP Emma Sutcliffe adds that version 4.0 will be more responsive to the “dynamic” nature of payments and digital threats, by offering businesses the opportunity to achieve compliance via “customization” that is able to accommodate diverse technologies and implementations.

This new, more flexible strategy considers the “intent” of a PCI DSS objective and lets organizations design their own security controls to meet it, as well as decide how frequently they must perform certain information security activities. Most organizations are unique in some way, including their level of risk exposure, and this new path to compliance reflects that reality.

What are the New PCI DSS 4.0 Requirements?

At 356 pages, the new version of the standard is over twice as long as its predecessor. Here, we’ll just mention the highlights.

PCI DSS version 4.0 has the following six goals:

  1. Build and Maintain a Secure Network and Systems
  2. Protect Account Data
  3. Maintain a Vulnerability Management Program
  4. Implement Strong Access Control Measures
  5. Regularly Monitor and Test Networks
  6. Maintain an Information Security Policy

Twelve requirements underpin these six goals. For details on each goal and every requirement, head over to our Comprehensive PCI DSS Guide.

PCI DSS 4.0 Changes and Improvements

In order to properly protect payment data and sensitive cardholder information – especially in the era of cloud computing – organizations must have effective solutions for identity and access management (IAM), multi-factor authentication (MFA), encryption, and more.

Therefore, PCI DSS 4.0 has taken inspiration from the principles of “zero-trust” computing (which is similar to the VGS “Zero Data” philosophy), and has incorporated guidance from the National Institute of Standards and Technology (NIST) covering digital identities, authentication, and life cycle management.

Here are just a few PCI DSS 4.0 changes to note:

  • Expanded PCI DSS 4.0 password requirements: Improved password length and complexity, and more frequent password changes for application and system accounts
  • Expansion of Requirement 8 (Identify and authenticate access to system components)
  • Expanded firewall terminology to support a broader range of technologies
  • MFA implementation for all access to the CDE
  • Improved management of cryptographic keys and certificates
  • Review of access privileges every six months
  • Increased limitation and monitoring of vendor and third-party accounts
  • More frequent data discovery to locate sensitive information in cleartext
  • Annual review and update of security awareness programs.

When Does PCI DSS 4.0 Go Into Effect?

The PCI DSS 4.0 release date was March 31, 2022, but the current version (v3.2.1) will remain active until March 31, 2024 — the PCI DSS 4.0 effective date. Major updates to a global standard do not happen overnight. The PCI DSS 4.0 timeline is designed to give organizations time to understand and implement the changes. During the transition period, you may assess your organization against either version.

Beware: the transition period is no time for complacency! For any organization in the payment space, PCI DSS 4.0 compliance will impact every facet of your work, from policy planning, to technical triage, and product development. Always remember that security, privacy, and compliance are most effective – and affordable – when they are baked into everything you do, from the ground up, and not simply used to paper over cracks in a fundamentally broken system.

Another bit of tried and true advice is to fulfill all of the requirements of previous PCI DSS iterations, and then write a “gap assessment” that clearly shows what you are missing, before moving on. For example, how will 5G affect your compliance? If you want to be a leader in this field, you need to know. A final truism is that the more in-scope systems you have, the bigger your CDE is – and the more time, money, expertise, and effort you will spend to secure and manage it.

Innovative Solutions for meeting PCI DSS Version 4.0

Compliance and security managers have a lot on their plates. They need to lighten workloads, cut costs, minimize scope, achieve compliance, and improve the customer experience (CX), all while increasing security.

The traditional path to success requires mastering the daunting discipline of information security, or InfoSec, including its bewildering array of strategies and tactics, from network segmentation to encryption, so that you minimize the systems which require PCI compliance, and protect your data even in the event of a breach.

A future-proof strategy is to find a partner who can securely store, protect, and process your payment data. For example, Very Good Security (VGS) offers innovative and automated Data Security as a Service (DSaaS) solutions that allow you to properly manage any type of sensitive data, including personally identifiable information (PII) and identity data.

VGS offers an integrated compliance framework that allows your business to avoid ever touching sensitive data (such as a Primary Account Number (PAN) or Social Security Number (SSN)), and thereby helps to descope your environment.

Experience how VGS fundamentally solves PCI differently than other point solutions and how the VGS Zero Data® Platform not only streamlines PCI DSS v3.2.1, but can put you on a future-proof path to 4.0 compliance as well.

PCI DSS v4.0 Resources

PCI DSS v4.0 Resource Hub

PCI DSS v4.0 Infographic

Video: “First Look at PCI DSS v4.0”

Podcast: “PCI DSS v4.0: A Preview of the Standard and Transition Training”

PCI DSS v4.0 Report on Compliance Template

PCI SSC Document Library

Kenneth Geers, PhD

Information Security Analyst at VGS
