The Next Chapter: What's New in PCI DSS 4.0?

Launched in 2006, the Payment Card Industry Data Security Standard (PCI DSS) has been a cornerstone for securing cardholder data. PCI DSS 4.0 is the most recent update that was released on March 31, 2022, and marks a significant shift in requirements to adapt to the evolving landscape of e-commerce and cyber threats. In this article, we’re exploring the latest version of PCI DSS and the key differences between the older version 3.2.1 and the new 4.0.

What is PCI DSS 4.0?

PCI DSS 4.0 aims to maintain continuous security and introduce new methods to meet evolving requirements in the payment card industry. The 12 primary requirements from the previous version form the foundation but have undergone updates, restructuring, and the addition of new guidance. Key changes include:

• Increased flexibility for organizations to showcase their utilization of different methods to achieve security objectives
• Additional authentication controls in requirement 8 to implement multi-factor authentication for all access into the cardholder data environment
• Updated password requirements, including increasing password length requirement from 8 characters to 12
• Changing requirements around shared, group, and generic accounts
• Clearly defined roles and responsibilities for each requirement
• Clarification on the prevention of copying or relocating of the primary account number (PAN) when employing remote-access technologies
• New requirements to better secure payment pages and prevent ongoing threats, such as phishing, e-commerce, and e-skimming attacks

PCI DSS 4.0 vs. PCI DSS 3.2.1: Key Differences

Comparing the two versions reveals several notable distinctions:

Revised Scope to Ensure Continuous Security:

• PCI DSS 3.2 defines the scope through requirement details
• PCI DSS 4.0 emphasizes continuous monitoring and the dynamic nature of the scope

Focus on Security Outcomes:

• PCI DSS 3.2 provides prescriptive security controls.
• PCI DSS 4.0 focuses more on security outcomes, offering flexibility.

Stronger Authentication Methods:

• PCI DSS 3.2 introduces MFA for specific access.
• PCI DSS 4.0 expands MFA, recognizing evolving authentication methods.

Enhanced Software Security Requirements:

• PCI DSS 3.2 introduces Secure Software Lifecycle (SLC) requirements.
• PCI DSS 4.0 further enhances software security requirements.

Continuous Penetration Testing:

• PCI DSS 3.2 requires penetration testing on a yearly basis.
• PCI DSS 4.0 recommends continuous penetration testing instead of annually.

Clarity on Encrypted Data:

• PCI DSS 3.2 addresses encrypted data but provides limited guidance.
• PCI DSS 4.0 offers precise guidance on managing encrypted data.

Greater Vendor Responsibility:

• PCI DSS 3.2 outlines service provider responsibilities.
• PCI DSS 4.0 extends service provider responsibilities, emphasizing documentation and change management.

Enhanced Reporting Requirements:

• PCI DSS 3.2 outlines specific reporting requirements.
• PCI DSS 4.0 enhances the reporting requirements by focusing on evidence-based reporting.

Implementation Timeline and Transition:

PCI DSS 4.0, effective since March 31, 2022, coexists with the previous version, PCI DSS 3.2.1, until March 31, 2024. Organizations have this transition period to review changes, update templates, and implement new controls.

On March 31, 2024, PCI DSS 3.2.1 retires, making PCI DSS 4.0 the sole active version. A grace period until March 31, 2025, is provided for adopting future-dated requirements identified in v4.0.

After March 31, 2025, these requirements become mandatory for PCI DSS assessments.

Implications of Non-Compliance:

Non-compliance with PCI DSS 4.0 by the stipulated deadlines incurs financial penalties. The Council has a tiered fine structure, with amounts increasing based on the duration of non-compliance.

Beyond financial penalties, non-compliant organizations risk losing essential contracts and business relationships, affecting their ability to accept card payments.

In summary, PCI DSS 4.0 introduces crucial changes to enhance security and adapt to the dynamic landscape of the payment card industry. With data security being our number one priority, Opn Payments has been compliant with PCI DSS 4.0 since 2023. Learn more about how we prepared for the transition from PCI DSS 3.2.1 to PCI DSS 4.0 in this interview with our security manager.

‍