Mikey Anderson

Product Marketing Manager

26th June 2023

In the ever-evolving landscape of cyber security, organisations must continuously adapt to emerging threats and enhance their security measures. One way to ensure that sensitive cardholder data is properly protected is to comply with the Payment Card Industry Data Security Standard (PCI DSS).

PCI DSS is a cyber security standard supported by the leading payment processing companies. Its goal is to protect cardholder information, and although it isn’t a legal requirement, it still applies to all entities handling card data. Even if your business outsources payment processing to a third party, your acquirer or payment provider can still hold you responsible for data breaches and issue fines for non-compliance.

In March 2022 the PCI Security Standards Council (PCI SSC) released PCI DSS v4.0, a significant update to the standard that supersedes the existing version, v3.2.1, which was first released in May 2018. For most organisations this means there are 53 new requirements to comply with. If your organisation is a service provider, there are an additional 11 requirements, bringing the total to 64. Aside from the new additions, there have also been many other alterations and clarifications to existing sub-requirements.

Thankfully, for most of the new requirements there is a grace period to implement the necessary changes. 13 requirements are effective immediately for any new v4.0 assessments; the remaining 51 are considered best practice until March 31st, 2025, after which they become fully effective. This should give businesses ample time to understand and implement the changes needed to comply with the new version.

To help you make sense of it all, here are five key changes that PCI DSS v4.0 introduces and the impact they could have on your organisation.

1. Enhanced focus on vulnerability management

PCI DSS v3.2.1 contained many different requirements to ensure that organisations were properly identifying and remediating vulnerabilities, whether they were found by vulnerability scans or by penetration tests.

Instead of simply detecting and fixing critical and high-risk vulnerabilities, PCI DSS v4.0 requirement 11.3.1.1.a now mandates that organisations periodically address all other vulnerabilities (such as medium, low or informational risks). This change is designed to address the fact that all vulnerabilities, regardless of their criticality, are potential attack vectors and should be managed effectively.

It is common for modern cyber attacks to use ‘vulnerability chaining’, where an attacker leverages several vulnerabilities in combination to gain access to a system or network, rather than relying on a single exploit. The update to this requirement reflects the importance of prioritising and remediating all vulnerabilities, not just the critical and high-risk ones, to prevent such attacks.
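To make the 11.3.1.1 shift concrete, here is an added example (not code from the original post or from Defense.com) of a small triage routine that tracks every scan finding, including medium, low and informational ones, against a remediation deadline and reports which are overdue. The findings and the per-severity remediation windows are constructed assumptions for illustration; PCI DSS v4.0 leaves the windows for non-critical findings to each entity's own targeted risk analysis.

```python
"""Triage scan findings so that every severity tier, not only critical/high,
has an owner-visible remediation deadline. Added example; all data is constructed."""
from dataclasses import dataclass
from datetime import date, timedelta

# Assumed internal policy (days to remediate). These are illustrative values,
# not figures mandated by PCI DSS v4.0 requirement 11.3.1.1.
REMEDIATION_WINDOW_DAYS = {
    "critical": 30, "high": 30, "medium": 90, "low": 180, "informational": 365,
}


@dataclass(frozen=True)
class Finding:
    host: str
    title: str
    severity: str
    first_seen: date


def deadline(finding: Finding) -> date:
    """Due date derived from the severity window and the first detection date."""
    return finding.first_seen + timedelta(days=REMEDIATION_WINDOW_DAYS[finding.severity.lower()])


def triage(findings, today: date):
    """Return (per-severity open/overdue counts, overdue findings oldest-deadline first).

    Unknown severities are rejected rather than silently dropped, so a finding
    can never fall out of tracking because of a scanner label mismatch."""
    report = {sev: {"open": 0, "overdue": 0} for sev in REMEDIATION_WINDOW_DAYS}
    overdue = []
    for f in findings:
        sev = f.severity.lower()
        if sev not in REMEDIATION_WINDOW_DAYS:
            raise ValueError(f"unknown severity {f.severity!r} on {f.host}")
        report[sev]["open"] += 1
        if deadline(f) < today:
            report[sev]["overdue"] += 1
            overdue.append(f)
    overdue.sort(key=deadline)
    return report, overdue


# Constructed sample scan output for a small cardholder data environment.
SAMPLE_FINDINGS = [
    Finding("pos-db-01", "TLS 1.0 enabled", "high", date(2024, 1, 5)),
    Finding("pos-web-02", "Verbose server banner", "informational", date(2023, 2, 1)),
    Finding("pos-web-02", "Missing HSTS header", "medium", date(2024, 1, 15)),
    Finding("hr-fs-01", "Outdated OpenSSH version", "low", date(2023, 11, 20)),
]


def example_report():
    """Run triage on the constructed findings as of a fixed date."""
    return triage(SAMPLE_FINDINGS, date(2024, 3, 1))
```

Note that the informational finding, which a critical/high-only process would ignore, is the most overdue item in the report.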

2. Additional malware and phishing controls

PCI DSS v4.0 introduced a range of additional sub-requirements related to the protection of systems and networks from malware. For example, 5.3.3 is a new addition that requires organisations to use an anti-malware solution to automatically scan removable media such as USB sticks when they are connected or logically mounted.

5.4.1 is another new sub-requirement that is designed to help protect staff from phishing attacks, stating the need to “train personnel to recognize and report phishing emails”, as well as deploy anti-phishing mechanisms to detect and block attacks. This sub-requirement aims to ensure that malicious emails are identified and handled effectively, thus reducing the chances of malware being deployed via phishing attacks.

3. Improved security awareness training

PCI DSS Requirement 12.6 mandates that security awareness education should be an ongoing activity. While PCI DSS v3.2.1 did already have this requirement, v4.0 has introduced additional sub-requirements that provide specific details about how this should be implemented.

For example, 12.6.2 now states that organisations must review their security awareness training program at least once every 12 months, and it should be continually updated to address any new threats or vulnerabilities that could affect the cardholder data environment (CDE).

Sub-requirement 12.6.3 also now incorporates much more detail about the content of the security awareness training itself. PCI DSS v3.2.1 already mandated that users should be trained upon hire and at least annually; v4.0 now specifically requires this training program to include information about new vulnerabilities, phishing attacks, social engineering and the acceptable use of end-user technologies.

These are welcome changes to PCI DSS, as it is important to ensure your staff are always your best first line of defense. The additional requirements and alterations to existing guidance can help your business to build a robust training program that keeps your staff and cardholder data protected from existing and new threats.

4. Stronger authentication measures

Authentication and authorization mechanisms play a crucial role in preventing unauthorized access to sensitive data. One way of achieving this is with multi-factor authentication (MFA), which was not referenced in PCI DSS v3.2.1.

PCI DSS v4.0 places greater emphasis on stronger authentication controls and specifically introduces new requirements for implementing MFA. Requirement 8.4 in PCI DSS v4.0 mandates the use of MFA for all access to the CDE and 8.5.1 requires businesses to implement MFA systems properly. Both of these requirements will help organisations prevent unauthorized access to their systems and protect their cardholder data.

While MFA is not a silver bullet when it comes to securing access to data, when combined with many of the other requirements of PCI DSS it becomes a strong part of a multi-layered security strategy.

5. Different approaches to compliance

For PCI DSS v3.2.1, organisations had only one choice when it came to complying with the requirements: a single defined approach with specific wording and set testing criteria. This made the standard somewhat inflexible, especially for organisations with bespoke systems or working practices.

PCI DSS v4.0 has addressed this challenge by introducing two different approaches that organisations can choose from to stay compliant:

Defined approach

This approach is the traditional way to comply with PCI DSS, using the exact requirements and testing criteria provided by the PCI SSC. This is a straightforward approach that makes it easy for organisations to follow the security controls outlined in the standard and for assessors to follow defined testing procedures.

This approach is great for organisations that require additional guidance for complying with PCI DSS, especially if they are just starting out on their information security journey or have not been PCI compliant before.

Customized approach

The customized approach was designed to help support “innovation in security practices”, and it enables businesses to have greater flexibility to show how their security controls meet PCI DSS requirements. Instead of needing to drastically adapt their approach simply for the sake of complying with specific wording, it is now possible for organisations to demonstrate how they meet the requirements in other ways, without strictly following the defined approach.

While it was already possible to use compensating controls to address any issues with meeting a requirement as written, this should be welcome news for businesses that already have a mature information security and risk management program in place. When it comes to testing, if you use a customized approach for any of the PCI DSS requirements, your assessor will define tailored testing procedures based on the specific control and its objective.

In Summary

PCI DSS v4.0 represents a significant step forward in strengthening cyber security measures for organisations handling sensitive cardholder data. Overall, the changes require businesses to implement and maintain a robust cyber security program that is more closely aligned to modern-day cyber threats. V4.0 also gives organisations more flexibility, with a choice of approaches that can be taken to stay compliant.

With so many additions and changes compared to PCI DSS v3.2.1, we’d advise getting started with your v4.0 compliance journey as soon as you can to give yourself ample time to implement everything before the 31st March 2025 deadline. Some requirements may be quick fixes to your existing processes and infrastructure if you’re already v3.2.1 compliant, while others could be much more complex projects.

For a complete overview of the changes from PCI DSS v3.2.1 to v4.0 you can find out more on the PCI SSC website here.

Comply with PCI DSS today

Find out how Defense.com can help you stay compliant and strengthen your security posture.