PCI DSS v4.0 has arrived! How the changes affect you and your organization

By Dan Yarger
August 15, 2022

The Payment Card Industry Security Standards Council released its updated version of its Data Security Standards on March 31, 2022, its first update since version 3.2.1 in 2018. PCI DSS v4.0’s larger goals include:

  • Encouraging security practices to evolve as threats change
  • Promoting security as a continuous process
  • Allowing flexibility for organizations to achieve security objectives with different methods

The council allowing for flexibility does not mean that everything is a free-for-all. On the contrary, the new standards provide stricter guidelines for certain initiatives and tighter definitions for timelines that will make continuous vigilance even more important—not just at audit time, but throughout the year. Keep reading to learn more!

Multifactor Authentication – more restrictions, focus on how it’s configured

The PCI DSS v4.0 includes expanded requirements for multi-factor authentication (MFA). In the new data standards, MFA is required for all non-console access into the cardholder data environment (CDE) for personnel with administrative access. The goal is to reduce the probability that a malicious actor can gain access to CDE systems by requiring authentication via multiple means. These means should include at least two of the following three:

  • Something you know, such as a password or passphrase
  • Something you have, like a smart card or token device
  • Something you are, for example, a biometric element like a fingerprint.

The guidelines also specify that the length of a password or passphrase should increase from 7 to 12 characters and must include both numbers and alphabetical characters. This expanded use of MFA could create issues related to both cost and complexity for your organization. By reviewing your options now, you will have the time and space to choose the best option for your team.

Mechanisms against phishing attacks

Phishing attacks will continue to pose a threat for organizations as long as humans have computer access. Phishing attacks grow more sophisticated and remain relentless—so your efforts to protect against them must grow and remain too.

You will need automated anti-phishing mechanisms to meet the requirements and to keep the cardholder information you hold more secure. Parameter’s Advisory Services can help you choose the anti-phishing platform that is the right fit for your organization.

More strictly defined time periods

In the new PCI standards, timelines are more specifically designed and thus stricter. Whereas, before, an annual scan could mean doing the scan in January of one year and December of the next. That is to say, the time between activities was not specified. Now, an annual scan means that it must take place on the same day of every year.

Likewise, a company looking to meet past PCI standards might have conducted a quarterly action in January of the first quarter and May of the second. Now, a quarterly scan must happen: once every three months; between 90 and 92 days; or the nth day of every three months. In a similar vein, actions required daily could be interpreted as needing to happen every business day—to the exclusion of nights, weekends, and holidays. The new standards in PCI v4.0 define daily as every calendar day to avoid confusion or interpretation. For activities required periodically, the organization hoping to demonstrate compliance must submit its own specific definition for how frequently it will complete these activities. The organization can fail the assessment if it is not completed by the timeline.

What are the annual PCI v4.0 requirements?

Organizations should update their PCI DSS scope frequently (at least annually) to help ensure that the PCI DSS scope continues to align with the organization’s current business objectives and processes. Annual requirements for PCI v4.0 include identifying:

  • all data flows for the various payment stages
  • all locations where account data is stored, processed, and transmitted
  • all system components in the CDE, connected to the CDE, or that could impact security of the CDE
  • all segmentation controls in use and the environments from which the CDE is segmented, or justifying why environments are out of scope
  • all connections from third-party entities with access to the CDE
  • updates needed to all data-flow diagrams based on PCI requirements
  • all places where third-party data flows and connections to the CDE are needed in the scope

A policy advisor can help you craft these policies and procedures—not only to prepare you for an annual PCI audit but to keep your cardholder data safe year-round.

When should my organization worry about PCI v4.0 rollout?

No matter your company size, you will need to adapt to the new timeframes. For larger teams, vacations, sick time, and meetings for your leadership will make running more regular compliance program more challenging. Smaller teams will have to put programs in place to track. Mid-sized organizations will have trouble bridging this gap. Staying vigilant is key to sticking to compliance requirements.

By starting now, you will have a leg up on the competition and the bad actors and will have the appropriate amount of time for review and implementation. Begin with a gap analysis to determine how ready your organization is for the new changes, where you will need adjustments and improvements, as well as how to prepare for them. It takes to build up inertia in decision making, budgeting, and procurement to meet the new requirements.

Fill out the form below to get your PCI DSS v4.0 questions answered by one of our Certified DSS-QSAs or Advisors.

Director of Information Security Assessment Services

Dan started his career at the age of 14, serving as IT support for his dad’s bookstore. Dan graduated from Illinois State University with a bachelor’s degree in Telecommunications Management and worked in telecommunications out of college. He later became a contractor for the US Air Force conducting compliance and policy work, leading a small team of contractors by the end of his five years there. He gained more experience in security, surveillance, and access controls at the Federal Reserve Bank of St. Louis before starting at Parameter.

Dan combines his experience in compliance, security, and team leadership to serve Parameter Security in a variety of capacities. As the head Qualified Security Assessor (QSA), Dan helps clients align to the Payment Card Industry Data Security Standard and oversees a team of assessors. He also conducts forensic investigations, both at home and abroad.

Outside of work, Dan is active at church, serving as the unofficial head of security and official worship tech minister, working lights, sound, and live video streaming. Dan has also worked at the Haunted Mansion and does his best to visit Disney every year with his wife.

Leverage Our InfoSec Expertise
Our Team + Your Team = Stronger Security Program