PCI DSS 4.0 – Compliance Mandate

It’s been two years since the new version of PCI DSS, Version 4.0, was released. Payment card industry members have just over a year to comply with the new requirements, which require 64 new requirements to be implemented by the end of March 2025 at the latest. 

The new version is the last authorized version to be released by the PCI DSS industry, as the previous version, Version 3.2,1, was officially retired from the industry in March 2024. Since 2022, merchants, 3POs, and card processors have been actively working to comply with PCI DSS Version 4.0 requirements, which must be implemented before the first annual PCI DSS PCI DSS security assessment takes place. 

Objectives 

One of the goals of v4.0 is to continue to meet the security needs of the payment industry, because “security needs to evolve as threats evolve.” The document includes examples:

Expanded multi-factor authentication requirements.
Updated password requirements.
New e-commerce and phishing requirements to combat ongoing threats.

Another goal of PCI DSS 4.0 is to promote ongoing security process because “Cybercriminals never sleep, so continuous security is critical to protecting payment information.”  

Examples:
Roles and responsibilities are divided for each requirement.
Additional guides to help industry members better understand how to implement and maintain cybersecurity.

The third goal is to increase flexibility for organizations using different methods to achieve security goals. 

Examples:
Enabling group, shared and general accounts.
Targeted risk analysis that allows members to determine the frequency of performing specific activities.
A new method for implementing and validating PCI DSS requirements, called the Tailored Approach, provides one more option for organizations using innovative methods to achieve their security goals.

The fourth goal mentioned in the document is to improve validation methods, procedures and reporting to increase transparency and accuracy.  

Key Steps to PCI DSS 4.0 Compliance Implementing  

PCI DSS 4.0 requires four actions to improve the security of payment account information and protect customers.  

Annual security risk assessment.  

This activity includes finding all payment account information within your organization and an inventory of all IT assets and business processes related to payment processing. This includes analysing processes and resources to identify vulnerabilities that could expose payment account information to hacking and other unauthorized access, and then implementing or updating the necessary controls.  

These activities culminate in the completion of a formal PCI DSS 4.0 risk assessment, which is required annually. 

Vulnerability remediation.  

This phase includes identifying and correcting gaps in information security controls, addressing vulnerabilities identified in the assessment phase above, and implementing secure business processes. It also requires the safe removal of any payment information stored unnecessarily or after use. With V4.0’s 64 new security requirements, most organizations find more vulnerabilities than previous assessments. 

Reporting assessment results.  

This activity requires you to document your assessment and repair data and submit an Official Report of Compliance (ROC) to a compliance entity, which is usually the receiving bank or your payment card brand. Smaller organizations that meet the criteria can report their results in a Self-Assessment Questionnaire (SOC). A Certificate of Conformity (AOC) is also required by most dealers. 

Monitoring and maintenance.  

This is an ongoing activity that includes (1) continuous monitoring of the security measures implemented to protect your organization’s payment account information and (2) active and up-to-date maintenance of these controls in accordance with PCI DSS 4.0. Merchants. and other payment card operators must repeat these steps annually. Tier 1 and Tier 2 merchants handling more than 1 million transactions per year must hire a Qualified Security Assessor (QSA) to conduct annual assessments and prepare required compliance reports. Level 3 traders can usually complete self-assessments using a formal self-assessment questionnaire. Required certificates of compliance confirm the results of assessments. 

All merchants must submit a quarterly vulnerability report to demonstrate compliance. Regular internal and external scans are very useful to maintain a secure perimeter and effectively protect cardholder information. Anything less than perfect execution is simply not worth the risk.