It’s official! PCI DSS v4.0 has made its debut. Compliance teams may find themselves feeling a mix of anticipation and déjà vu as they embark on the PCI DSS process once again.
Making the transition toward compliance with PCI DSS 4.0 may seem daunting at first, but it doesn’t have to be. By taking a comprehensive approach and using up-to-date tools and resources, you can enhance your security position and meet all necessary PCI DSS version 4.0 compliance requirements.
PCI DSS Version 4.0 Timeline
The PCI DSS framework has undergone several revisions and updates since its initial release in 2004. The most recent major PCI compliance update, version 4.0, was released in March 2022.
PCI DSS current version, Version 3.2.1, is being phased out and will be replaced by the newly-released version, PCI DSS version 4.0, in March of 2024. On that date, PCI DSS v4.0 will become the only active version of the standard.
It’s important to note that some of the new PCI DSS v4.0 requirements will only become mandatory after March 31, 2025. Until then, they are deemed best practice. This leaves companies sufficient time to prepare for them.
PCI DSS 4.0: What’s New?
PCI DSS 4.0 brings a wave of changes that reflect a more customized, risk-based approach to security. “PCI DSS v4.0 is more responsive to the dynamic nature of payments and the threat environment,” says Emma Sutcliffe, SVP, Standards Officer of PCI SSC. “Version 4.0 continues to reinforce core security principles while providing more flexibility to better enable diverse technology implementations. These updates are supported by additional guidance to help organizations secure account data now and into the future.”
Here is a broad explanation of the modifications:
1. Outcome-Based Approach
PCI DSS 4.0 shifts the focus from rigid, prescriptive security requirements to an outcome-based model. This allows organizations to tailor their security controls to their unique environments while achieving their intended security objectives.
2. Customized Validation
One of the most significant changes in PCI DSS 4.0 is the introduction of a novel approach that permits organizations to tailor their compliance measures. Unlike previous versions that mandated strict adherence to defined requirements, this latest iteration offers flexibility and customization. By leveraging this approach, businesses can more effectively assess and prioritize their efforts to mitigate risks.
3. Addressing Newly Emerged and Evolving Risks
PCI DSS 4.0 is attuned to the dynamic landscape of emerging threats and technologies. It ensures that organizations remain up-to-date with the latest security measures and best practices, safeguarding against evolving vulnerabilities.
By introducing these changes, PCI DSS 4.0 equips organizations with a more adaptable and robust framework for securing payment card environments. This flexibility empowers businesses to stay ahead of the evolving threat landscape.
Start Getting Value With
Centraleyes for Free
See for yourself how the Centraleyes platform exceeds anything an old GRC
system does and eliminates the need for manual processes and spreadsheets
to give you immediate value and run a full risk assessment in less than 30 days
What Are the Updated Primary Security Requirements?
The PCI framework outlines common-sense protection measures aligned with industry best practices. It consists of twelve high-level requirements divided into six categories. The revised PCI DSS 4.0 summary of changes to security requirements are as follows:
Build and Maintain a Secure Network and Systems
- Install and Maintain Network Security Controls.
- Apply Secure Configurations to All System Components.
Protect Cardholder Data
- Protect Stored Account Data.
- Protect Cardholder Data with Strong Cryptography During Transmission Over Open, Public Networks.
Maintain a Vulnerability Management Program
- Protect All Systems and Networks from Malicious Software.
- Develop and Maintain Secure Systems and Software.
Implement Strong Access Control Measures
- Restrict Access to System Components and Cardholder Data by Business Need to Know.
- Identify Users and Authenticate Access to System Components.
- Restrict Physical Access to Cardholder Data.
Regularly Monitor and Test Networks
- Log and Monitor All Access to System Components and Cardholder Data.
- Test the Security of Systems and Networks Regularly.
Maintain an Information Security Policy
- Support Information Security with Organizational Policies and Programs.
What Are the PCI DSS Version 4.0 Compliance Levels?
PCI DSS 4 changes have not impacted the categorization of compliance levels. As with previous versions, PCI Version 4.0 compliance levels are based on the annual volume of credit or debit card transactions an entity handles, each associated with specific requirements:
- Level 1: Entities processing over six million annual transactions must meet all twelve requirements, requiring an external audit by a Qualified Security Assessor (QSA).
- Level 2: Businesses processing one to six million transactions must conduct an annual Self-Assessment Questionnaire (SAQ) and may need quarterly vulnerability scans.
- Level 3: Merchants handling 20,000 to one million e-commerce transactions annually follow a similar process as Level 2 but with potential quarterly scans.
- Level 4: Merchants conducting fewer than 20,000 e-commerce transactions or up to one million in-person transactions yearly follow an annual assessment process and may require quarterly vulnerability scans.
Requirements Based on Level
To become PCI DSS compliant, determine which standards to meet first. Then, assess your existing program to see if your data protection is enough and where you may need to make changes to comply with necessary security requirements.
| PCI DSS | ||||||
| Level: | To Comply: | Components: | Which type of report: | Number of Questions | (Approved Scan Vendor) ASV Scan needed: | |
| Level 1 Merchant & All Service Providers (who process over 300k+ transactions) | Must complete an external audit with a Report on Compliance (RoC) performed by a Qualified Security Assessor (QSA) and file with acquiring bank | RoC & AoC | RoC | Full PCI DSS – all 12 requirements (289 Qs) | Yes | |
| Level 2 Merchant | Can complete an internal Self-Assessment Questionnaire (SAQ) and submit it together with an Attestation of Compliance (AoC) for compliance to acquiring bank(unless acquiring bank requests an RoC) | The SAQ (which includes questions correlating to PCI DSS requirements) and an AoC | SAQ A | 34 | Yes | |
| SAQ A-EP | 144 | Yes | ||||
| SAQ B | 31 | No | ||||
| Level 3 Merchant | SAQ B-IP | 55 | Yes | |||
| SAQ C-VT | 59 | No | ||||
| SAQ C | 130 | Yes | ||||
| Level 4 Merchant | SAQ P2PE | 25 | No | |||
| SAQ D MER | 239 | Yes | ||||
| SAQ D SP | 267 | Yes | ||||
Self-Assessment Questionnaire in PCI DSS Version 4.0
Organizations falling under levels 2, 3, or 4 need not undergo an external audit for PCI DSS compliance. Instead, they are required to complete a Self-Assessment Questionnaire (SAQ). SAQs serve as validation tools for merchants and service providers who are not expected to conduct on-site assessments. There exist nine different SAQs for various merchant environments. To determine the appropriateness of an SAQ and which one to use, payment brands or acquiring banks must be contacted.
As companies prepare for PCI DSS version 4, the reassuring news is that the SAQ categories remain unaltered. If your payment avenues haven’t undergone significant modifications, you’ll likely stick with your current SAQ category. The SAQ names you’re accustomed to remain intact, and there are no introductions of new SAQ classifications.
For those tackling SAQs, get ready for some amendments to compliance prerequisites. Several extra controls have joined the mix in version 4.0. These include ASV scanning (previously non-mandatory) and heightened monitoring of servers and code–fresh requirements for e-commerce merchants.
Also, topics like phishing prevention, refined TLS management, anti-phishing measures, extended password criteria, universal MFA application within the Cardholder Data Environment (CDE), and robust user account management are woven into the revamped SAQ requirements.
Transitioning to PCI DSS 4.0: Where To Start
With the clock ticking to the PCI DSS v4.0 effective date, we’ll provide a step-by-step guide to help you navigate the process while maintaining compliance and enhancing your security posture.
Step #1: How About Right Now?
The most critical step in your PCI DSS v4.0 journey is to start now. The phasing out of PCI DSS v3.2.1 is happening as you read this blog. The sooner you learn what PCI DSS v4.0 entails for your organization, the quicker you can plan and prioritize the work needed for a seamless transition.
Step #2: Keep an Eye On Your Security Controls
While adapting to PCI DSS v4.0, it’s vital to diligently maintain your v3.2.1 security controls. Continue monitoring and preserving all your existing PCI DSS security controls, even as you concentrate on implementing the new requirements of v4.0.
Step #3: Understand the New Requirements
Understanding the nuances of PCI DSS v4.0 begins with a deep dive into the “PCI DSS v3.2.1 to PCI DSS v4.0 Summary of Changes.” This resource, available in the PCI SSC Document Library, offers a concise overview and descriptions of the disparities between v3.2.1 and v4.0. It also includes a “Summary of New Requirements” table, cataloging the new requirements, their relevance, and effective dates.
Once you’ve absorbed the v4.0 requirements, align them with your current security controls and assess their impact on your organization. You might discover that you already meet some v4.0 requirements, enabling you to prioritize your transition efforts where they are most needed.
Step #4: Select the Right Validation Approach
When transitioning to PCI DSS v4.0, choosing the best validation approach that suits your organization is crucial. Two options are available: the predefined approach and the customized approach. The predefined approach adheres to traditional methods of implementing and validating PCI DSS requirements, following the Standard’s stipulated requirements and testing procedures. The customized approach empowers organizations to design custom security controls to fulfill customized approach objectives. If you opt for the customized approach, ensure a comprehensive understanding of the requirements and verify that your implementation meets the additional risk analysis and documentation demands before attempting validation.
Step #5: Develop a Compliance Roadmap with Centraleyes:
Craft a clear and actionable plan for achieving and maintaining PCI DSS 4.0 compliance for the long run, focusing on continuous control monitoring and risk management.
Choose a platform that allows you to evaluate and prioritize security risks within your organization. This enables you to allocate resources and investments effectively, addressing the most critical vulnerabilities while maintaining compliance.
Tackle PCI DSS Version 4.0 With Centraleyes
PCI DSS 4.0 is not merely a compliance requirement; it’s a roadmap to a more secure future. Embrace these changes, adapt your security measures, and fortify your organization’s defenses to thrive in the dynamic world of payment card security.
If you’re wondering about the new PCI DSS version 4.0 and how it may affect your existing PCI compliance, we’re here to help. Centraleyes is dedicated to supporting PCI DSS and ensuring it fits your organization’s needs.
Start Getting Value With
Centraleyes for Free
See for yourself how the Centraleyes platform exceeds anything an old GRC
system does and eliminates the need for manual processes and spreadsheets
to give you immediate value and run a full risk assessment in less than 30 days
