Earlier this month, the Payment Card Industry Security Standards Council (PCI SSC) published the official PCI DSS version 4.0. Over the next few months, we anticipate supporting documentation to emerge and QSA training to begin.
What's Next? – Supporting Documentation & QSA Training
Updates to supporting documents, including SAQs, Report on Compliance (ROC) Template, PCI DSS Glossary, and Prioritized Approach, are part of the revision cycle whenever PCI DSS is updated. We expect these documents to be available within a few months based on Council guidance.
PCI DSS v4 will become auditable after QSA training and certification, expected around June 2022. We expect organizations to start going for v4 assessments in the second half of 2023.
The Report on Compliance (ROC) Template is where the real meat is.
The Report on Compliance (ROC) Template is the essential document for making any accurate, relevant comments about v4. The DSS gives some indications, but it is the Reporting Template, with its actual test procedures, that will supply the telling details. Those required testing details are where the real meat is.
The New Concept of the Customized Approach
The most significant change in v4 is the new concept of the Customized Approach (CA). Organizations with their own set of controls that achieve the same objectives can use a customized reporting approach. The CA is not a replacement for the compensating control worksheet (CCW); the CCW remains for situations where the client cannot meet the PCI requirements. The Customized Approach is one reason we need to see the Reporting Template, because that is what will gauge how difficult implementing v4 will be for organizations.
Activities for 2022 - 2023
- Look for our review of the ROC – Coming Soon
- Evaluate your program against the new PCI DSS 4.0 requirements
- Implement immediate requirements before your next assessment
- Make a plan to implement all requirements by 2025
- Read our blog, How to Be Prepared for PCI DSS v4 in 2022, for information on preparing for PCI DSS 4.0
Get Started on PCI DSS Compliance with Truvantis
PCI DSS compliance can be expensive. You can reduce effort and cost by relying on a trusted vendor to deal with it for you. Let them deal with compliance so you can invest in your business.
Truvantis is available to consult, implement, and manage your PCI compliance program. Whether you're looking for help achieving PCI DSS compliance or need verification by a Qualified Security Assessor (QSA), Truvantis can help.
Contact us about PCI DSS Compliance
Appendix: Summary of New Requirements in PCI DSS 4.0
The following new requirements are best practice until March 31, 2025, after which they become mandatory and must be fully considered during a PCI DSS assessment.
Requirement 3 - Protect Stored Account Data
- Sensitive authentication data (SAD) stored electronically prior to completion of authorization is encrypted using strong cryptography.
- Technical controls to prevent copy and/or relocation of PAN when using remote-access technologies.
- Keyed cryptographic hashes when hashing is used to render PAN unreadable.
- Disk-level or partition-level encryption is only used to render PAN unreadable on removable electronic media or, if used on non-removable electronic media, the PAN is also rendered unreadable via a validated, reliable mechanism.
- Use of the same cryptographic keys in production and test environments is prevented.
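The keyed-hash bullet and the production/test key bullet above are the two in this group that translate directly into code, so here is an added example (written for this page, not Truvantis' or the Council's code) showing the difference between an unkeyed SHA-256 of a PAN, which anyone can recompute to confirm a guessed card number, and an HMAC-SHA256 keyed hash, which cannot be verified without the secret key. HMAC-SHA256 is assumed here as the keyed construction; the function names, the 256-bit key length check and the sample test PAN are all this example's own choices.

```python
import hashlib
import hmac
import secrets

# Constructed sample PAN: a widely published test card number, not a real account.
SAMPLE_PAN = "4111111111111111"


def luhn_valid(pan: str) -> bool:
    """Luhn check, used here only to confirm a constructed sample PAN is well-formed."""
    digits = [int(c) for c in pan if c.isdigit()]
    if len(digits) < 13:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def unkeyed_pan_hash(pan: str) -> str:
    """Plain SHA-256 of the PAN. This is the pattern v4.0 moves away from:
    the digest depends on nothing secret, so anyone who can guess a candidate
    PAN can recompute the digest and confirm the guess."""
    return hashlib.sha256(pan.encode()).hexdigest()


def unkeyed_hash_confirms_guess(candidate_pan: str, digest: str) -> bool:
    """Why unkeyed hashing is no longer acceptable: no key is needed to test
    a candidate PAN against a stored digest."""
    return hmac.compare_digest(unkeyed_pan_hash(candidate_pan), digest)


def keyed_pan_hash(pan: str, key: bytes) -> str:
    """Keyed hash (HMAC-SHA256) of the whole PAN. The key is a secret managed
    like any other data-protection key, so a digest cannot be recomputed or
    verified without it. The 256-bit minimum is this example's policy choice."""
    if len(key) < 32:
        raise ValueError("key must be at least 256 bits")
    return hmac.new(key, pan.encode(), hashlib.sha256).hexdigest()


def keyed_hash_matches(pan: str, digest: str, key: bytes) -> bool:
    """Constant-time comparison of a lookup value against a stored keyed digest."""
    return hmac.compare_digest(keyed_pan_hash(pan, key), digest)


def new_pan_hash_key() -> bytes:
    """Generate a fresh 256-bit key; generate one per environment."""
    return secrets.token_bytes(32)


def environment_keys_distinct(production_key: bytes, test_key: bytes) -> bool:
    """Guard for the last bullet above: the same key must not be used in
    production and test. A deployment check can refuse to start when this is False."""
    return not hmac.compare_digest(production_key, test_key)


if __name__ == "__main__":
    prod_key, test_key = new_pan_hash_key(), new_pan_hash_key()
    assert luhn_valid(SAMPLE_PAN)
    stored = keyed_pan_hash(SAMPLE_PAN, prod_key)
    print("keyed digest:", stored)
    print("lookup with production key:", keyed_hash_matches(SAMPLE_PAN, stored, prod_key))
    print("lookup with test key:", keyed_hash_matches(SAMPLE_PAN, stored, test_key))
    print("production/test keys distinct:", environment_keys_distinct(prod_key, test_key))
```

The point a QSA will look for is not the hash algorithm but where the key lives: if the HMAC key sits beside the digests in the same database, the keyed hash buys nothing over the unkeyed one, so it belongs under the same key-management controls as the encryption keys.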
Requirement 4 - Protect Cardholder Data with Strong Cryptography During Transmission Over Open, Public Networks
- Confirm certificates used for PAN transmissions over open, public networks are valid and not expired or revoked.
- Maintain an inventory of trusted keys and certificates.
Requirement 5 - Protect All Systems and Networks from Malicious Software
- Define the frequency of periodic evaluations of system components not at risk for malware in the entity's targeted risk analysis.
- Define the frequency of periodic malware scans in the entity's targeted risk analysis.
- A malware solution for removable electronic media.
- Detect and protect personnel against phishing attacks.
Requirement 6 – Develop and Maintain Secure Systems and Software
- Maintain an inventory of bespoke and custom software.
- Deploy an automated technical solution for public-facing web applications that continually detects and prevents web-based attacks.
- Management of all payment page scripts that are loaded and executed in the consumer's browser.
Requirement 7 - Restrict Access to System Components and Cardholder Data by Business Need to Know
- Review of all user accounts and related access privileges.
- Assignment and management of all application and system accounts and related access privileges.
- Review all access by application and system accounts and related access privileges.
Requirement 8 - Identify Users and Authenticate Access to System Components
- Increase password length from a minimum length of seven characters to a minimum length of 12 characters (or if the system does not support 12 characters, a minimum length of eight characters).
- * If passwords/passphrases are the only authentication factor for customer user access, then passwords/passphrases are either changed at least once every 90 days, or access to resources is automatically determined by dynamically analyzing the security posture of the accounts.
- Implement multi-factor authentication (MFA) for all access into the CDE.
- Management of system or application accounts that can be used for interactive login.
- Not hard-coding passwords/passphrases into files or scripts for any application and system accounts that can be used for interactive login.
- Protecting passwords/passphrases for application and system accounts against misuse.
Requirement 9 - Restrict Physical Access to Cardholder Data
- Define the frequency of periodic POI device inspections based on the entity's targeted risk analysis.
Requirement 10 - Log and Monitor All Access to System Components and Cardholder Data
- Use of automated mechanisms to perform audit log reviews.
- Targeted risk analysis to define the frequency of periodic log reviews for all other system components.
- Detect, alert, and promptly address failures of critical security control systems.
- Respond promptly to failures of any critical security controls.
Requirement 11 - Test Security of Systems and Networks Regularly
- Manage all other applicable vulnerabilities (those not ranked as high-risk or critical) found during internal vulnerability scans.
- Perform internal vulnerability scans via authenticated scanning.
- * Requirement for third-party hosted/cloud service providers to support their customers for external penetration testing.
- * Use intrusion-detection and/or intrusion-prevention techniques to detect, alert on/prevent, and address covert malware communication channels.
- Deploy a change-and-tamper-detection mechanism to alert for unauthorized modifications to the HTTP headers and contents of payment pages as received by the consumer browser.
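The last bullet above (change-and-tamper detection on payment pages) and the Requirement 6 bullet on managing payment page scripts are two sides of one control, so here is one added example, written for this page and not Truvantis' or any vendor's product, that covers both: it snapshots the headers and HTML a consumer browser would receive, lists the scripts the page loads against an authorization inventory, and raises alerts when the security headers, the page content or the script set changes. The sample page, headers, script inventory and the list of volatile headers to ignore are all constructed for this example, and the `.example` hostnames are reserved placeholders.

```python
import hashlib
import json
from html.parser import HTMLParser

# --- Constructed sample data (not from any real merchant) --------------------
# Headers and body as the consumer browser would receive the payment page.
BASELINE_HEADERS = {
    "Content-Type": "text/html; charset=utf-8",
    "Content-Security-Policy": "script-src 'self' https://js.psp.example",
    "Date": "Mon, 04 Apr 2022 10:00:00 GMT",
}
BASELINE_BODY = (
    '<html><body><form id="card"></form>\n'
    '<script src="/static/checkout.js"></script>\n'
    '<script src="https://js.psp.example/v1/fields.js"></script>\n'
    "</body></html>"
)
# Inventory of scripts authorized to run on the payment page (Requirement 6 bullet).
AUTHORIZED_SCRIPTS = {"/static/checkout.js", "https://js.psp.example/v1/fields.js"}
# Headers that legitimately differ on every response and must not raise alerts.
VOLATILE_HEADERS = {"date", "set-cookie", "expires", "etag", "last-modified", "age"}


class ScriptCollector(HTMLParser):
    """Collects external script sources and counts inline script blocks."""

    def __init__(self):
        super().__init__()
        self.srcs = []
        self.inline = 0
        self._in_inline_script = False

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            src = dict(attrs).get("src")
            if src:
                self.srcs.append(src)
            else:
                self._in_inline_script = True

    def handle_data(self, data):
        if self._in_inline_script and data.strip():
            self.inline += 1

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_inline_script = False


def snapshot(headers: dict, body: str) -> dict:
    """Normalize a captured response into the values that are compared over time."""
    stable = {k.lower(): v for k, v in headers.items() if k.lower() not in VOLATILE_HEADERS}
    parser = ScriptCollector()
    parser.feed(body)
    return {
        "headers_sha256": hashlib.sha256(json.dumps(stable, sort_keys=True).encode()).hexdigest(),
        "body_sha256": hashlib.sha256(body.encode()).hexdigest(),
        "scripts": sorted(parser.srcs),
        "inline_scripts": parser.inline,
    }


def detect_changes(baseline: dict, observed: dict) -> list:
    """Return alert strings; an empty list means the page matches the baseline."""
    alerts = []
    if observed["headers_sha256"] != baseline["headers_sha256"]:
        alerts.append("http headers changed")
    if observed["body_sha256"] != baseline["body_sha256"]:
        alerts.append("page content changed")
    for src in observed["scripts"]:
        if src not in AUTHORIZED_SCRIPTS:
            alerts.append(f"unauthorized script loaded: {src}")
        elif src not in baseline["scripts"]:
            alerts.append(f"authorized script newly loaded: {src}")
    for src in baseline["scripts"]:
        if src not in observed["scripts"]:
            alerts.append(f"script missing: {src}")
    if observed["inline_scripts"] != baseline["inline_scripts"]:
        alerts.append("inline script count changed")
    return alerts


if __name__ == "__main__":
    base = snapshot(BASELINE_HEADERS, BASELINE_BODY)
    later = snapshot({**BASELINE_HEADERS, "Date": "Tue, 05 Apr 2022 09:00:00 GMT"}, BASELINE_BODY)
    print("routine re-check:", detect_changes(base, later) or "no change")
    tampered = BASELINE_BODY.replace(
        "</body>", '<script src="https://third-party.example/unexpected.js"></script></body>'
    )
    print("tampered page:", detect_changes(base, snapshot(BASELINE_HEADERS, tampered)))
```

Any change to the body hash is reported, including planned deployments; the script-inventory check is what separates an authorized release from an unexpected load, which is why the Requirement 6 inventory has to be maintained before the Requirement 11 alerting is useful. The capture itself must be taken from the consumer side of the path (for example a synthetic browser), since a server-side copy would miss modifications made in transit or by a compromised third-party script host.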
Requirement 12 - Support Information Security with Organizational Policies and Programs
- Perform a targeted risk analysis for any PCI DSS requirement that provides flexibility for how frequently it is performed.
- Document and review cryptographic cipher suites and protocols in use at least once every 12 months.
- Review hardware and software technologies in use at least once every 12 months.
- Document and confirm PCI DSS scope at least every 12 months and upon significant change to the in-scope environment.
- Documented review of the impact to PCI DSS scope and applicability of controls upon significant changes to organizational structure.
- Review and update (as needed) the security awareness program at least once every 12 months.
- Security awareness training to include awareness of threats and vulnerabilities that could impact the security of the CDE.
- Security awareness training to include awareness about the acceptable use of end-user technologies.
- * Support customers' requests for information to meet Requirements 12.8.4 and 12.8.5.
- Perform a targeted risk analysis to define the frequency of periodic training for incident response personnel.
- Requirement for incident response procedures to be in place and initiated upon detection of stored PAN anywhere it is not expected.
* – For Service Providers Only