Goodbye PCI DSS 3.2.1. Hello PCI DSS 4.0: 12 Key Changes! 

As of March 31, 2024, PCI DSS 3.2.1 has been retired—and businesses who process credit card transactions will have until March 31, 2025 to achieve full PCI DSS compliance with the new version 4.0. This update introduces around 60 new requirements. (Click here for Summary of Changes from PCI DSS v3.2.1 to v4.0.) To highlight what you need to know right away, this blog focuses on several key changes or new requirements that were added in PCI DSS v4.0.

What is the PCI DSS—and why did it change? 

Created in 2004 by Visa, Mastercard, Discover, JCB and American Express, the Payment Card Industry Security Standards Council (PCI SSC) developed guidelines to be followed by all businesses that: 

1. Process three or more transactions per month. 
2. Use third-party payment processing. 
3. Pass credit card data through servers (even if they don’t store said credit card data). 

The cybersecurity threatscape was very different in 2018 when the PCI last updated its compliance standards. From 2018 through 2023, there were more than 22,000 data breaches reported in the U.S., impacting nearly 14 billion records, according to The Privacy Rights Clearinghouse. Eight of the top ten most numerous breaches were reported by financial institutions—including 57 attacks at credit card powerhouse Capital One and 49 at Discover Financial Services.  

On top of that, threat actors have gotten more innovative and disruptive—and have broadened their targets to include small businesses and ecommerce sites.  

Working with global industry feedback, two of the key goals the PCI established for developing version 4.0 of the standard included meeting the current security needs of the industry and promoting security as a continuous process. Here are 12 of the major changes enacted to help the PCI—and you—achieve success at meeting these goals. 

Cybersecurity today requires an understanding that, although technology has evolved immensely, humans remain both the weakest link and the strongest opportunity for preventing security breaches. One employee clicking on a single phishing email can unleash a system-wide cyber attack (even affecting third parties). 

Meeting the current security needs of the payments industry

To that end, PCI DSS 4.0 places a high emphasis on multi-factor authentication (MFA). As Microsoft points out, studies have found that properly implemented multi-factor authentication can prevent 99.9% of account compromise attacks. Here’s some of what’s new: 

1. MFA for all CDE access. PCI DSS 4.0 has a newly clarified requirement for MFA to be used for all access into the cardholder data environment (CDE). This is in addition to the existing MFA requirement for remote access from outside your entity’s network. Furthermore, PCI DSS 4.0 now has new requirements for you to make sure your multi-factor authentication systems are implemented properly.  

2. Longer passwords. Because the computing power of threat actors has advanced, password requirements have also changed. So, the PCI DSS version 4 has increased the password length from 7 to 12 characters.  

3. No MFA? Change every 90 days. Just as in version 3.2.1, your organization’s stakeholders must also change passwords every 90 days, to prevent formerly breached passwords from permitting access. However, this 90-day requirement to change passwords will only apply to those systems that don’t fall under the MFA requirement—for example systems that are not within the cardholder data environment but are still in scope for assessment. If MFA is implemented, this 90-day requirement is not applicable.  

4. Patch medium, low, and informational risk vulnerabilities, too. Because major cyber attacks can come from multiple, smaller vulnerabilities rather than just a single exploit, PCI DSS 4.0 wants to make sure you’re addressing any threat exposure that you have in your environment, no matter how minor it may seem. 

5. Automatic scanning of any inserted/mounted devices. Preventing malware is a major focus of version 4.0. Addressing this means ensuring that you have a process for automatically scanning BYOD (bring your own device) items like USB sticks as soon as they are locally connected to your system.

6. Anti-skimmer protections. To guard against criminals installing data skimmers on ecommerce systems, PCI DSS 4.0 added a requirement for merchants to manage all payment page scripts that are loaded and executed in the consumer’s browser. Secondly, merchants are required to deploy a mechanism that detects unauthorized changes or indicators of malicious script activity on a payment page while it’s being constructed in the consumer’s browser.

7. Annual staff training in cybersecurity. The PCI DSS 4.0 also mandates that you must train your staff at least annually for cyber security awareness. The new guidelines also spell out in detail the types of topics that training needs to cover—particularly phishing and social engineering. 

As part of the effort to make the guidelines more current with today’s threats, you may also notice that some of the language has changed. For example, what v3.2.1 called “anti-virus” is now called “anti-malware”. 

Promoting security as a continuous process 

The PCI DSS 4.0 standards drive home the fact that security is not a point-in-time or once a year activity. To ensure that organizations treat security as an ongoing, continuous process, version 4.0 offers new guidelines like these: 

8. Roles and responsibilities. The new version adds and spells out new requirements for roles and responsibilities for each of the major requirements. 
   
9. Implementation guidance. Version 4.0 also includes further information and instructions on how organizations (and their employees) can better implement and maintain secure systems. For example, regarding malware assessments, the PCI DSS 4.0 mandates:
   • Keeping the malware solution current via automatic updates 
   • Performing periodic scans and active or real-time scans (with a new option for continuous behavioral analysis), and 
   • Generation of audit logs by the malware solution. 
     
10. Continuous controls monitoring advised. To maximize the protection of credit card transaction data, PCI DSS v4.0 is designed to support long-term security as a continuous process. (Incidentally, this is an area where RegScale can help with the process—with our continuous controls monitoring platform.)
     
11. Reporting response and remediation. PCI DSS v4.0 also added a new reporting response to validate and align the Report on Compliance or the Self-Assessment Questionnaires with the information summarized in an Attestation of Compliance. This includes a new requirement for the implementation of processes and mechanisms for reporting and addressing suspected or confirmed security incidents and vulnerabilities. 
     
    While v4.0 requires less detailed reporting for each requirement, it places more reliance on evidence and granularity. You’re also given more flexibility in the structure of the report document, so you can better focus and customize the reports for your intended audience.   
     
    RegScale supports the PCI DSS Version 4.0 as a catalog within our platform—with automated tools/wizards for building compliant assessment programs. This includes support for tracking policies, related assessments, evidence collection, issues management/performance improvement, and other related workflows. 
    
12. Third party risk management. To reinforce the understanding that outsourcing does not eliminate the need for continuous security, version 4.0 provides an abundance of advice about relationships between entities and their third-party service providers. 

The clock is ticking on compliance

These are just a dozen of the major changes that are now in effect with PCI DSS v4.0. There are about 60 in total—which include hundreds of sub requirements—all of which will demand full compliance by March 31, 2025.
 
Furthermore, if you’re considering having an assessment done, it’s important to know that any assessor must now be trained in PCI DSS 4 before they perform an official assessment. One way to verify if your assessor has been trained in version 4 is to check the PCI’s current listing of Qualified Security Assessors.  
 
If you haven’t already started your compliance process by now, this is a good time to begin. We can make it easier. RegScale supports PCI DSS 4.0, and you can find our free tools including the Payment Card Industry (PCI) Data Security Standard (DSS) 4.0 catalog available from our Catalogs and Profiles page.