PCI DSS v4.0: The new standard for payment security

Visit BSI's Experts Corner: Home for insights from BSI’s practice directors and industry experts on digital trust, environmental, health, safety, security, and sustainability.

April 2, 2024 - PCI DSS v3.2.1 was recently retired and replaced by v4.0 on April 1, 2024. This new version brings important changes that all merchants and service providers handling payment card data need to be aware of and plan for to meet compliance obligations.

Many of the new requirements are considered best practice until March 31, 2025, after which they become mandatory. The message is clear: start planning now so that all requirements are implemented and compliant before these future-dated requirements take effect.

What is PCI DSS?

PCI DSS is a global standard developed by the card schemes (e.g., Visa, Mastercard) and a body of industry experts to ensure secure card payments. The set of security controls covers the fundamental aspects of information security and extends through the people, processes, and technologies involved in payment card processing systems.

Any entity that stores, processes, or transmits payment card data has an obligation to be compliant with PCI DSS. The standard also applies to entities that may impact the security of a credit card processing environment, such as cloud service providers, payment gateways, and managed service providers.

What does v4.0 address?

The standard aims to address new risks and attack methods that have arisen from new technologies used within payment systems. The updates:

  • Provide increased flexibility using different methods to achieve security objectives.
  • Support security needs based on evolving threats.
  • Promote security as a continuous service.
  • Include enhanced compliance-validation methods and procedures.

Here are several significant updates in v4.0 to be aware of:

  • A customised approach: A new reporting method to test and validate requirements based on meeting security objectives rather than prescriptive controls.
  • Roles and responsibilities: Defined for each requirement to promote security as a continuous process, ensuring that tasks are assigned and managed effectively.
  • Scope documentation: Scoping documentation was always needed to support assessments, but detailed artefacts are now required and must be reviewed at least annually by merchants and every six months by service providers.
  • Targeted risk analysis: Defines the frequency of certain compliance activities based on the level of risk, for example periodic malware scans, reviews of application and system accounts, point-of-interaction (POI) device inspections, log reviews, vulnerability management, and integrity checking on payment pages.
  • Stronger multi-factor authentication (MFA) requirements: MFA will be required for all access into the cardholder data environment (CDE), not just administrative access, strengthening protection against unauthorised access.
  • New e-commerce and phishing requirements to address ongoing threats: Integrity checking of payment page scripts and a ‘duty of care’ for email systems against phishing.
  • Better encryption and key management: Requires strong cryptographic keys, keyed cryptographic hashes where hashing is used to render stored PAN unreadable, inventories of cryptographic keys and certificates, and separate key-management procedures.
  • Enhanced logging and monitoring: More extensive logging of activity and access, with alerting across environments, and automated log review for better detection of anomalies and suspicious activity.
  • Improved IAM and password security: Stronger password requirements and policies to protect against brute-force attacks, and a renewed focus on system and application accounts, especially those with interactive login capability.
  • Authenticated internal vulnerability scans: Authenticated scans typically surface additional findings, so planning and scoping are needed to ensure they can be remediated in time for assessment.
  • Vulnerability management: Remediation of all identified vulnerabilities, not only those classified as critical or high.
  • Incident response: Procedures must now cover events such as detection of PAN where it is not expected and unauthorised modifications to payment pages.
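The payment page integrity requirement above (and the incident-response trigger for payment page modifications) is easiest to understand as an inventory of approved scripts with their Subresource Integrity digests, checked against what the page actually serves. The following is an added example, not code from BSI or from the standard; the script URLs and script bodies are constructed for illustration.

```python
import base64
import hashlib


def sri_digest(content: bytes, algorithm: str = "sha384") -> str:
    """Return a Subresource Integrity value ("<alg>-<base64 digest>") for script bytes.

    The same value is what a browser verifies when a <script> tag carries an
    integrity attribute, so one inventory serves both enforcement and detection.
    """
    digest = hashlib.new(algorithm, content).digest()
    return f"{algorithm}-{base64.b64encode(digest).decode('ascii')}"


def script_tag(url: str, integrity: str) -> str:
    """Render the <script> tag a payment page would use to pin an approved script."""
    return f'<script src="{url}" integrity="{integrity}" crossorigin="anonymous"></script>'


def check_payment_page_scripts(observed: dict, inventory: dict) -> dict:
    """Compare the scripts observed on a payment page with the authorised inventory.

    observed  maps script URL -> bytes actually served (e.g. from a periodic crawl)
    inventory maps script URL -> approved SRI digest recorded at change-control time
    Returns three lists: 'modified' (digest mismatch), 'unauthorized' (URL not in
    the inventory) and 'missing' (inventoried script no longer present).
    """
    findings = {"modified": [], "unauthorized": [], "missing": []}
    for url, content in observed.items():
        expected = inventory.get(url)
        if expected is None:
            findings["unauthorized"].append(url)
            continue
        algorithm = expected.split("-", 1)[0]
        if sri_digest(content, algorithm) != expected:
            findings["modified"].append(url)
    for url in inventory:
        if url not in observed:
            findings["missing"].append(url)
    return findings


# Constructed example: approved script bodies for two hypothetical URLs.
APPROVED_SCRIPTS = {
    "https://shop.example/static/checkout.js": b"window.checkout = function () { /* approved build 42 */ };",
    "https://pay.example/sdk/v2/tokenize.js": b"window.tokenize = function (pan) { /* vendor SDK 2.0 */ };",
}
# The inventory is taken at approval time and stored with the change record.
INVENTORY = {url: sri_digest(body) for url, body in APPROVED_SCRIPTS.items()}


def demo_findings() -> dict:
    """Simulate a later crawl: one script altered, one new script, one script gone."""
    observed = {
        "https://shop.example/static/checkout.js":
            APPROVED_SCRIPTS["https://shop.example/static/checkout.js"] + b"\n// edited outside change control",
        "https://cdn.example/analytics.js": b"/* script not in the approved inventory */",
    }
    return check_payment_page_scripts(observed, INVENTORY)


if __name__ == "__main__":
    for url, integrity in INVENTORY.items():
        print(script_tag(url, integrity))
    print(demo_findings())
```

Each of the three finding types maps to a different response: a modified or unauthorised script is an incident-response trigger, while a missing script usually indicates an unrecorded change that still has to go through change control and be re-approved.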

These updates take a more data-centric approach to safeguarding sensitive cardholder data. For merchants and service providers, this means the new standard will require additional planning, technical solutions, resources, and budget to meet compliance.
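The data-centric controls listed above, keyed hashes for stored PAN, automated log review, and incident response to PAN turning up where it is not expected, come together in a small log scanner. The following is an added example, not code from BSI or from the standard: the log lines, the HMAC key and the masking format are constructed for illustration, and the two card numbers are the card brands' published test PANs rather than live accounts.

```python
import hashlib
import hmac
import re

# Constructed sample log lines. The two card numbers are the card brands'
# published test PANs (not live accounts); the 16-digit order id is a value
# that looks like a PAN but fails the Luhn check and must not be reported.
SAMPLE_LOG = [
    "2024-04-02T10:15:01Z INFO checkout order=1234567890123456 amount=49.99 status=ok",
    "2024-04-02T10:15:03Z DEBUG gateway request pan=4111111111111111 exp=12/26",
    "2024-04-02T10:15:04Z WARN retry for card 5555 5555 5555 4444 declined",
    "2024-04-02T10:15:05Z INFO session=9f3a2b user=alice logged in",
]

# Hypothetical key for the keyed hash. In production it comes from the
# key-management process the standard requires, never from source code.
HMAC_KEY = b"constructed-example-key-do-not-use"

# 13 to 19 digits, optionally separated by single spaces or hyphens,
# and not embedded in a longer run of digits.
CANDIDATE_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn (mod 10) check used by the card brands; filters most non-PAN digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep at most the first six and last four digits, the common masked display form."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def pan_reference(pan: str, key: bytes) -> str:
    """Keyed hash (HMAC-SHA-256) of the PAN.

    Unlike a plain SHA-256 of the PAN, the value cannot be matched against
    candidate PANs by anyone without the key, yet it still lets an incident
    record correlate repeated exposures of the same card.
    """
    return hmac.new(key, pan.encode("ascii"), hashlib.sha256).hexdigest()


def find_pans(lines, key: bytes) -> list:
    """Scan log lines and return findings that never contain the clear-text PAN."""
    findings = []
    for lineno, line in enumerate(lines, start=1):
        for match in CANDIDATE_RE.finditer(line):
            digits = re.sub(r"[ -]", "", match.group())
            if 13 <= len(digits) <= 19 and luhn_valid(digits):
                findings.append({
                    "line": lineno,
                    "masked": mask_pan(digits),
                    "ref": pan_reference(digits, key),
                })
    return findings


if __name__ == "__main__":
    for f in find_pans(SAMPLE_LOG, HMAC_KEY):
        print(f"line {f['line']}: PAN {f['masked']} ref={f['ref'][:16]}...")
```

The scanner reports only the masked PAN and its keyed reference, so the alert and ticket it feeds do not themselves become new stores of cardholder data; the order id on the first line is correctly ignored because it fails the Luhn check.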

Committing to security

Adopting PCI DSS v4.0 demonstrates a continued commitment to data security. By making the transition and meeting updated industry standards, you maintain trust and confidence with customers and meet applicable obligations.

Prioritizing payment card protections also reduces the risk of financial and reputational damage from breaches and noncompliance fines. It is also important to confirm the validation and attestation procedures that apply to you, which may include new questionnaire submissions or revisions to internal policies and procedures.

Download PCI DSS v4.0 at a glance. Read more from our digital trust experts in NIST Cybersecurity Framework: What's new in v2.0 by John Kociak and Defending against AI’s dark side by Terry Minford.
