Five things you didn’t know about PCI DSS 4.0
1. PCI SSC, card brands and the payments industry collaborated
The published version of PCI DSS 4.0 was developed through a global collaboration between the PCI Security Standards Council (PCI SSC), the card brands and the payments industry. The updated standard incorporates feedback from over 200 companies around the world. According to the PCI SSC, it received over 6,000 items of feedback during the three rounds of community review held since the initial draft was released for review in 2019; revised drafts of PCI DSS 4.0 were released for review in 2020 and 2021.
The last full version release of the PCI DSS was in November 2013, when PCI DSS v3.0 was published. Iterative updates to v3.0 followed in April 2015 (v3.1), April 2016 (v3.2) and May 2018 (v3.2.1).
2. Looking to the future
PCI DSS 4.0 introduces 47 future-dated controls, with a further four in Appendix A. The largest number of new requirements can be found in Requirement 12, Requirement 8 and Requirement 3. Among the most significant of these are:
- For multifactor authentication (MFA) to be used for all access to the cardholder data environment (CDE).
- The prevention of copying and relocation of account data when it is accessed via remote-access technologies.
- A targeted risk analysis for all PCI DSS controls that can be met with flexible testing frequencies, such as the periodic reevaluation of systems not commonly affected by malware.
3. No time to waste
There are 13 new controls that need to be in place before an organization’s first PCI DSS 4.0 assessment. Documented roles and responsibilities now form part of each requirement, and account for 11 of these.
In addition, organizations will need to perform periodic scope validation every 3, 6 or 12 months. Appendix A3 of PCI DSS 4.0 requires a data discovery methodology for scope validation; a data discovery tool such as Card Recon can automate this process.
Organizations using the Customized Approach will also need to complete a targeted risk analysis for each control they meet that way.
4. Non-compliance exposed
The PCI DSS 4.0 Report on Compliance introduces a new category of assessment finding, ‘In place with remediation’. It allows assessors to report controls that were not in place at the start of the assessment but that were addressed before the assessment concluded.
This helps to identify those controls that organizations struggle to maintain consistently, as well as highlighting those that have successfully embedded compliance as business-as-usual. The lessons learned from this new assessment finding will help to inform the standard and guidance as part of the continuous improvement process adopted by the PCI SSC and the card brands for account data security.
5. Discovery for compliance
Data discovery directly supports 27 PCI DSS 4.0 controls, including those related to scope validation, compliant account data processing and incident response. Frequent data discovery scans can therefore be used to verify compliance across multiple requirements in PCI DSS 4.0.
While data discovery has commonly been used for initial scoping, PCI DSS 4.0 requires periodic verification of scope every 3, 6 or 12 months, depending on the type of organization and whether it is required to report against PCI DSS Appendix A3: Designated Entities Supplemental Validation (DESV). The same data discovery exercise supports controls in Requirement 1, by verifying the boundaries of the CDE, and confirms that cardholder data is processed in line with controls in Requirements 3 and 6. PCI DSS 4.0 also introduces a specific incident response requirement for when account data is found anywhere it is not expected, making data discovery a good investment for any PCI DSS compliance strategy.
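To make concrete what the scope-validation scans in sections 3 and 5 actually do, here is an added example of a minimal PAN discovery scanner. It is illustrative code written for this post, not code from the original post or from the Card Recon product named above. It assumes constructed sample files (embedded inline as a dictionary, not real data) and uses the standard candidate test: a run of 13 to 19 digits, optionally separated by single spaces or hyphens, that passes the Luhn check and is not a repeated single digit. Findings are reported with the PAN masked to its last four digits so the discovery report itself does not become a new place where account data is stored.

```python
import re
from dataclasses import dataclass

# Candidate PAN: 13-19 digits, optionally separated by single spaces or hyphens,
# and not embedded in a longer run of digits (a 20-digit string is not a PAN).
CANDIDATE_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn (mod 10) check."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def looks_like_pan(digits: str) -> bool:
    """Length, repeated-digit and Luhn filters applied to a separator-free digit string."""
    if not 13 <= len(digits) <= 19:
        return False
    if len(set(digits)) == 1:   # e.g. 0000000000000000 passes Luhn but is a placeholder
        return False
    return luhn_valid(digits)


def mask_pan(digits: str) -> str:
    """Keep only the last four digits so the report does not itself hold a PAN."""
    return "*" * (len(digits) - 4) + digits[-4:]


@dataclass(frozen=True)
class Finding:
    path: str
    line_no: int
    masked_pan: str


def scan_text(path: str, text: str) -> list[Finding]:
    """Scan one file's text and return every line/position holding a likely PAN."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for match in CANDIDATE_RE.finditer(line):
            digits = re.sub(r"[ -]", "", match.group(0))
            if looks_like_pan(digits):
                findings.append(Finding(path, line_no, mask_pan(digits)))
    return findings


def scan_files(files: dict[str, str]) -> list[Finding]:
    """Scan a mapping of path -> file content (stands in for walking a filesystem)."""
    out = []
    for path, text in files.items():
        out.extend(scan_text(path, text))
    return out


# Constructed sample files (not real data). Only the first two hold a genuine PAN;
# the third holds look-alikes that a naive digit regex would flag.
SAMPLE_FILES = {
    "web/orders.log": "2024-01-15 order=1001 pan=4111111111111111 status=approved\n",
    "backup/customers.csv": "name,card,expiry\nAlice,5555 5555 5555 4444,2026-12\n",
    "tmp/debug.txt": (
        "ref 20230115123045 ok\n"                  # 14 digits, fails Luhn
        "card 4111111111111112 declined\n"         # fails Luhn
        "placeholder 0000000000000000\n"           # passes Luhn, repeated digit
    ),
}

if __name__ == "__main__":
    for f in scan_files(SAMPLE_FILES):
        print(f"{f.path}:{f.line_no}: {f.masked_pan}")
```

In practice the same loop would walk file shares, database exports and log directories in and around the CDE; any hit outside the documented scope is exactly the "account data found where it is not expected" event that triggers the new incident response requirement, and a hit inside scope on a system not documented as storing account data is a scope-validation finding in its own right.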