PCI DSS v4.0.1 — what you need to know
On June 11, 2024, the PCI Security Standards Council (PCI SSC) released an updated version of the Payment Card Industry Data Security Standard (PCI DSS).
PCI DSS v4.0.1 was mentioned briefly in an Assessor newsletter in late 2023 and discussed at the 2023 PCI SSC Community Meetings, promising its release in the first half of 2024.
What you need to know
According to the PCI SSC, this update “includes corrections to formatting and typographical errors and clarifies the focus and intent of some of the requirements and guidance.” Most importantly, the PCI SSC has stressed that “There are no additional or deleted requirements in this latest update.”
The new version of the standard is available now and effective immediately. PCI DSS v4.0 will be retired on December 31, 2024.
The most significant changes you should know about are detailed below.
Control Clarifications
These are minor changes that affect control requirements defined in PCI DSS v4.0.1.
- The control wording for Requirement 6.3.3 has been reverted to the PCI DSS v3.2.1 wording: patches/updates for critical vulnerabilities are to be installed within one month of release.
Updated Applicability Notes
These updates clarify how controls apply to specific types of organizations.
- Requirement 3.3.1 has been updated to clarify that issuers and companies that support issuing services are not required to meet this control where there is a “legitimate and documented need to store SAD [sensitive authentication data].”
- Requirement 6.4.3 clarifies that the control applies to scripts loaded from an organization’s webpage, including those from third and fourth parties such as embedded payment pages or forms. Scripts in any hosted payment page/form managed by third-party service providers (TPSPs) or payment processors are the responsibility of the third party.
- Requirement 8.4.2 confirms that multi-factor authentication (MFA) for non-console access to the cardholder data environment (CDE) does not apply to user accounts that are “only authenticated with phishing-resistant authentication factors.” This exception has been added alongside the existing ones for application or system accounts performing automated functions and for Point-of-Sale (POS) terminal user accounts with access to only one card number at a time.
- Requirements 12.8.2 and 12.9.1 have been updated to clarify TPSP responsibility for a customer’s PCI DSS compliance and the acknowledgement of those responsibilities, and to make clear that TPSP evidence of compliance is separate from their obligation to provide a written acknowledgement of their responsibilities.
Updates Affecting the Customized Approach
These changes apply only to organizations using the Customized Approach and associated resources for the affected controls.
- Requirement 3.5.1.1 now has a Customized Approach Objective — missing in the previous version of the standard — which states that “Cleartext PAN cannot be determined from the hashes of the PAN.”
Using Data Discovery to streamline PCI DSS Compliance
While data discovery has often been considered a one-off exercise as part of a new PCI DSS program, the changes in PCI DSS v4.x mean that it is now a fundamental element of compliance.
Purpose-built discovery solutions, like Ground Labs’ Enterprise Recon, not only identify cardholder data wherever it is stored but also provide remediation options to address unexpected data stores and unauthorized repositories. Their role extends beyond scoping, supporting up to 27 controls across the standard as well as data security for privacy compliance and other cybersecurity initiatives.
To learn how Enterprise Recon can support your PCI DSS compliance efforts, download your free copy of our e-book, or book a call with one of our experts today.