Blog Post
A Guide to PCI DSS v4.0 Compliance for Merchants
This article is a merchant’s guide to PCI DSS v4.0, explaining where the PCI DSS has come from, what’s new in the latest version of the standard and the steps merchants can take towards PCI DSS v4.0 compliance today.
The Payment Card Industry Data Security Standard (PCI DSS) is a globally recognized security standard designed to protect payment card data and reduce fraud. While not a legal or regulatory requirement, PCI DSS is a contractual obligation for all organizations that handle payment account data. The standard provides a minimum set of requirements necessary for the security of card payments at each stage of the payments process.
PCI DSS v4.0 is the latest evolution of the card data security standard that has revolutionized the payments industry. Coming into force from March 31, this update introduces some big changes for merchants including enhanced authentication requirements for all user access to card data environments (CDE).
Introducing PCI DSS v4.0 — What You Need to Know
The Payment Card Industry Data Security Standard (PCI DSS) sets strict standards for cybersecurity that merchants must meet. The controls a merchant needs to satisfy and how they can compliance depends on their payment channels (how they process payments, e.g. online, via telephone or in-store) and the volume of transactions they process each year. These criteria are used by the acquiring banks to establish each merchant’s “level” for PCI DSS v4.0 compliance. The different merchant levels are defined by the card brands, for example Mastercard and Visa.
New Technical Security Requirements
PCI DSS v4.0 is the most significant update to the standard since v2.0 was released in 2010. The latest changes introduce 52 new controls for merchants, five of which can be directly supported with periodic data discovery scanning. With advanced discovery solutions, remediation-in-place capabilities may help to address issues of non-compliance when these occur, as we’ll explain shortly.
New Scope Revalidation Obligations
Under the new standard, merchants are required to revalidate their PCI DSS scope every twelve months (12.5.2). For merchants assessed using Designated Entity Supplementary Validation (DESV) controls, this is required every three months.
While scoping has always been a pre-requisite for compliance and annual assessment, this is the first time it has been formalized in the requirements.
Evidence-based data discovery solutions, such as Enterprise Recon, simplify the scope validation process by identifying and verifying:
- All locations of stored account data — advanced discovery tools use context-defined pattern matching to identify data wherever it is stored across on-premise and cloud-based environments. The ability to uncover hidden stores of payments information is crucial to PCI DSS compliance. The latest version of the standard also requires organizations to be able to identify and respond to any unauthorized locations of data, which can be achieved through periodic data discovery scanning.
- Network boundaries of the cardholder data environment (CDE) — Using discovery scanning tools enables organizations to verify the boundaries of their CDE, by confirming that all data stores are located within the defined environment. Discovery scanning that can identify data in volatile memory can also help validate that temporary processing environments are also located within scope boundaries.
- All in-scope assets — using the results of discovery scanning, organizations can verify their in-scope assets based on the locations of account data and data flows, following PCI DSS scoping guidelines.
Using Data Discovery for Compliance
While many payment solutions remove data from merchant environments, card data storage remains prevalent, particularly in larger organizations. Even where there is no card data storage, up to 14 controls are supported by periodic data discovery scanning.
Merchants must particularly be aware of the new incident response control 12.10.7. requiring organizations to have an incident response plan for account data identified in unexpected locations. As part of this plan, organizations need to be able to locate and remediate this data quickly. Advanced discovery solutions such as Ground Labs Enterprise Recon PCI support remediation-in-place for data found outside authorized and in-scope systems.
Merchants eligible for self-assessment also have compliance obligations that may benefit from periodic data discovery scanning.
| SAQ Type | Data Discovery | |
|---|---|---|
| SAQ A | Yes | Verifying no cardholder data is stored in merchant systems, including on web servers |
| SAQ A-EP | Yes | Validating network boundaries, verifying no cardholder data is stored, confirming no live PAN present in non-production environments |
| SAQ B | n/a | |
| SAQ B-IP | Yes | Verifying no cardholder data is stored in merchant systems, including on terminal-connected devices |
| SAQ C | Yes | Verifying no cardholder data is stored in merchant systems, including on terminal-connected devices |
| SAQ C-VT | n/a | |
| SAQ D | Yes | Validating network boundaries, verifying cardholder data is stored only in authorized locations, confirming no live PAN present in non-production environments, supporting incident response for data in unexpected locations |
| SAQ P2PE | Yes | Verifying no cardholder data is stored in any systems outside the authorized P2PE solution |
In total, for merchants, data discovery scanning can support up to 22 PCI DSS v4.0 controls and sub-controls across four requirements and appendices of the standard, from scope revalidation to incident response. This includes five of the new controls introduced in PCI DSS v4.0.
| Requirement 1: Install and maintain network security controls | |
| 1.2.3. 1.2.4. | Data discovery scanning can be used to validate the network boundaries of the CDE, as well as demonstrating that data flows map account data accurately. |
| Requirement 3: Protect stored account data | |
| 3.2.1. 3.3.1. 3.3.2. 3.4.2. | Data discovery scanning identifies any cardholder data including sensitive authentication data wherever it is stored. Periodic discovery scanning can be used to confirm that data has been deleted when it has exceeded its retention period. Organizations that store sensitive authentication data must be able to verify that it is removed following authentication, or when no longer required. |
| Requirement 6: Develop and maintain secure systems and software | |
| 6.5.2. 6.5.5. | Verifying that a significant change has not impacted scope boundaries, and that CHD is not present in non-production environments is supported by data discovery scanning. |
| Requirement 12: Support information security with organizational policies and programs | |
| 12.4.2. 12.5.2. 12.10.7. | Data discovery scanning can be used to confirm that operational procedures involving cardholder data are being followed so CHD remains in the CDE. As part of periodic scope revalidation and following organizational change, data discovery scanning is essential to confirm in-scope systems, network boundaries, data flows and data repositories. Advanced discovery solutions support remediation-in-place for data found in unexpected locations. |
How to Prepare for PCI DSS v4.0
With time running out to comply, here are the five key steps to follow for PCI DSS v4.0 compliance.
- Start from what you know
Make sure you are compliant with PCI DSS 3.2.1.
While PCI DSS v4.0 introduces a number of changes, from a security perspective, most of these are an evolution of the previous version of the standard. If you’re compliant with v3.2.1., you will be well on your way to meeting the requirements of version 4.0.
- Uncover your unknown unknowns
Once you’re ready to migrate to PCI DSS v4.0, start with your scope. Revalidate your network boundaries and data storage locations. It may be beneficial to run a data discovery scan of all your network locations — including those outside your existing scope, email and cloud storage — to identify any ‘unknown unknowns’ or unexpected locations of account data.
- Mind the gaps
Now you’ve revalidated your scope and identified any unexpected locations of account data, complete a detailed gap analysis of your environment against the new version of the standard. If you are compliant with v3.2.1. you may be able to focus your gap assessment on the updated and new controls in PCI DSS v4.0 but be aware of any other control weaknesses you identify as you complete your review.
- Plan for compliance
With the findings from your gap analysis, establish a remediation plan — an action plan for addressing control gaps. Assign owners and set delivery dates for each action and prioritize those controls that present the greatest risk to your security. If you’re unsure how to prioritize your remediation plan, it might help to refer to the Prioritized Approach for PCI DSS v4.0 published by the PCI SSC.
- Sustain and maintain
The purpose of PCI DSS is not to be a point-in-time set of controls. The assessment is a periodic activity, but compliance is a continuous process. Aim to establish the operation, oversight and management of PCI DSS controls as business-as-usual processes and ensure that there are mechanisms in place to report any control failures or weaknesses as they are identified.
Ground Labs’ Data Discovery for PCI DSS Compliance
Card Recon Desktop and Server editions provide self-service discovery solutions designed for PCI DSS v4.0 compliance, to meet merchants’ needs whatever their size.
Ground Labs’ award-winning Enterprise Recon PCI is made for PCI DSS v4.0 compliance for larger organizations with complex technology environments. Enterprise Recon delivers comprehensive card data discovery and remediation-in-place capabilities across the broadest set of on-premises and cloud-based platforms.
To find out more, book a call with one of our experts today.
