PCI DSS v4.0 Released – What Changes Were Made?

Kyle Daun
Apr 4, 2022 2:15:00 PM

On January 1st, 2019, the Payment Card Industry Data Security Standard (PCI DSS) v3.2.1 came into effect replacing v3.2 which had been in place since October 31st, 2016. Many changes have occurred since January of 2019, one of which being the worldwide shut down in the first half of 2020. With this change, many organizations had to rethink their business structure and learn how to accommodate an entire remote workforce while still being able to operate and function as company. During this time, many organizations had to brainstorm new and creative ways to operate with an entirely remote workforce. As new security threats and vulnerabilities are discovered daily, changes to security assessment frameworks and controls need to evolve to account for these threats.

Last week, the PCI Security Standards Council (SSC) released PCI DSS v4.0, and with this release comes many changes (64 to be exact), although v4.0 is not required to be used until the retirement of v3.2.1 on March 31st, 2024. While two years seems like the distant future, organizations should begin to prepare for these changes now while the grace period is still in effect. When PCI v4.0 becomes active and v3.2.1 is no longer accepted to report cardholder data security compliance, the requirement of 13 controls will immediately take effect with the remaining 51 controls to be considered a best practice until March 31st, 2025, at which time they will become effective for all entities seeking PCI compliance.

One change to note is that there will be two approaches; “Defined” and “Customized” for implementing and validating to PCI DSS. Entities should identify the approach best suited to their security implementation and use that approach to validate the controls. PCI SSC defines the Defined and Customized Approaches as follows:

The Defined Approach follows the traditional method for implementing and validating PCI DSS and uses the Requirements and Testing Procedures defined within the standard. In the defined approach, the entity implements security controls to meet the stated requirements, and the assessor follows the defined testing procedures to verify that requirements have been met. The defined approach supports entities with controls in place that meet PCI DSS requirements as stated. This approach may also suit entities that want more direction about how to meet security objectives, as well as entities new to information security or PCI DSS.

The Customized Approach focuses on the “Objective” of each PCI DSS requirement, allowing entities to implement controls to meet the requirement’s stated Customized Approach Objective in a way that does not strictly follow the defined requirement. Because each customized implementation will be different, there are no defined testing procedures; the assessor is required to derive testing procedures that are appropriate to the specific implementation to validate that the implemented controls meet the stated Objective. The customized approach supports innovation in security practices, allowing entities greater flexibility to show how their current security controls meet PCI DSS objectives. This approach is intended for risk-mature entities that demonstrate a robust risk-management approach to security, including, but not limited to, a dedicated risk-management department or an organization-wide risk management approach.

The additional new requirements that will be in effect immediately for all v4.0 assessments are as follows:

Requirements 2.1.2, 3.1.2, 4.1.2, 5.1.2, 6.1.2, 7.1.2, 8.1.2, 9.1.2, 10.1.2, 11.1.2

Defined Approach Requirements - Roles and responsibilities for performing activities in the specific requirement are documented, assigned, and understood.

Customized Approach Objectives - Day-to-day responsibilities for performing all the activities in the specific requirement are allocated. Personnel are accountable for successful, continuous operation of these requirements.

Requirement 12.3.2 – Only applicable if using the Customized Approach Objectives

A targeted risk analysis is performed for each PCI DSS requirement that the entity meets with the customized approach, to include:

  • Documented evidence detailing each element specified in Appendix D: Customized Approach (including, at a minimum, a controls matrix and risk analysis)
  • Approval of documented evidence by senior management
  • Performance of the targeted analysis of risk at least once every 12 months

Requirement 12.5.2

Defined Approach Requirements - PCI DSS scope is documented and confirmed by the entity at least once every 12 months and upon significant change to the in-scope environment. At a minimum, the scoping validation includes:

  • Identifying all data flows for the various payment stages (for example, authorization, capture settlement, chargebacks, and refunds) and acceptance channels (for example, card-present, card-not-present, and e-commerce)
  • Updating all data-flow diagrams per Requirement 1.2.4
  • Identifying all locations where account data is stored, processed, and transmitted, including but not limited to:
    1. Any locations outside of the currently defined cardholder data environment (CDE)
    2. Applications that process cardholder data (CHD)
    3. Transmissions between systems and networks
    4. File backups
  • Identifying all system components in the CDE, connected to the CDE, or that could impact security of the CDE
  • Identifying all segmentation controls in use and the environment(s) from which the CDE is segmented, including justification for environments being out of scope
  • Identifying all connections from third-party entities with access to the CDE
  • Confirming that all identified data flows, account data, system components, segmentation controls, and connections from third parties with access to the CDE are included in scope

Customized Approach Objective - PCI DSS scope is verified periodically, and after significant changes, by comprehensive analysis and appropriate technical measures.

Requirement 12.9.2 - Additional requirement for Service Providers only

Defined Approach Requirements - Third Party Service Providers (TPSPs) support their customers’ requests for information to meet Requirements 12.8.4 and 12.8.5 by providing the following upon customer request:

  • PCI DSS compliance status information for any service the TPSP performs on behalf of customers (Requirement 12.8.4)
  • Information about which PCI DSS requirements are the responsibility of the TPSP and which are the responsibility of the customer, including any shared responsibilities (Requirement 12.8.5)

Customized Approach Objectives - TPSPs provide information as needed to support their customers’ PCI DSS compliance efforts.

Organizations should carefully review all the requirements in PCI DSS v4.0 with their Qualified Security Assessor (QSA) company and determine which approach is best suited for each requirement and their environment as soon as possible. Once decided, preparations for possible changes that will need to be made to documentation and/or processes should begin as soon as possible to adhere to the changes prior to March 31st, 2024. For organizations who are new to the PCI DSS compliance process, Compass IT Compliance can help! We have served as a trusted PCI QSA since 2010, and we offer a suite of customizable PCI DSS compliance services to assist organizations of any size and environment complexity. Contact us today to discuss your unique situation!

You May Also Like

These Stories on PCI Compliance

Subscribe by Email

No Comments Yet

Let us know what you think