The Countdown Begins: Steps to Embrace PCI-DSS v4.0 by 2024

Upcoming changes in the Payment Card Industry Data Security Standard (PCI-DSS) will place stricter security requirements on any businesses that handle cardholder data.

PCI DSS compliance is required for all merchants that accept credit card payments. All merchants need to meet minimum levels of security when they store, process, and transmit cardholder data. Organisations that handle a greater volume of transactions are subject to more stringent requirements, including a requirement for external security audits.

The Payment Card Industry Security Standards Council (PCI SSC) administers the standard, and the major credit card brands, including Visa and Mastercard, mandate its use.

A significant revision of the standard, PCI-DSS v4, aims to address emerging threats and the evolving security needs of the payment industry. The standard provides a baseline of technical and operational requirements that are collectively designed to protect account data.

PCI-DSS v4 is Coming

PCI DSS v4.0 consists of 12 requirements that are organised into six categories, including:

• Increased focus on security as a continuous process
• More flexibility in how organisations can achieve their security goals
• New requirements for service providers, including the use of multi-factor authentication and the implementation of a zero-trust architecture
• Revised requirements for software development, including secure coding practices and the use of automated tools for vulnerability scanning and penetration testing
• More stringent rules for password management, including the use of passphrases and the prohibition of certain types of passwords
• Encouraging more systematic and effective encryption, including supporting the introduction of quantum-safe cryptography

The 12 controls within PCI DSS 4.0 are primarily similar to version 3.2.1. PCI DSS v3.2.1 is being depreciated because it has failed to keep pace with both changes in the industry and cybercriminal tactics.

While earlier versions of the framework were prescriptive (deploy firewalls, apply anti-virus controls, etc.), PCI DSS 4.0 is geared towards supporting more comprehensive efforts by organisations to improve their security maturity.

Although some of the changes are evolutionary – such as changing the requirement for anti-virus software to an anti-malware solution or changing the networking requirements to reflect the difference between cloud and physical network architectures – others are more substantive. For example, organisations must deploy multi-factor authentication to access the cardholder data environment.

Recognising the increased threat of supply chain attacks, e-commerce merchants will also be asked to maintain a software inventory, including libraries and components. In addition, the framework requires protection against e-commerce skimming attacks by actively managing and detecting changes in JavaScript on the payment page.

PCI-DSS v4 also emphasises educating employees about security risks and best practices.

Luke Dash, CEO of ISMS.online, commented: “PCI compliance isn’t just a box to tick; it’s a commitment to your customers – a promise of security, transparency, and enduring business relationships.”

Joseph Carson, chief security scientist & advisory CISO at Delina, added: “PCI-DSS v4 has raised the bar and standards for cybersecurity in the payment cards industry, no longer being just a checkbox, but a continuous cybersecurity program.

Carson continued: “Strict controls related to access security, including multi-factor authentication, privileged access security, password security, and improved standards for phishing, imply that the upcoming PCI audit will be bigger than any previous audit. It will likely take much more preparation and resources to ensure the requirements are being met.”

PCI-DSS v4 Compliance Deadline

Organisations have until March 31, 2024, to transition from PCI DSS v3.2.1 to v4.0 – with an 18-month deadline of achieving full compliance by March 2025.

As previously reported, the new version of the standard places increased emphasis on securing e-commerce payment applications, protecting against Magecart-style attacks, and implementing secure coding practices.

The focus of the revised framework is on safeguarding transactions and building trust.

John Elliott, security advisor at security tools vendor Jscrambler, said: “The main challenge will be implementing the 51 new requirements that become effective in April 2025. Some of these may require a change in business processes and will require the acquisition of new technology or solutions.

“Some – like MFA [multi-factor authentication] for all access – you may already have implemented as part of your BAU [business as usual] security upgrades, but others, like the specific requirements to stop e-commerce skimming attacks, will take time and technology to satisfy,” Elliott added.

Richard Orange, VP EMEA of Exabeam, added: “The updated standard emphasises effective network segmentation. It encourages businesses to implement isolation measures to prevent the compromise of sensitive data and have a zero-trust approach to network security. Companies must follow secure coding guidelines, perform regular code reviews and vulnerability scans, and ensure secure application configuration.”

Managing PCI Compliance Projects

Proactive PCI-DSS v4 preparation will allow businesses plenty of time to resolve potential snags – avoiding the need for last-minute, expensive emergency fixes.

ISMS.online’s Dash commented: “Early PCI-DSS v4 preparation allows for staggered implementation, spreading out costs and reducing operational disruptions.”

Exabeam’s Orange commented: “Small businesses may find it challenging to comply with the more stringent requirements of PCI-DSS v4. The increased focus on encryption, network segmentation, and multi-factor authentication (MFA) may require additional investments in resources and technology, which could strain budgets, especially for companies that have already had to tighten their belts since the pandemic.

“In contrast, larger businesses with robust security measures may have an easier time adapting to the new changes,” he added.

Despite these challenges, “compliance with PCI-DSS v4 can enhance the overall security posture and reduce the risk of data breaches, leading to financial losses, reputational damage, and legal liabilities,” Exabeam’s Orange concluded.

Implementing the standard can also improve customer trust and confidence, demonstrating a commitment to protecting sensitive cardholder information.

Donnie MacColl, Senior Director, Technical Support and DPO, Fortra, a cybersecurity provider, explained that the changes that will come with PCI DSS v4 won’t impact all businesses in the same way.

“There are four distinct levels of compliance required by individual organisations, which are based on transaction volume over a 12-month period,” MacColl told ISMS.online.

For example, lower compliance level organisations (levels 2 – 4) do not need an external audit but can complete a self-assessment questionnaire instead. By contrast, if a business processes more than six million card transactions annually, it must demonstrate level 1 compliance, a process involving an external audit performed by a Qualified Security Assessor.

MacColl concluded: “Regardless of organisation size, transitioning effectively to PCI DSS 4.0 requires an approach that factors in technical and cultural changes. This isn’t a one-and-done type of effort. It will require a phased approach over time.”