Compliance with PCI Data Security Standard 4.0 is still mandatory by March 31, 2025!
PCI DSS 4.0 was released more than two years ago, replacing v3.2.1 and imposing 64 new requirements. Payment card industry members should be well on their way to implementing those new requirements prior to their next assessments.
Recently, the PCI Security Standards Council issued a minor update to v4.0, in the form of v4.0.1, to correct formatting and typographical errors in v4.0 and also clarify the focus and intent of some of the v4.0 security requirements.
It is important to understand four important facts about PCI DSS 4.0.1:
Just six months remain for payment card industry members to complete their adoption of v4.0 requirements, which are extensive, and conduct their next annual risk assessments against those requirements.
PCI DSS 4.0 was published on March 31, 2022, replacing the previous version (PCI DSS 3.2.1). As organizations began implementing requirements of the new version (v4.0), formatting and typographical errors became evident, and users were requesting clarity and providing helpful feedback. In response, the PCI Security Standards Council drafted a limited revision to v4.0. Below are key milestones in the development of v4.0.1.
Comment Period. According to the PCI Security Standards Council website, a review and comment period was open from December 2023 through January 2024. During this time, the PCI SSC Board of Advisors, Global Executive Assessor Roundtable, and Principal Participating Organizations (through the Technology Guidance Group) were invited to review and provide feedback on the proposed corrections and clarifications in v4.0.1.
Updating Reports and Templates. While the complete, official v4.0.1 standard is now available on the PCI Security Standards Council website, supporting documentation is still being updated to reflect v4.0.1 content. For example, templates for the PCI DSS v4.0.1 Report on Compliance (ROC) and Attestation of Compliance (AOC), along with the Self-Assessment Questionnaires (SAQs), are expected to be published this month (October 2024). The updated Prioritized Approach tool and other supporting documents are expected shortly thereafter.
Implementation. Compliance with PCI DSS 4.0.1 will be required by March 31, 2025. All organizations must have implemented the requirements of v4.0 by this date and demonstrate compliance with those requirements in their next risk assessments.
A complete Summary of Changes from PCI DSS 4.0 to PCI DSS 4.0.1, dated June 2024, is available on the PCI website. Below are highlights of the general changes.
Listed below are most of the changes made to v4.0 requirements by v4.0.1, to give you a sense of the limited scope and scale of this minor revision. For a complete listing, refer to the Summary of Changes from PCI DSS 4.0 to PCI DSS 4.0.1 on the PCI website. Because no changes were made to Requirements 2 and 7, they are not listed below.
Requirement 1 – Install and maintain network security controls
Requirement 3 – Protect stored account data (SAD)
Requirement 4 – Protect cardholder data with strong cryptography during transmission over open public networks
4.2.1 - Moved Applicability Note about receiving cardholder data through an unsolicited channel to a new sub-section in Section 4, Scope of PCI DSS Requirements. Removed sentence that covered self-signed certificates.
4.2.2 – Updated Good Practice regarding use of Acceptable Use Policies to manage end-user technologies.
Requirement 5 – Protect all systems and networks from malicious software
5.4.1 - Removed Applicability Note concerning automated mechanism to make it clear the requirement does apply to systems that provide the mechanism. (PCI DSS in general applies to systems that provide security services.)
Requirement 6 – Develop and maintain secure systems and software
6.3.1 - Clarified Applicability Note that requirement is in addition to performing vulnerability scans according to requirements 11.3.1 and 11.3.2.
6.3.3 - Reverted to PCI DSS 3.2.1 language that installing patches/updates within 30 days applies only for “critical vulnerabilities.” Removed language that the requirement applies to “high-security patches/updates.”
6.4.3 - Clarified that “An inventory of scripts is maintained with written business or technical justification as to why each is necessary.” Added Applicability Notes to clarify how the requirement for managing payment page scripts applies.
6.4.3 - Under Good Practice, added guidance that the entity should expect the TPSP/payment processor to provide evidence that it meets this requirement, where entity includes TPSP’s/payment processor’s embedded payment page/form on its webpage.
6.5.5 - Clarified, under Definitions, that live Primary Account Numbers (PANs) are those issued by, or on behalf of, a payment brand. Removed wording that live PANs have potential to be used for payment transactions.
Requirement 8 – Identify users and authenticate access to system components
General – Added italics to statement in Overview and Applicability Notes: “Certain requirements are not intended to apply to user accounts on point-of-sale terminals that have access to only one card number at a time to facilitate a single transaction” and removed a parenthetical example.
8.3.9 - Clarified Applicability Note that requirement does not apply to in-scope system components where MFA is used.
8.4.3 - Clarified this requirement applies to “remote access” (rather than the confusing term “remote network access”) and moved bullets about which types of remote access are included to an Applicability Note.
8.4.3 - Added “third parties” to testing procedure.
Requirement 9 – Restrict physical access to cardholder data
General - Added statement that each entity should identify sensitive areas within their environment to ensure appropriate physical security controls are implemented.
9.2.1 - Added Applicability Note that requirement does not apply to locations that are publicly accessible by consumers (cardholders).
9.3.4 - Clarified the requirement is for “visitor logs” rather than “a visitor log” and for “visitor activity both with the facility and within sensitive areas.”
Requirement 10 – Log and monitor all access to system components and cardholder data
10.4.1.1 - Added information about establishing a baseline of normal audit activity under Good Practice. Under Further Information, added reference to the Information Supplement: Effective Daily Log Monitoring.
Requirement 11 – Test security of systems and networks regularly
11.6.1 - Added guidance that entity should expect TPSP/payment processor to provide evidence that it meets this requirement, where the entity includes a TPSP’s/payment processor’s embedded payment page/form on its webpage.
Requirement 12 – Support information security with organization policies and programs
Appendices
Payment card industry members must implement the rigorous security requirements of PCI DSS 4.0, released in March 2022, prior to their next annual risk assessments. In June 2024, a minor update (v4.0.1) was released to correct formatting and typographical errors and clarify certain requirements. This limited revision did not add or delete any of the v4.0 requirements, nor did it change the compliance deadline.
The PCI Data Security Standard was developed to reduce vulnerabilities, strengthen security, and avoid costly data breaches within the payment card industry. Compliance is mandatory. Security executives owe it to their customers and other stakeholders to achieve full compliance with the new standard by March 31, 2025. With the deadline now just six months away, there’s not a moment to waste. (Schedule a PCI DSS 4.0 Gap Assessment)