ControlCase

IT Certifications, Continuous Compliance and Cybersecurity Services Provider

You are here: Home / Blog / PCI DSS v4.0
Download FREE PCI DSS v4.0 Cheat Sheet
PCI DSS v4.0 Cheat Sheet

PCI DSS v4.0

In March, 2022, the Payment Card Industry Security Standards Council announced a new version of the PCI DSS.
The previous version of the standard is PCI DSS v3.2.1, which has been in effect since May, 2018. Here is a quick version history of the standard:

  • PCI DSS v1 – Released December 2004
  • PCI DSS v1.1- Released September 2006
  • PCI DSS v1.2- Released October 2008
  • PCI DSS v2 – Released October 2010
  • PCI DSS v3 – Released November 2013
  • PCI DSS v3.1 – Released April 2015
  • PCI DSS v3.2.1 – Released May 2018
  • PCI DSS v4 – Released March 2022

What is PCI DSS?

The PCI Data Security Standard (PCI DSS) was established in 2004 by leading payment card issuers.
It is maintained by the PCI Security Standards Council. It provides Operational and technical requirement to protect cardholder data.

The goals for PCI DSS v4.0 are to continue to meet the security needs of the payment industry, to promote security as a continuous process, to add flexibility for different methodologies, and to enhance validation methods.

PCI DSS v4.0 Timelines

Each of these future-dated requirements are noted in the standard as best practice until March 31, 2025. Entities are not required to validate against those until the date has been reached, after which they become mandatory.

Once assessors have completed training in PCI DSS v4.0, organizations may assess to either PCI DSS v4.0 or PCI DSS v3.2.1.

After April 1, 2024, only v4.0 will be the active standard that can be used for assessments.

Dates to Remember

  • March 31, 2022 – Official Release: PCI DSS v4.0 with validation documents.
  • Q2 2022 – ISA/QSA training and supporting documents.
  • March 31, 2024 – PCI DSS v3.2.1 retired.
  • March 31, 2025 – Future-dated new requirements become effective.

 

PCI Security Standards Council: PCI DSS v4.0 is Now Available:
Resources and Engagement Events

Examples of changes from PCI DSS v3.2.1 to v4.0

GOAL: CONTINUE TO MEET THE SECURITY NEEDS OF THE PAYMENT INDUSTRY

Security practices must evolve to continue to meet the security needs of the payments industry as threats change.
Examples of changes in v4.0:

  • Made new updates to multi-factor authentication (MFA) requirements.
  • Updated password requirements in-line with current industry best practices.
  • Added new e-commerce and phishing standards to address the ongoing threats.
  • Updated requirements for Sensitive Authentication Data (SAD) secure handling.
  • Added authenticated internal vulnerability scanning requirement for a greater insight into organizations vulnerability landscape.

GOAL: PROMOTE SECURITY AS A CONTINUOUS PROCES

Promote security as a continuous process as ongoing security is crucial to protect payment data
Examples of changes in v4.0:

  • Clearly assigned roles and responsibilities for personnel working on each requirement.
  • Added guidance across requirements to help organizations better understand how to implement and maintain security.
  • Added new reporting option to highlight areas for improvement and provides greater transparency for report reviewers.

GOAL: INCREASE FLEXIBILITY FOR ORGANIZATIONS USING DIFFERENT METHODS TO ACHIEVE SECURITY OBJECTIVES

Provide more options and different validation methods to increase flexibility for organizations to achieve security objectives and supports payment technology innovation.
Examples of changes in v4.0:

  • Allowed the use of group, shared, and public accounts with exceptions.
  • Introduced targeted risk analyses that empower organizations to determine the frequency of performing certain activities.
  • Introduced a new customized approach method to validate PCI DSS requirements, gives organizations another option to consider innovative methods to achieve their security objectives.

GOAL: ENHANCE VALIDATION METHODS AND PROCEDURES

Improve validation methods and procedures with Clear validation and reporting options to support transparency and granularity
Examples of changes in v4.0:

  • Increased alignment between information reported in a Report on Compliance or Self-Assessment
  • Questionnaire and information summarized in an Attestation of Compliance

 

PCI Security Standards Council:
Click here for Document Library

 

Critical changes from PCI DSS v3.2.1 to v4.0

Methodological changes

  • Several small updates across the requirements with added Clarification or guidance
  • Introduction of Customized approach to offer additional requirement validation method to meet the requirement objective
  • Introduction of targeted risk analysis for various critical requirements
  • For Service Providers – Confirming PCI DSS scope at least once every 6 months and upon significant change to the in-scope environment

New requirements that may require major efforts/implementations

  • Stringent password and MFA (Multi-Factor Authentication) requirements
  • Mechanisms to detect and protect personnel against phishing attacks
  • Automated technical solution for public-facing web applications that continually detects and prevents web-based attacks
  • Automated mechanisms to review audit logs for all CDE and critical systems
  • Internal vulnerability scans via authenticated scanning

Where to find more information:

ControlCase is a global provider of certification, cyber security, and continuous compliance services. ControlCase is committed to empowering organizations to develop and deploy strategic information security and compliance programs that are simplified, cost effective and comprehensive in both on-premise and cloud environments. ControlCase offers certifications and a broad spectrum of cyber security services that meet the needs of companies required to certify to PCI DSS, HITRUST, SOC 2 Type II, ISO 27001, PCI PIN, PCI P2PE, PCI TSP, PCI SSF, CSA STAR, HIPAA, GDPR, SWIFT and FedRAMP.

Contact our team today to get started

Related Blog

Why PCI DSS 4.0 Should Be on Your Radar?
With the release of PCI v4.0, the countdown has started for organizations already PCI DSS Certified to transition from PCI DSS v3.2.1 to the new PCI DSS v4.0 standard. With the timelines of one year to prepare for v4.0 and two years to fully ready for v4.0 future dated requirements, it is time to assess readiness for PCI DSS v4.0 and establish a detailed plan to meet the requirements and timelines.
Aide-Mémoire PCI DSS v4.0
La norme de sécurité des données PCI (PCI DSS) a été établie en 2004 par les principaux émetteurs de cartes de paiement. Elle est maintenue par le Conseil des normes de sécurité PCI. Il fournit des exigences opérationnelles et techniques pour protéger les données des titulaires de cartes.
Quelles Sont les 12 Exigences de Conformité PCI DSS?
Payment card industry (PCI) compliance is mandated by credit card companies to help ensure the security of credit card transactions in the payments industry. Payment card industry compliance refers to the technical and operational standards that businesses follow to secure and protect credit card data provided by cardholders and transmitted through card processing transactions. The requirements set forth by the PCI SSC are both operational and technical, and the core focus of these rules is always to protect cardholder data.
Log4j Vulnerability and how to remain PCI DSS Compliant
Payment card industry (PCI) compliance is mandated by credit card companies to help ensure the security of credit card transactions in the payments industry. Payment card industry compliance refers to the technical and operational standards that businesses follow to secure and protect credit card data provided by cardholders and transmitted through card processing transactions. The requirements set forth by the PCI SSC are both operational and technical, and the core focus of these rules is always to protect cardholder data.
How to define PCI DSS Scope?
When it comes to scoping for PCI DSS, many organizations struggle to understand where PCI DSS controls are required to be implemented and which systems need to be protected. Many organizations still have problems figuring out which systems are in PCI DSS scope and which systems are not.
What are the 12 requirements of PCI DSS Compliance?
Payment card industry (PCI) compliance is mandated by credit card companies to help ensure the security of credit card transactions in the payments industry. Payment card industry compliance refers to the technical and operational standards that businesses follow to secure and protect credit card data provided by cardholders and transmitted through card processing transactions. The requirements set forth by the PCI SSC are both operational and technical, and the core focus of these rules is always to protect cardholder data.

About Us

ControlCase is a global provider of certification, cybersecurity, and continuous compliance services. ControlCase is committed to empowering organizations to develop and deploy strategic information security and compliance programs that are simplified, cost-effective, and comprehensive in both on-premise and cloud environments.
ControlCase offers certifications and a broad spectrum of cyber security services that meet the needs of companies required to certify to PCI DSS, HITRUST, SOC2, CMMC, ISO 27001, PCI PIN, PCI P2PE, PCI TSP, PCI SSF, CSA STAR, HIPAA, GDPR, SWIFT, and FedRAMP.