What are the key changes from PCI DSS 3.2.1 to PCI DSS 4.0?
Launched on 31 March 2022, version 4.0 of the PCI DSS contains several critical (and exciting!) changes from its predecessor (DSS v3.2.1, released in May 2018).
Key changes as highlighted in the PCI DSS v4.0 at a Glance document can be summarised as follows:
Organizations must meet the evolving security needs of the payments industry
Organizations must continue to iterate and improve their security practices in response to the emerging and developing threat landscape.
Some examples of increased security practices within version 4.0 of the DSS include:
- Expanded multi-factor authentication (MFA) requirements.
- Updated password requirements (no more changing passwords every 90 days!).
- New e-commerce and phishing requirements to address ongoing threats (such as MageCart-type attacks).
Promote security as a continuous process
Since the release of DSS v3.2, organizations have been required to embed security practices within business-as-usual activities so that security is a cultural consideration and not a ‘tick box’ annual one. As with all compliance programs, it is important that activities are proactive in reducing risk, as opposed to the typically reactive nature of security compliance programs.
As we’ve seen throughout the recent pandemic and the upsurge in consumer card and e-commerce fraud, criminals never sleep, and making sure compliance is embedded into an organization’s daily activities, and not simply a once-a-year activity, is crucial to protecting payment data.
Some examples of a more continuous approach within version 4.0 of the DSS include:
- Clearly assigned roles and responsibilities for each DSS requirement.
- Added guidance to help people better understand how to implement and maintain security.
- An option to add further clarification in the reporting template to highlight areas for improvement and provide more transparency for report reviewers.
Increase flexibility for organizations using different methods to achieve security objectives
It is not uncommon when consulting with or assessing organizations for PCI DSS compliance to uncover requirements implemented for the sole purpose of achieving or maintaining DSS compliance. SureCloud’s QSA team often hears statements such as “the control is only there because that’s what the PCI DSS says.” It should be no surprise that such organizations frequently struggle to implement and maintain such controls appropriately.
By adopting more of a risk-based approach and increasing the flexibility for organizations to secure their environments with controls designed around their business, based on the specific threats they face, merchants and service providers have more options to meet a DSS requirement’s security objective. Of course, such flexibility also supports payment technology innovation.
Some examples of increased flexibility within version 4.0 of the DSS include:
- Allowance of group, shared, and generic accounts.
- Targeted risk analysis empowers organizations to establish frequencies for performing certain activities.
- A ‘customized’ approach to implement and validate PCI DSS requirements, providing another option for organizations using innovative or tailored methods to achieve security objectives.
Enhanced validation methods and procedures
Many organizations have struggled with PCI DSS validation efforts, often because of the disparate assessment and reporting tools employed across self-assessing and externally audited entities. This position is improved through adapted validation and reporting options designed to support transparency and granularity for all merchants and service providers.
For example, the new validation tools will increase alignment between the information reported in a Report on Compliance or Self-Assessment Questionnaire and the information summarized in an Attestation of Compliance, which will help organizations maintain visibility into, and monitoring of, their compliance activities.
As with any major release of a standard, DSS v3.2.1 will have a two-year sunset period to give organizations plenty of time to undertake any necessary control changes and transition to PCI DSS v4.0 by 31 March 2024.
Source: PCI DSS v4.0 at a Glance
Implementation of new requirements
In addition to the transition period outlined above, organizations will also have an additional year following the transition from v3.2.1 to v4.0 to implement new requirements initially identified within DSS v4.0 as best practice. After 31 March 2025, these requirements will be effective and must be fully considered as part of a DSS assessment.
What about your QSA?
As for QSA companies, their QSAs will be required to undertake additional training to demonstrate their understanding of the new requirements and their appropriate implementation.
Differences of opinion on the implementation of PCI DSS requirements have been a long-standing issue within the QSA community. The newly structured ‘security intent’ of the DSS requirements aims to drive a better relationship between organizations and their QSA: QSAs will be required to understand the intricacies of an organization’s CDE so that compliance can be achieved and maintained using ‘customized validations’.