Introducing the Payment Card Industry Data Security Standard (PCI DSS) v4.0. 

On March 31, 2022, the Payment Card Industry Security Standards Council (PCI SSC) published an update to its global security standards for protecting account data. Released almost four years after its predecessor, PCI DSS 3.2.1, this latest version introduces new structures, evolving requirements, and updated guidelines.  

In this article, we explain the impact PCI DSS v4.0 will have on different organizations, and how to measure and accelerate your own compliance progress.

Watch our LinkedIn Live session for a first-hand account of managing PCI DSS compliance. 

4 goals of PCI DSS v4.0

PCI DSS v4.0 heralds the next evolution in payment security, designed to bring the globally accepted standard up to speed with today’s emerging threats and technologies.

More than 6,000 items of feedback and 200 companies contributed to the development of the new standard. Based on these real-world insights, PCI DSS v4.0 outlines its four main goals:

1. Continue to meet the security needs of the payment industry

Why it’s important: Evolves security processes to protect against emerging threats 

Examples:

• Expanded multi-factor authentication requirements
• Updated password requirements
• New ecommerce and phishing requirements to address ongoing threats

2. Promote security as a continuous process

Why it’s important: Establishes ongoing security to protect payment data 

Examples:

• Clearly assigned roles and responsibilities for each requirement
• Added guidance to help people better understand how to implement and maintain security

3. Add flexibility for different methodologies

Why it’s important: Promotes flexibility and technology innovation in achieving security objectives

Examples:

• Allowance of group, shared, and generic accounts
• Targeted risk analyses empower organizations to establish frequencies for performing certain activities
• Customized approach, a new method to implement and validate PCI DSS requirements, provides another option for organizations using innovative methods to achieve security objectives. 

4. Enhance validation methods and procedures

Why it’s important: Supports transparency and granularity in validation and reporting processes

Examples: 

• Increased alignment between information reported in a Report on Compliance or Self-Assessment Questionnaire and information summarized in an Attestation of Compliance.

   

When does PCI DSS v4.0 go into effect? 

PCI DSS v4.0 is already in effect, following its official release date on March 31, 2022. 

Given the significant changes, entities have two years to transition to the new standard. 

Here are the important dates to keep in mind: 

• March 31, 2022: PCI DSS v4.0 was released 
• March 31, 2022 - March 31, 2024: Both PCI DSS v4.0 and 3.2.1 are active and can be used for assessments
• March 31, 2024: PCI v3.2.1 will be retired and entities are given one year to transition to the new standard
• March 31, 2025: Entities must be fully compliant with PCI DSS v4.0 

Difference between PCI DSS v3.2.1 and v4.0

Like previous versions, the new standard includes a list of 12 principal PCI DSS requirements tied to six key objectives. However, PCI DSS v4.0 has made substantial changes to the requirements, broadening the scope in response to the evolving payment landscape. 

The table highlights key differences between the main requirements in PCI DSS v3.2.1 vs. PCI DSS v4.0:

Under the 12 principal requirements, PCI DSS v4.0 introduces 64 new sub-requirements — 13 that should be implemented immediately for any PCI DSS v4.0 assessments (or at least by March 31, 2024), and the remaining 51 requirements to be enforced by March 31, 2025.

New ways to validate PCI DSS v4.0 compliance

A significant shift in PCI DSS v4.0 is its focus on outcomes rather than strict protocols. As long as an entity satisfies the standard’s requirements and objectives, it can implement security controls better suited to its operations.

The new standard allows entities to choose between a defined and customized approach to PCI DSS compliance: 

Defined approach: The traditional approach used to comply with PCI DSS. An entity implements the specific security controls and requirements as defined in the published standard, after which an assessor follows the standard testing procedures to verify all requirements are met. 

Customized approach: The new approach that allows entities to comply with PCI DSS using innovative approaches or technologies not strictly defined by the standard. As every entity’s customized approach is different, assessors will also need to develop unique testing procedures to verify the customized controls meet required objectives. 

PCI DSS v4.0 also allows entities to take a hybrid approach, using the defined approach to meet some requirements and the customized approach to meet other requirements. Even a single requirement can be split across both approaches, as long as the overall security objective of the requirement is met. Note that some requirements explicitly can’t be met using the customized approach.

A customized approach is recommended for risk-mature entities that can effectively design, document, test, and maintain security controls to meet PCI DSS requirements. “Yes, they’re giving you a free hand to customize some controls, but you have to perform a risk analysis at least every 12 months that’s approved by senior management. You need to see what could go wrong and how you can fix it to still meet the control objective,” says Juthani.

6 steps to prepare for PCI DSS v4.0

The day PCI DSS v4.0 is fully enforced will be here in no time. The sooner you start to prepare for the new standard, the smoother it will be to achieve compliance. Follow these six steps to get your teams and systems ready for PCI DSS v4.0:  

Step 1: Create a transition plan

A clear transition plan gives your team time to properly implement the controls needed for PCI DSS v4.0 compliance. Understand what the standard entails, assess the controls you have and don’t have in place, and determine the necessary resources and steps to address any gaps in your security posture.

Step 2: Review potential changes to scope

Even if you’re familiar with PCI DSS v3.2.1, there’s are several changes that come with the new standard. For example, Requirement 3 has been expanded to not just protect account data, but all account data including PINs, card validation codes, and security-related information. Considerable changes like this make it critical to reevaluate the scope of your compliance operations. 

Step 3: Conduct a people and process evaluation

PCI DSS v4.0 shifts security from being a point-in-time exercise to a continuous state of compliance. This involves engaging and training not just one team, but the entire organization to foster a security mindset. Everyone that deals with account data should understand the PCI DSS objectives, requirements, and why specific controls are implemented in daily operations.

Step 4: Assign clear roles and responsibilities

The new standard requires anyone interacting with your cardholder data environment or account data to be assigned clear roles and responsibilities. These roles should further be defined, communicated, and acknowledged by the individual. Getting all stakeholders on the same page can clear up any confusion about the transition and contributes to passing your PCI DSS assessment. 

Step 5 (Recommended): Validate your customized approach

If your organization chooses a customized approach, you need to ensure its controls can sufficiently meet PCI DSS objectives. A targeted risk analysis is required every 12 months to help determine how often a specific control or activity should be done to maintain a certain level of risk.

(A targeted risk analysis isn’t mandatory in the defined approach, but it is recommended to help entities identify appropriate risk and mitigation strategies.) 

Step 6: Integrate PCI DSS into business-as-usual practices

“You don't want to only look at PCI when an audit period is coming up. PCI requirements and controls should be part of your business-as-usual activities and strategic discussions,” says Juthani. “If you’re going through controls every single day, they become part and parcel of your operations and help reduce the risk of security incidents and breaches.” 

Fast-track to PCI DSS v4.0 compliance

“Key areas where we see clients, prospects, and businesses in need of optimization are in the implementing and assessing readiness and monitoring phases. A huge piece of that puzzle is related to content and context — from helping people scope and identify their security posture against a particular framework to providing out-of-the-box policies you can adapt to your organization,” says Kaitlyn Archibald, Sr. Product Marketing Manager, GRCP at OneTrust. 

Organizations that prioritize automating their security processes see a significant reduction in both time and effort. For example, the average customer using OneTrust Certification Automation to manage policies and implement controls is able to reduce their time to PCI DSS compliance from 14-18 months to 5-7 months. 

Learn more about how Certification Automation helps you build, scale, and automate your security compliance program. Reduce your cost of compliance up to 60% and obtain certifications 50% faster.