Implementing PCI DSS v4.0: What You Need to Know

Are you ready for the new PCI DSS? In March 2022, the Payment Card Industry Data Security Standard (PCI DSS) v4.0 was officially released. The PCI Security Standards Council has since set March 31, 2024 as the deadline to retire PCI DSS v3.2.1 and transition to v4.0. This means that organizations should start preparing for the transition to PCI DSS v4.0… now!

Understanding the scope of the changes and how they affect an organization is critical to preparing for this migration. This article pulls together the key information you need to understand what’s new and to establish your PCI program, including:

  • A Timeline for PCI DSS v4.0 Implementation
  • What Are the New PCI DSS Requirements and Which Requirements Have Changed?
  • Considerations When Selecting the Customized Approach vs. the Defined Approach
  • 7 Steps for a Successful Transition to PCI DSS v4.0

AuditBoard Community members can go a step further to learn how to perform the activities described below within AuditBoard: join or log in to AuditBoard Community for illustrative examples and additional guidance. AuditBoard Community members can also view the on-demand webinar, “A Year From 4.0 — Getting Ready for the New PCI,” for a deeper dive into the subject with a live demonstration of using CrossComply to manage the transition to PCI DSS v4.0.

Why the Change to PCI DSS v4.0?

Technology is constantly evolving, which means that cybersecurity must evolve with it. PCI DSS provides security requirements for merchants and service providers that transmit, process, or store cardholder data and sensitive authentication data. The PCI Security Standards Council, a coalition of the five largest payment card brands (American Express, Discover Financial Services, JCB International, Mastercard, and Visa), has worked to update the PCI standards to adapt to changing needs and data security practices. The changes made in PCI DSS v4.0 represent this work. Four main drivers were considered in the process of writing the 4.0 standard:

  • Continue to meet the security compliance management needs of the credit card payment industry
  • Promote security as a continuous process
  • Add flexibility for different methodologies
  • Enhance validation methods

PCI DSS v4.0 represents a fundamental change to how organizations can streamline PCI compliance: the ability to take a customized approach to complying with specific requirements. For most requirements, organizations can now choose between the Defined Approach, which dictates how the requirement must be met and assessed, and the Customized Approach, which lets organizations implement their own process provided it meets the stated objective of the requirement. However, certain requirements do not allow the customized approach, and organizations must meet such requirements exactly as defined. Each such requirement is marked in the PCI DSS with the statement “This requirement is not eligible for the customized approach,” as illustrated in the example below.

Timeline for PCI DSS v4.0 Implementation

Organizations have until March 31, 2024 to be assessed under either PCI DSS v3.2.1 or v4.0. After March 31, 2024, v3.2.1 is retired and all organizations will be assessed under PCI DSS v4.0.

An additional deadline to be aware of for some new requirements under v4.0 is March 31, 2025. Until that date, these requirements are listed as “best practice”; organizations must have them fully implemented by March 31, 2025. The timeline below illustrates this phased implementation.

PCI DSS v4.0 Implementation Timeline

Source: PCI DSS v4.0 Implementation Timeline, www.pcisecuritystandards.org.

New requirements that fit this phased implementation are indicated in the PCI DSS under “Applicability Notes”, an example of which is included below. 

PCI DSS v4.0 Example Best Practice Requirement

Organizations should consider their current assessment cycles to determine when to begin the migration project from v3.2.1 to v4.0. For example, an organization that performs its assessments every December will need to have completed the migration to v4.0 prior to December 2024, whereas an organization that performs its assessments every April will need to have completed the migration to v4.0 prior to April 2024. Organizations performing QSA/ISA assessments should also work with their assessor and their acquiring bank to discuss additional considerations for the migration process.

Considerations When Selecting the Customized Approach vs. the Defined Approach

To decide whether or not to use the customized approach for one or more requirements in the DSS, it’s important to understand how this approach works and how it will impact your organization if you choose to use it.

The customized approach is intended to give organizations flexibility in how they meet one or more eligible requirements, provided they meet the intent of the requirement as stated in its Customized Approach Objective. As stated earlier, not all requirements are eligible for this approach, and the following factors should be considered when deciding whether to use it:

  • It can only be used by organizations undergoing QSA/ISA assessments. Organizations performing self-assessments using Self-Assessment Questionnaires (SAQs) may not use it.
  • The controls implemented are expected to meet or exceed the security provided by the requirement in the defined approach.
  • Additional documentation and testing will be required.
  • Because testing procedures are not defined for customized controls, organizations will need to work with their assessor to define suitable testing procedures.
  • Organizations may use a combination of the two approaches to meet a single requirement. For example, a technical control implemented across two disparate systems can use the customized approach for one system and the defined approach for the other.
  • Compensating controls may not be used with the customized approach.

Additionally, organizations will be required to perform the following for each customized control in every assessment cycle:

  • Document control information using the template in Appendix E
  • Perform a risk assessment using the template in Appendix E
  • Perform testing and document test results
  • Monitor and maintain evidence for the control
  • Provide the above to the organization’s assessor

Specific information on how the Customized Approach works is included in Appendix D and Appendix E of the PCI DSS.

After reviewing the above considerations, the overriding question for your organization becomes, “Should we use the customized approach at all?” The answer should be determined by the following:

  • Whether or not there have been changes to your payment environment
  • Whether any of the new or changed requirements in PCI DSS v4.0 cannot be met with the defined approach

In cases where there are no such changes, it likely makes sense for your organization to continue to use the same control activities you’ve used for v3.2.1.

What Are the New PCI DSS v4.0 Requirements and Which Requirements Have Changed?

The table below shows the specific requirements and sub-requirements that have changed and any new requirements that have been added, broken down by each high-level requirement. For complete details on the specific nature of each change, consult the “PCI DSS Summary of Changes from PCI DSS Version 3.2.1 to 4.0” on the PCI Security Standards Council website.

PCI DSS v4.0 New and Revised Requirements

Changes to PCI Documentation

The PCI Security Standards Council has updated the supporting documentation for the new standard, which is publicly available. These updates include changes to the Self-Assessment Questionnaires (SAQs), which many organizations use to validate PCI DSS compliance. It’s important to ensure that you are using the correct SAQ based on when your assessment cycle occurs (see the Timeline for PCI DSS v4.0 Implementation section above).

7 Steps for a Successful Transition to PCI DSS v4.0

Due to the significant changes in PCI DSS v4.0, it’s important for organizations to start assessing compliance with v4.0 now. Starting the transition to v4.0 as early as possible will give you ample time to address any potential issues with new or changed requirements and to determine whether it’s necessary to adopt the customized approach for any of them.

Consider the steps below to start your organization’s transition to v4.0:

  1. Assign a project lead to manage the transition to v4.0.
  2. Assess the current environment against the new/revised requirements in v4.0.
  3. Determine for which (if any) requirements your organization will be using the customized approach.
    1. Complete the necessary steps identified in Appendix D – Customized Approach in the PCI DSS for each requirement.
    2. Re-assess the requirements once all steps have been completed.
  4. Identify issues where new/revised requirements cannot currently be met and create a remediation plan.
  5. Reassess requirements as remediation activities are completed.
  6. Connect with your organization’s QSA/ISA (if applicable) for any additional recommendations.
  7. Leverage published PCI SSC resources for additional guidance.

Sample Process Flow for PCI DSS v4.0 Adoption

Leveraging a compliance management solution can help add efficiencies to the transition process and manage open items through to completion.

Using CrossComply to Manage the Transition to PCI DSS v4.0

AuditBoard’s CrossComply can be used to streamline the transition to v4.0 by importing the new PCI DSS v4.0 requirements directly into your instance using the Unified Control Framework (UCF) integration, performing assessments/control testing, creating and managing issues through to remediation, and leveraging built-in dashboards for up-to-date information on the status of your PCI DSS v4.0 compliance project. 

Interested in learning more about how AuditBoard can be used across your organization? Reach out to our team to schedule a product demonstration today!

Alan Gouveia is Head of Customer Experience, CrossComply at AuditBoard. Alan has worked in the GRC and cybersecurity space for over 20 years across multiple industries and organizations of different sizes. He specializes in a collaborative approach to GRC and cybersecurity, showing customers how to work across the entire organization to achieve business goals. Connect with Alan on LinkedIn.