All You Need to Know About PCI DSS Version 4.0
* This article provides a summary of the major changes in PCI DSS Version 4.0. The information is not intended to constitute and should not be taken as legal advice. For detailed requirements, please review the full document at PCI SSC.
The Payment Card Industry Security Standards Council (PCI SSC) is an international organization formed by Visa, MasterCard, American Express, Discover, and JCB, with the goal of enhancing payment card security across the globe. In 2004, the five card vendors established the Payment Card Industry Data Security Standard (PCI DSS), a regulation that mandates adequate security practices for businesses and organizations that process and possess consumers’ payment card data.
Due to the rapid evolution of cyberattacks and fast-evolving cybersecurity countermeasures, PCI DSS undergoes a revision once every couple of years. On March 31, 2022, the fourth version (v4.0) of PCI DSS was published, four years after the previous revision (v3.2.1) was released in May 2018, making it the longest gap between any two revisions.
PCI DSS v4.0 made some major changes with regard to the scope of cybersecurity practices to include more advanced cybersecurity tools and countermeasures. It has also strengthened many requirements to combat increasingly sophisticated cyberattacks.
— Key Terms —
SAD = Sensitive Authentication Data: information used for cardholder authentication, including passwords, PINs, CVV2s, and magnetic-stripe data
PAN = Primary Account Number: payment card number
CDE = Cardholder Data Environment: an IT system or networked group of IT systems that processes, stores, or transmits cardholder data or sensitive authentication data
PCI DSS v4.0, Major Changes You Need to Know
1. Greater Flexibility
All prior versions of PCI DSS mandate organizations to strictly follow every requirement as defined in the standard. However, as cybersecurity tools become increasingly automated, versatile, and diverse, PCI DSS v4.0 opens up some room for flexibility by giving organizations the option to use a “customized approach” to fulfill the requirements. This means that organizations can choose their own set of security measures that do not strictly match the defined requirements. Nevertheless, these measures must serve the same purposes and objectives as the defined requirements. And organizations must continuously monitor and maintain evidence about the effectiveness of each customized measure they take.
2. Automated Web Application Protection
PCI DSS v4.0 requires all organizations to deploy an automated cybersecurity solution to protect public-facing web applications, capable of detecting and preventing web attacks. This is a major leap from the previous version, which only required organizations to periodically review web applications via manual or automated vulnerability assessment tools and methods.
For those that do not have automated web application protection in place, the perfect solution is to adopt a third-generation web application firewall (WAF), which is a logic-based WAF that runs on AI-derived rules. These WAFs automatically monitor, detect, and block malicious traffic from entering via the application layer in real-time, proven to be highly effective at managing payment card security risks and preventing magecart attacks.
3. Stronger Identity and Access Management (IAM) with Multi-Factor Authentication (MFA)
PCI DSS v4.0 made some major changes to identity and access management (IAM) requirements. For instance, it has increased password length from a minimum length of seven characters to a minimum length of 12 characters. It also demands periodic reviews of account access privileges to minimize the risks associated with social engineering and privilege escalation attacks.
Changing passwords might seem like a trivial task, but more importantly, PCI DSS v4.0 brought in a new requirement to implement multi-factor authentication (MFA) for all access to the CDE (cardholder data environment). This means that any account with direct or indirect access to cardholder data and payment card information must be secured with at least two authentication methods.
For organizations that do not have an existing MFA system for their corporate user accounts, adopting an enterprise IAM platform with MFA features not only helps fulfill regulatory requirements by protecting the CDE, but also enhances security for all types of sensitive corporate information from legal documents and contracts to trade secrets and source code.
Lastly, PCI DSS v4.0 also bans the practice of hardcoding any passwords and passphrases into files or scripts, if these passwords can be used directly or indirectly (via single sign-on) to enter the CDE.
4. Stricter Encryption and Database Protection
PCI DSS v4.0 added several new requirements that demand stricter encryption on SAD (sensitive authentication data), including SAD that are temporarily stored in the system prior to the completion of payment authorization. Moreover, PCI DSS v4.0 requires encryption to be applied on PAN (primary account number) both on removable and nonremovable electronic media.
Choosing the optimal encryption technique for each environment can be difficult. For organizations that manage PAN on different locations and databases, adopting a database encryption solution with multiple encryption technologies can help make encryption easily manageable.
Preparing for the Next Generation of Cyberattacks
Understanding PCI DSS requirements isn’t just about compliance. Every time PCI DSS receives a version update, it indicates a major shift in cyberattack patterns and security countermeasures. Hence, organizations should treat this as an opportunity to re-evaluate their security practices and arm themselves for a new generation of cyberattacks.
For more information on security implementation, check out Penta Security’s product lines:
Web Application Firewall: WAPPLES
Database Encryption: D’Amo
Identity and Access Management: iSIGN+
Automotive, Energy, Industrial, and Urban Solutions: Penta IoT Security
For detailed inquiries, contact Penta Security’s security consulting team.