PCI DSS 4.0: What You Need to Know


The Payment Card Industry Data Security Standard (PCI DSS) has been updated to version 4.0, published in March 2022. Version 3.2.1 was retired on 31 March 2024, so assessments after that date are against v4.0; the new requirements that 4.0 marks as future-dated are best practice until 31 March 2025, when they become mandatory. This major update brings significant changes that will impact any organization that stores, processes or transmits cardholder data. Here's what you need to know about PCI DSS 4.0 and how to prepare.

What is PCI DSS?

PCI DSS is a set of security requirements designed to ensure that companies securely accept, transmit and store cardholder data. It is maintained by the PCI Security Standards Council, which was founded by the major card brands (Visa, Mastercard, American Express, Discover and JCB) to protect cardholder information and reduce fraud.

Compliance with PCI DSS is mandatory for any merchant or service provider that stores, processes or transmits payment card data. Requirements cover areas like data encryption, access controls, monitoring, and policy development.

Organizations validate compliance annually, either by completing a Self-Assessment Questionnaire (SAQ) or, for larger merchants and for service providers, by undergoing an on-site assessment by a Qualified Security Assessor (QSA) that produces a Report on Compliance. Which route applies is set by the card brands and the acquiring bank, mainly on transaction volume. Failure to comply can result in fines from the card brands, passed through the acquirer, and loss of the ability to accept card payments.

Key Changes in PCI DSS 4.0

PCI DSS 4.0 includes several important updates to the standard, including:

  • Expanded multi-factor authentication (MFA) requirements. MFA is required for all access into the cardholder data environment (Requirement 8.4.2), not only for administrative access (8.4.1) and for remote access from outside the network (8.4.3). The MFA system itself must resist replay, must not be bypassable for any user, and must require at least two different factor types (8.5.1).
  • Stronger software security requirements. Organizations must maintain an inventory of their bespoke and custom software and of the third-party components incorporated into it, to support vulnerability and patch management (6.3.2), and must manage the scripts loaded on payment pages (6.4.3) and detect unauthorized changes to those pages (11.6.1). The standard does not mandate that vendors supply a Software Bill of Materials, but a vendor SBOM is a practical way to populate the 6.3.2 inventory. Secure software development practices (6.2) continue to apply.
  • Stronger password requirements. Passwords must be at least 12 characters (8 where the system cannot support 12) and contain both letters and numbers (8.3.6). Where a password is the only authentication factor, it must be changed at least every 90 days or the account's security posture must be dynamically analyzed (8.3.9). Application and system accounts need their own password management controls (8.6). PCI DSS 4.0 does not mandate a password manager, although one is an easy way to meet the length and uniqueness expectations for privileged users.
  • Greater emphasis on modern cybersecurity principles. Version 4.0 introduces the Customized Approach, which lets an entity meet a requirement's stated objective with controls of its own design, documented and validated by the assessor, and targeted risk analyses that set the frequency of certain recurring controls (12.3.1). Both are aimed at perimeterless networks, DevOps pipelines, and cloud environments where the prescriptive controls fit poorly.
  • Penetration testing. Internal and external penetration testing of in-scope systems remains required at least once every 12 months and after significant changes (11.4), and service providers must test segmentation controls at least every six months. This is not new in 4.0, but it remains a common gap.
  • Changes to cryptography and key management. Keys must still be changed at the end of their defined cryptoperiod (3.7.4). New in 4.0 are an inventory of all cipher suites and protocols in use, reviewed at least annually for known weaknesses (12.3.3), an inventory of the trusted keys and certificates used to protect PAN in transit (4.2.1.1), and the rule that disk- or partition-level encryption alone no longer satisfies the stored-PAN requirement except on removable media (3.5.1.2).

How to Prepare for PCI DSS 4.0

With version 3.2.1 already retired and the future-dated requirements becoming mandatory on 31 March 2025, merchants and service providers should begin preparing now. Here are some key steps to take:

  • Review the new PCI DSS 4.0 requirements in detail. Identify any gaps in your policies, procedures, and technical controls.
  • Develop a plan and timeline to update systems to align with PCI DSS 4.0. Priority areas are MFA, software and payment-page script inventories, authentication policy, cryptography inventories, and penetration testing.
  • Evaluate your technology vendors. Ensure they will support PCI DSS 4.0 requirements as part of their solutions.
  • Allocate budget and resources for PCI DSS 4.0 readiness over the next year. Significant changes may be required.
  • Train staff on the new PCI DSS 4.0 requirements and procedures as changes are implemented. Education is key for ongoing compliance.
  • Work with your Qualified Security Assessor for guidance if you have questions about requirements.

Staying compliant with PCI DSS is essential for any business that handles payment cards. Following these steps will help you upgrade your policies, processes and technology to meet PCI DSS 4.0 requirements on time. Reach out for assistance to ensure you are fully prepared.

Justin Leapline
Founder

With over twenty years of information security experience, Justin has helped organizations through consulting and running security departments. Additionally, Justin serves as a distinguished faculty member of IANS, focusing on compliance, security management, DevSecOps, and assurance.