menucloseContact UsEventsNewssearchclose
Services
Industries
Insights
About Us
Careers
Contact UsEventsNews
searchclose
home Insights

PCI DSS v4.0 is here – FAQ on compliance

Jonathan Sharpe, Sean McAloon
4/22/2024
A business woman using a laptop and holding a credit card to depict online payment with a digital security layer emphasizing PCI DSS v4.0 compliance

PCI DSS v4.0 went into effect on April 1 – are you ready? Our team answers your FAQ about the new standard.

The Payment Card Industry Security Standards Council (PCI SSC) issued version 4.0 of the PCI Data Security Standard (PCI DSS v4.0) in March 2022. The two-year adoption window ended on March 31, 2024, and all PCI DSS assessments performed now must follow v4.0 of the standard.

While many new requirements are future dated, companies need to address several significant changes immediately, including performing a comprehensive PCI scoping exercise. Conducting this exercise requires proper planning and significant time – which means the time to start is now. Our PCI team answered some of the most frequently asked questions about the new standard, including what to focus on now and what to consider for the future.

See how we can help your business prepare for shifting PCI requirements.
Discover our services
What are the important dates surrounding PCI DSS v4.0?

What are the important dates surrounding PCI DSS v4.0?

Because PCI DSS v4.0 is a significant upgrade from the prior version, the overall timelines for PCI DSS v4.0 became available for two years before transition. Here’s a look at the overall timeline of PCI DSS v4.0:

  • Q1 2022: PCI DSS v4.0 released
  • 2022-2023: Transition period from v3.2.1 to v4.0
  • March 31, 2024: PCI DSS v3.2.1 retired
  • March 31, 2025: Future-dated requirements effective
What immediate changes does an organization need to implement?

What immediate changes does an organization need to implement?

1. Definition of system components

With the ever-changing nature of technology, the definition of system components has undergone some clarifications and enhancements. Specifically, in PCI DSS v4.0 the definition has been expanded to include some system components that have not previously been included within scope. Newly considered systems include software deployment and configuration management tools such as:

  • Source code repositories
  • Continuous integration/continuous deployment pipeline tools
  • Infrastructure-as-code tools

While some companies might not have these types of technology in place currently, the systems are worth noting in case these technologies are used in the future. Also, applicable requirements have expanded for tools already in scope, including anti-malware tools, logging and security information and event management tools, and authentication and authorization tools.

2. Formal assignment of roles and responsibilities

PCI standards include 12 base requirements, and each one handles a different part of the payment cycle in the cardholder data life cycle. With PCI DSS v4.0, every one of those requirements now has associated roles and responsibilities, and all day-to-day responsibilities for PCI requirement activities must be formally assigned, either through policy and procedures or as a separately maintained assignment. Organizations in a complex environment might want to consider using a responsible, accountable, consulted, and informed (RACI) matrix for assignments. The intent here is to establish accountability for performance of all requirements throughout the standard.

3. Management’s scoping exercise

In the past, the annual confirmation of the PCI scope might have been performed only by an assessor as part of a PCI assessment. Now it must be performed independently by the assessed entity itself, separately from any scoping evaluation performed by the assessor. The scope from both the entity and the assessor should align, and any differences must be specifically noted in Section 3.1 of the report on compliance (ROC) executive summary. This is a separate requirement from simply maintaining an inventory of in-scope systems.

Elements of the requirement are:

  • Identify all data flows involving cardholder data.
  • Maintain and update data flow diagrams.
  • Identify all locations where account data is stored, processed, and transmitted.
  • Identify all system components that:
    • Are within the cardholder data environment (CDE)
    • Are connected to the CDE
    • Can affect the security of the CDE
  • Identify all segmentation controls, if applicable, including which networks are in scope and which are out of scope.
  • Identify third-party connections to the CDE.

This new requirement is meant to emphasize a proactive approach for ongoing internal PCI focus and encourage less reliance on the assessor.

How should an organization approach scope?

How should an organization approach scope?

Performing a comprehensive scoping exercise can be a significant effort, depending on the size of the organization. It’s important to define a consistent and repeatable methodology to complete that scoping.

1. What strategies can be used to identify scope?

While numerous publications cover determining scope, guidance on performing a scoping exercise is limited. Some actions to take in identifying the initial scope include:

  • Surveying employees to detect where cardholder data enters the organization, where it is stored, and where it leaves
  • Using data discovery tools to detect instances of cardholder data
  • Reviewing existing inventories of systems
  • Reviewing network and segmentation diagrams to identify key network segments, including ingress and egress points
  • Evaluating existing vendor management processes to identify vendors that might receive cardholder data and those that can affect the security of the organization

2. How should diagrams be approached as part of scoping?

A variety of data flow and network diagrams are required under PCI standards, including:

  • A data flow diagram that shows the flow of account data across in-scope systems
  • A network diagram that shows all CDE-related connections and highlights network security controls in place
  • A business process diagram that can highlight people-centric processes where cardholder data is handled by specific business areas and can be integrated into data flow diagrams

To determine the relevant data to capture for each of these diagrams, organizations can start by identifying:

  • Business processes and data flows involving cardholder data – both electronic and physical
  • Applications associated with business processes and downstream storage, processing, and transmission
  • Underlying application infrastructure
  • Security services and other functions provided to the in-scope systems
  • End-user computing devices involved in transmission of cardholder data or administration of in-scope systems
  • Network segments that contain in- and out-of-scope components as well as associated network components
  • Physical locations
  • Third parties involved at all points

3. What else should be considered when scoping?

While no single approach will be applicable for every organization, it’s important to evaluate the current scope reduction techniques and establish processes to make the right individuals aware of any scope changes. Consider the details required within the ROC executive summary as part of scoping and inventory management, including a business overview, network and data diagrams, account data flows, and in-scope components, networks, locations, and business processes.

What significant future-dated requirements should an organization be prepared for?

What significant future-dated requirements should an organization be prepared for?

1. Preventing relocation of primary account number (PAN)

A new requirement prevents the relocation of PAN when using remote access technologies. A change in policy or procedure will not achieve this requirement; prevention must be achieved via a technical control. This requirement is designed to prevent PAN from being moved to systems not designed for PAN storage and includes any remote technology that provides access to PAN – for example, remote or virtual desktops and secure socket shell sessions.

2. Targeted risk analysis

A new risk-based approach for certain requirements allows an entity to define the frequency of occurrence for certain controls. Targeted risk analyses are required to determine the frequency of controls and must be updated at least annually.

3. Protecting payment pages

Some new requirements are designed to further protect online payment pages from both malicious scripts and unauthorized modification. Scripts that are in use must be authorized and have their integrity validated, and methods must be in place to detect any changes to payment page contents and HTTP headers. These requirements are applicable to fully in-scope payment pages as well as payment pages that contain embedded payment forms, and they are designed to combat e-commerce skimming and payment page substitution.

Prepare for compliance

While some PCI DSS v4.0 requirements are not applicable yet, it’s important to make efforts now to demonstrate compliance by the time the requirements become effective. Companies might want to consider engaging with a third party that has a deep understanding of these requirements and can help create a specific and detailed plan for compliance.

Contact our team

Wondering how the new PCI DSS 4.0 standards affect your organization? See how we can help identify the right PCI compliance solution for your business.
Contact our team
Jonathan Sharpe
Jonathan Sharpe
Principal, IT Assurance
+1 317 208 2433
Profile
people
Sean McAloon
+1 214 777 5228
Contact our team