Any organisation - regardless of its location, size, or transaction volume - that processes, stores, or transmits cardholder data must comply with the Payment Card Industry Data Security Standard (PCI DSS).

The standard provides a foundational set of technical and operational requirements designed to protect account data. It thus empowers organisations to protect their customers’ financial and personal data, including their names, Primary Account Numbers (PAN), and credit card numbers.

First created in 2004, PCI DSS has undergone numerous revisions over the years, with its most recent version, 4.0, issued in March 2022. Although the core objectives regarding payment data protection remain, the speed at which payment technologies and processes have evolved over nearly two decades has necessitated a number of changes in the ‘how’.

In this article, we’ll take a look at the most recent changes made from v3.2.1 to v4.0 and how organisations need to factor them into their ongoing security, improvement and compliance processes.

Goals for Creating PCI DSS v4.0

The PCI Security Standards Council (PCI SSC) creates, enforces, and updates the PCI DSS. To guide the creation of v4.0, the council set the following goals:

  • Ensure that PCI DSS continues to meet the security needs of the payments industry.
  • Promote security as a continuous process.
  • Add more flexibility by allowing organisations to use additional/customisable methodologies to achieve their security objectives.
  • Enhance validation methods to increase reporting transparency and granularity.

These objectives were driven by industry feedback and calls to provide new controls that can help organisations address sophisticated cyberattacks and reliably protect payment data.

The Transition from PCI DSS v3.2.1 to v4.0

PCI DSS v4.0 replaces v3.2.1, which was released in May 2018. Nonetheless, v3.2.1 will remain operational for two years, until March 2024, when it will be retired. This transition period is meant to help organisations familiarise themselves with v4.0, giving them sufficient time to update their reporting infrastructure and implement the changes in order to achieve compliance by 31st March 2025, the cut-off date by which all organisations beholden to PCI DSS must have implemented v4.0.

In addition to updating the standard, the PCI SSC published new supporting and validation documents to its document library. These include:

  • Revision 1 of the Summary of Changes from PCI DSS v3.2.1 to v4.0.
  • The v4.0 Report on Compliance (ROC) template.
  • The Attestation of Compliance (AOC) forms for the ROC.
  • Frequently Asked Questions (FAQs).

Also, the main document was renamed Payment Card Industry Data Security Standard: Requirements and Testing Procedures. Around Q2 of 2022, supporting and training documents for Internal Security Assessors (ISA) and Qualified Security Assessors (QSA) will be released.

What’s New in PCI DSS v4.0

In PCI DSS v4.0, the 12 core requirements from v3.2.1 remain intact. However, the new version expands these requirements into several new areas to incorporate industry feedback and the latest best practices.

The aim is to enable organisations to protect cardholders’ data by modernising their security infrastructure, strengthening their defences against many kinds of cyberattacks, and maintaining a robust information security policy.

The most significant changes in v4.0 are in the following areas:

Security

PCI DSS v4.0 sets higher security standards to match the industry consensus that new security methods are required to address new threats and risks. It introduces new e-commerce and phishing requirements and includes guidance to help companies better understand how to implement and maintain security. Top management should allocate more funds and empower their delegates in charge of implementation to enact these new requirements accordingly.

Authentication

PCI DSS v4.0 is built with a zero-trust mindset. It provides additional guidance regarding Multi-Factor Authentication (MFA) to strengthen access to payment and control processes. It also implements the use of a 3DS Core Security Standard upon transaction authorisation. Not only are MFA requirements more stringent in v4.0, but companies can also build their own authentication standards to meet their transaction objectives and data security regulatory requirements. The new version also aligns with NIST password guidance, with updates made to password requirements as a result. For instance, it stipulates that passwords must be changed at least once every 12 months and contain at least 15 characters. It also requires organisations to compare all prospective passwords against a list of known bad passwords.
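As an added illustration (not part of the original article and not SecureFlag's own code), the following Python sketch applies the three password rules described above at password-set time and at review time. The sample denylist, the 365-day reading of "12 months", and the whitespace/case normalisation are assumptions.

```python
from datetime import date, timedelta

# Policy values as described in the article's summary of PCI DSS v4.0:
# at least 15 characters, changed at least once every 12 months,
# and never on a list of known bad passwords.
MIN_LENGTH = 15
MAX_AGE_DAYS = 365  # assumption: "12 months" approximated as 365 days


def normalise(candidate: str) -> str:
    """Case-fold and strip surrounding whitespace so that trivial variants
    of a known bad password ("Password123456 ") still match the denylist."""
    return candidate.strip().casefold()


# Constructed sample denylist for the example only; a production list would
# be loaded from a breached-password feed and stored already normalised.
KNOWN_BAD = {normalise(p) for p in (
    "password123456",
    "welcome1welcome1",
    "Summer2022!!!!!",
)}


def evaluate_password(candidate: str, denylist=KNOWN_BAD) -> list:
    """Return the list of policy failures for a prospective password.
    An empty list means the candidate satisfies the length and denylist rules.
    len() counts code points, so a 15-character Unicode passphrase is accepted."""
    failures = []
    if len(candidate) < MIN_LENGTH:
        failures.append(f"shorter than {MIN_LENGTH} characters")
    if normalise(candidate) in denylist:
        failures.append("matches a known bad password")
    return failures


def rotation_status(last_changed: date, today: date) -> tuple:
    """Return (is_expired, days_until_expiry) for the 12-month rotation rule.
    days_until_expiry is negative once the password is overdue."""
    expiry = last_changed + timedelta(days=MAX_AGE_DAYS)
    return today >= expiry, (expiry - today).days


if __name__ == "__main__":
    print(evaluate_password("Password123456"))
    print(rotation_status(date(2023, 1, 1), date(2023, 12, 1)))
```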

Flexibility and Customisation

For organisations using different methods to achieve their security goals, v4.0 provides several new best practices and requirements. It sets out the conditions under which group, shared, and public accounts may be permitted. In addition, it supports a customised approach to enforcing and validating requirements.

This is one of the key differences between v4.0 and earlier versions, which were more specific and prescriptive. While v4.0 keeps the previous prescriptive method for compliance, it replaces compensating controls with customisable implementation. Thus, companies can either perform the control as prescribed or design their own customised controls without needing to provide operational or technical justifications.

Encryption

The new standard adds a new requirement that disk-level or partition-level encryption should be used only to render the PAN unreadable on removable electronic media. It also includes a requirement to encrypt electronically stored Sensitive Authentication Data (SAD) before authorisation is completed.

In addition, v4.0 addresses the issue of malicious code that allows attackers to retrieve cardholder data. It also provides insights and best practices on how companies can protect network transmissions.

Risk analysis

PCI DSS v4.0 provides additional guidance on conducting risk analyses so that organisations can set the frequency of security activities. These analyses are primarily used as part of the compensating control worksheet. The new version provides a Sample Targeted Risk Analysis Template, with additional information on how the PCI SSC expects organisations to carry out risk analyses.

Testing

Companies may be required to conduct critical control testing to comply with v4.0. Both the depth of critical control testing and the amount of testing required are greater in v4.0.

For a more comprehensive view of all these changes, review the PCI SSC’s Summary of Changes document.

Secure Coding Training

PCI DSS v4.0 adds new requirements for secure coding training. This training must ensure trainees are more aware of the threats and vulnerabilities that may affect the security of the cardholder data environment (CDE). The programme must also improve practitioner awareness of the acceptable use of end-user technologies. In addition, companies must review these training programmes at least every 12 months and update them as required.

Secure Coding Training Requirements in PCI DSS v4.0

Since secure coding training is such an important aspect of PCI DSS v4.0, organisations must invest in the right training partner and programme. However, old-fashioned training methods that rely on videos, slides, static quizzes, or outdated examples are far from sufficient to meet the new training requirements articulated in PCI DSS v4.0.

Effective training programmes are practical, hands-on, and up-to-date. They empower developers to understand the evolving threat landscape and to identify new threats and vulnerabilities in payments environments. The right programme walks them through how to avoid and fix common coding vulnerabilities by having them test the exploit and write the fix in a real environment - fixing real software with real code - rather than merely reading and recycling answers on a multiple-choice form.

SecureFlag offers such secure coding programmes. With SecureFlag, developers learn how to identify and remediate threats and vulnerabilities through 100% hands-on exercises. These exercises are delivered in a real-world simulated environment that’s created on-demand and accessed through a familiar web browser to minimise onboarding time.

To solve these exercises, developers use the tools they already know and are comfortable with. This additional familiarity enables them to meet their learning objectives and easily apply the lessons to their everyday duties for tangible and beneficial results. SecureFlag also provides individual learning paths for customised learning that matches each learner’s background and skills level.

Contact us to learn more about SecureFlag’s industry-leading secure coding programmes.