How will the key changes introduced by PCI DSS 4.0 impact businesses that accept credit cards?

Technology is constantly evolving — and so are the standards to protect sensitive data and information. The Payment Card Industry Security Standards Council (PCI SSC) has recently released their new global Payment Card Industry Data Security Standard (PCI DSS), or PCI DSS 4.0. This new standard is intended to provide a baseline for the technical and operational requirements designed to protect account data. What does that mean for Canadian businesses that accept payment cards?

The updated requirements will introduce new considerations for businesses across all industries. Let’s review the changes, timelines, and actions your organization can take to transition to PCI DSS 4.0 and comply with the new standard successfully.

What is PCI DSS?

PCI DSS is an information security standard developed and administered by the Payment Card Industry Security Standards Council to reduce fraud and protect cardholder data. It applies to all entities that store, process, and/or transmit cardholder data.

Compliance with PCI DSS is a contractual agreement between the business and its acquirer — or the financial institutions that initiate and maintain relationships with merchants that accept payment cards. Validation of compliance is performed on an annual basis.

Why was PCI DSS 4.0 introduced?

The PCI SSC updated the Data Security Standard to include new and evolving technologies that the previous version did not consider. These changes will help the payment card industry keep pace with rapid technological advancements and address evolving threats.

The PCI SSC incorporated feedback on the evolving payment industry from participating organizations to create PCI DSS 4.0. The new version includes expanded requirements and improved verbiage to make the standards clear for all involved parties. It also aims to provide greater flexibility and support a customized approach toward meeting the new compliance standard.

What are the timelines for PCI DSS 4.0 compliance?

While PCI DSS 4.0 is currently active, PCI DSS version 3.2.1 will be retired as of March 31, 2024, and can no longer be used in assessments. Additionally, PCI DSS 4.0 contains future-dated requirements that come into effect on March 31, 2025. Assessments conducted after March 31, 2025, will include all requirements.

This is intended to give organizations the time to understand the changes in PCI DSS 4.0 and implement updates to meet the new requirements. It is essential to evaluate and update your security measures and controls as soon as possible to ensure compliance with the new standard.

What are the key changes in PCI DSS 4.0?

PCI DSS 4.0 introduces many changes to mitigate new and emerging risks in the payment card industry landscape. Several of the most impactful changes to keep in mind as your organization transitions to PCI DSS 4.0 compliance include:

Targeted risk analysis

PCI DSS 4.0 will require your organization to complete targeted risk analysis that covers threats, risks, and mitigations. The new requirement includes documenting the targeted risk analysis for each requirement that specifies a control frequency.

Credentialed scanning

The new standard will require in-depth credentialed scanning to improve security and identify potential system vulnerabilities. This may expose more vulnerabilities than previous scans and require more time to complete risk remediation. Additionally, organizations will need to ensure the credentials used for the scanning are securely managed.

Automated log review

PCI DSS 4.0 introduces and clarifies the requirements for automated log review mechanisms. The new standard will require the constant monitoring of systems to detect and respond to any potential security issues in a timely manner.

Key and certificate inventory

The updated standard will require your organization to maintain a clear inventory of cryptographic keys, key custodians, and applicable expiry dates. It will also require your organization to maintain an inventory of certificates that includes the issuing authority, date, and validity period.

Scope clarification

PCI DSS 4.0 emphasizes accurately defining the scope of your organization’s cardholder data environment (CDE). This includes validating your infrastructure, documenting locations and data flows, security authentication systems, and more to ensure the scope of your CDE is clearly defined.

eCommerce control

Your organization will need to update its eCommerce controls to align with PCI DSS 4.0. These updates will focus on ensuring the integrity and safety of third-party scripts to prevent hacking attacks by implementing mechanisms to identify unauthorized modifications.

Customized approach

Entities with demonstrated maturity in adhering to PCI DSS requirements have the option to adopt a customized approach to comply with PCI DSS 4.0. This approach allows entities to implement controls to meet the stated requirements in a way that does not strictly follow the defined requirement.

Each customized implementation will be different and there are no defined testing procedures. However, the assessor is required to derive testing procedures that are appropriate to the specific implementation to validate that the selected controls meet the stated PCI DSS objectives.

This approach allows for greater flexibility in meeting PCI DSS objectives and supports innovation in security practices. However, a customized approach also requires more documentation to demonstrate compliance with PCI DSS 4.0 requirements. 

How can my organization ensure compliance with PCI DSS 4.0?

Depending on the size and complexity of your environment, your organization may need to make considerable adjustments to its security measures and controls to comply with the new PCI DSS 4.0 requirements. We’ve summarized several key areas to focus on during the transition period to help ensure your organization meets the new requirements by the March 31, 2025, deadline:

Review the new requirements

It is essential to conduct a thorough review of the new requirements before your organization begins to implement the changes introduced by PCI DSS 4.0. This will help you fully understand each requirement and identify where changes need to be made in your security measures and controls to ensure compliance with the new standard.

Take a phased approach

A phased approach can help your organization introduce the changes required to align with PCI DSS 4.0 standards strategically and effectively. Breaking down the process into manageable stages such as risk prioritization, resource allocation, and employee training can help your organization track its progress toward aligning with PCI DSS 4.0 standards. 

Perform a gap analysis

A gap analysis can help your organization assess the current state of its security practices, identify any deficiencies, and determine where to prioritize your efforts to mitigate the most critical security risks in compliance with PCI DSS 4.0. It will also help you create a compliance roadmap and allocate your resources to ensure your security measures align with the new requirements.

Work with a third party

A third-party advisor such as a Qualified Security Assessor (QSA) can provide guidance and support to your organization during the transition to PCI DSS 4.0. They can work with your organization to help you understand the new requirements as well as provide guidance and recommendations on how to comply with PCI DSS 4.0. Additionally, the third party can perform a gap analysis, documentation updates and mapping, and more to help your organization comply by the deadline. 

Start early

While the deadline may seem far away, it is essential to begin preparing for the changes introduced by PCI DSS 4.0 now. This will help your organization overcome challenges that may surface during the implementation and validation of the new requirements and ensure you achieve compliance.

Take the next steps toward PCI DSS 4.0 compliance

PCI DSS 4.0 will introduce many changes to your organizational systems and controls to increase the security of your sensitive payment data and information, including:

• Targeted risk analysis — Complete targeted risk analysis that covers threats, risks, and mitigations.
• Targeted risk analysis — Complete targeted risk analysis that covers threats, risks, and mitigations.
• Credentialed scanning — Improve security, identify potential system vulnerabilities, and complete risk remediation.
• Automated log review — Constantly monitor systems to detect and respond to potential security issues.
• Key and certificate inventory — Maintain a comprehensive inventory of cryptographic keys and certificates.
• Scope clarification — Accurately define the scope of your organization’s cardholder data environment.
• eCommerce control — Update eCommerce controls to ensure the integrity and safety of third-party scripts.
• Customized approach — In some cases, entities may opt to develop a customized approach to comply with PCI DSS requirements. 

Performing a gap analysis, taking a phased approach, and working with a third party can help ensure your organization meets the new compliance requirements. It is essential to start early to give your organization enough time to address any challenges that may arise while you implement the new security measures.

If you need support to assess whether your controls and security measures align with the new requirements introduced by PCI DSS 4.0, contact a member of MNP’s Cyber Security and Privacy Services. Our team will work with you to set a security and privacy baseline, identify your top threats, and define resilience tactics to effectively future-proof your organization.