PCI DSS v4.0: In March 2024, version 4.0 of the Payment Card Industry Data Security Standard became mandatory after a two-year transition phase. Just a few months later, version 4.0.1 was released as a minor update of the standard, which will become mandatory on January 1, 2025. The sunset date for version 4.0 is therefore imminent. In this blog post, we have summarized what you need to consider in this context and which other deadlines you should be aware of.
Version 4.0 says goodbye, the future-dated requirements remain
New requirements were introduced in version 4.0, some of which have a separate deadline as “future-dated requirements”: these new requirements only become mandatory from 01.04.2025. Until then, their implementation is merely recommended as best practice.
You can find everything you need to know about future-dated requirements in our news blog:
https://www.usd.de/en/pci-dss-future-dated-requirements/
and on our YouTube channel:
Nothing really changes with 4.0.1. Or does it?
In version 4.0.1, the PCI Council has incorporated feedback and queries from the Board of Advisors, the Global Executive Assessor Round Table and leading participating organizations. In particular, the objectives and intentions behind certain requirements have been clarified.
Does this have any impact on the measures implemented as part of 4.0.1? Our experienced PCI QSAs have taken a close look at the standard and summarized the most important less obvious changes for you here:
Requirement 3.5.1.1
This requirement stipulates that stored PANs must be rendered unreadable. According to PCI DSS v4.0.1, this can now also be met using a customized approach (“Cleartext PAN cannot be determined from hashes of the PAN.”). Instead of keyed cryptographic hashes, alternative solutions that fulfill the same purpose can be used, such as hashes with secret salts. It is important that all key management processes continue to apply to the secret material involved.
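The following is an added example (not code from the original post or from usd) illustrating why requirement 3.5.1.1 insists on a keyed hash or an equivalent secret: a plain, unkeyed SHA-256 of a PAN can be reconstructed by a reviewer who also has the truncated PAN (first six and last four digits), because only six digits remain unknown. The keyed variant uses HMAC-SHA256 with a key held in a key store and records the key ID alongside the hash, so the key can be rotated under normal key management. The PAN, the key store and the key IDs are all constructed for this illustration.

```python
import hashlib
import hmac
from itertools import product
from typing import Dict, Optional

# Constructed test PAN (a well-known test number, not a real account).
SAMPLE_PAN = "4111111111111111"


def luhn_ok(pan: str) -> bool:
    """Luhn check digit validation; every real PAN passes this."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def unkeyed_hash(pan: str) -> str:
    """The inadequate control: a plain SHA-256 over the PAN."""
    return hashlib.sha256(pan.encode()).hexdigest()


def keyed_hash(pan: str, key: bytes, key_id: str) -> str:
    """Keyed hash (HMAC-SHA256); the key ID is stored so the key can be rotated."""
    mac = hmac.new(key, pan.encode(), hashlib.sha256).hexdigest()
    return f"{key_id}:{mac}"


def verify_keyed(pan: str, stored: str, keys: Dict[str, bytes]) -> bool:
    """Recompute the HMAC with the key named in the stored value and compare in constant time."""
    key_id, mac = stored.split(":", 1)
    key = keys.get(key_id)
    if key is None:
        return False
    expected = hmac.new(key, pan.encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, mac)


def recover_from_unkeyed(stored_hash: str, first6: str, last4: str) -> Optional[str]:
    """Assessor's check: with the truncated PAN at hand, only the six middle
    digits are unknown (at most 10**6 candidates, fewer after the Luhn filter),
    so an unkeyed hash does not render the PAN unreadable."""
    for mid in product("0123456789", repeat=6):
        candidate = first6 + "".join(mid) + last4
        if luhn_ok(candidate) and unkeyed_hash(candidate) == stored_hash:
            return candidate
    return None


if __name__ == "__main__":
    # Toy key store: in practice the key lives in an HSM or KMS (assumption).
    keys = {"k1": bytes.fromhex("00" * 31 + "01")}
    plain = unkeyed_hash(SAMPLE_PAN)
    print("unkeyed hash recovered as:", recover_from_unkeyed(plain, "411111", "1111"))
    token = keyed_hash(SAMPLE_PAN, keys["k1"], "k1")
    print("keyed token:", token)
    print("verifies with correct key:", verify_keyed(SAMPLE_PAN, token, keys))
```

The same enumeration against the keyed token is not possible without the key, which is exactly why the key (or a secret salt under the customized approach) falls under the key management requirements: whoever can read the key store can reduce the keyed hash to the unkeyed case.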
Requirement 3.5.1.2
This requirement states that encryption of PANs at the disk or partition level is not permitted, except for removable media. A new customized approach now allows alternative methods that were previously not possible. In addition, any encryption method that makes PANs available in cleartext without a separate, prior authentication step must comply with the new requirements.
Requirement 8.4.2
Requirement 8.4.2, new in PCI DSS v4.0, requires multi-factor authentication for all access to the cardholder data environment (CDE), whereas previously this only applied to administrative access. Version 4.0.1 specifies that this does not apply to console access and that the requirement does not apply if phishing-resistant authentication factors such as FIDO2 are used.
Requirement 6.3.3
Requirement 6.3.3 (version 4.0.1) stipulates that updates for critically classified vulnerabilities must be installed within one month. In version 4.0, this deadline applied to both highly and critically classified vulnerabilities.
Requirement 9.3.4
The new physical security requirement calls for separate visitor logs for facilities and for the sensitive areas within them that store cardholder data. Previously, a single common log was sufficient. For example, if cardholder data is stored in a server room, a visitor log must be kept both for entry to the building and for access to the server room.
Do you need help preparing for or implementing PCI DSS v4.0.1 in your company? Get in touch - our experts are happy to help.