PCI DSS v4.0: The Transition Phase Is Over. What Will Change for You?

April 2, 2024

On March 31, 2024, the previous version 3.2.1 of the Payment Card Industry Data Security Standard (PCI DSS) expired. While companies were able to decide for themselves which version of the standard to base their PCI assessment on during the two-year transition phase, the guideline has been clear: since April 1, 2024, all assessments for the annual review of PCI DSS compliance must be carried out in accordance with version 4.0.

Are you facing your first PCI DSS v4.0 assessment this year? Are you wondering what will change for you? In this blog post, we give you a brief overview:

Are PCI DSS v4.0 assessments different?

No, the assessment process remains essentially the same. Planning, conducting and dealing with findings will not change with the new version. Our assessors will continue to start with a kick-off and may request initial documents as part of the assessment planning before the actual assessment is carried out. Assessments may continue to be carried out remotely, provided the environment under assessment allows it.

Most of the changes can be found in the relevant documentation, the evidence and, of course, in the requirements themselves.

Update of RoC and AoC

After successful completion of the assessment, your QSA will create a "Report on Compliance" (RoC) and an "Attestation of Compliance" (AoC) for you to prove compliance with the PCI DSS. These two documents have been revised as part of the new version 4.0, but their structure has remained the same. Your PCI assessor is already using the new templates, so there is no need for you to familiarize yourself with the revised documents.

More detailed evidence required

The RoC describes how the individual PCI DSS requirements are implemented in your company, i.e. the security situation, the environment, the systems and the protection of cardholder data in your company. It also documents how the PCI assessor proceeded when checking the respective requirement.

PCI DSS v4.0 requires more detailed evidence in the RoC from now on. A simple confirmation of compliance is no longer sufficient; references to specific configurations, screenshots or documentation are also required. Example: While it was previously sufficient for your assessor to confirm that your company complies with the requirement for a minimum password length, the PCI DSS v4.0 RoC now requires proof that this is enforced.

New requirements

A total of 64 new requirements were introduced with version 4.0. Only a comparatively small number, specifically 13 requirements, have become mandatory as of April 1, 2024. These must be implemented in time for your next assessment if they have not already been implemented.

The remaining new security requirements in PCI DSS v4.0 are marked as "future-dated". The PCI Council has granted an additional year to implement these requirements. However, these must also be fully implemented as described in the standard by March 31, 2025 at the latest. Until these requirements officially come into effect, they count as best practice.

What does this mean for you? Your PCI assessor will discuss the status of implementation in the next assessment, but will only document recommendations rather than a finding in the event of non-compliance or insufficient compliance. While this might sound reassuring for now, we recommend that you start reviewing and implementing future-dated requirements in good time, as some of these will require quite some effort and have significant consequences.

The following future-dated requirements, for example, require extensive implementation:

  • Requirement 3.5.1.2: Disk encryption is only acceptable for removable media
  • Requirement 3.5.1.1: Hashing of PANs must use a keyed cryptographic hashing algorithm
  • Requirement 3.4.2: Prevention of PAN copying while using remote-access technologies
  • Requirement 6.4.3, 11.6.1: Payment Page protection
  • Requirements 7.2.5, 7.2.5.1, 8.6.1-3, 10.2.1.2: Handling of technical accounts
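As an added illustration of requirement 3.5.1.1 (this is example code, not part of the original post or any usd AG tooling): an unkeyed hash of a PAN can be recomputed by anyone who obtains the hash and a candidate PAN, whereas a keyed hash (here HMAC-SHA256) cannot be reproduced without the secret key. The key is generated locally for the demo; in practice it is assumed to live in a key-management system, and the sample PAN is a constructed test number.

```python
import hashlib
import hmac
import secrets

# Constructed sample: a well-known test card number, not a real account.
SAMPLE_PAN = "4111111111111111"


def luhn_valid(pan: str) -> bool:
    """Return True if the digit string passes the Luhn check."""
    checksum = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        checksum += d
    return checksum % 10 == 0


def unkeyed_pan_hash(pan: str) -> str:
    """Plain SHA-256: deterministic for everyone, so it offers no secret to protect the PAN."""
    return hashlib.sha256(pan.encode()).hexdigest()


def keyed_pan_hash(pan: str, key: bytes) -> str:
    """HMAC-SHA256 of the PAN under a secret key, as 3.5.1.1 requires.

    Input is validated first so malformed data never reaches the hashing step.
    """
    if not (pan.isdigit() and 13 <= len(pan) <= 19 and luhn_valid(pan)):
        raise ValueError("not a syntactically valid PAN")
    return hmac.new(key, pan.encode(), hashlib.sha256).hexdigest()


def pan_matches(candidate: str, stored_hash: str, key: bytes) -> bool:
    """Constant-time check of a candidate PAN against a stored keyed hash."""
    return hmac.compare_digest(keyed_pan_hash(candidate, key), stored_hash)


if __name__ == "__main__":
    key = secrets.token_bytes(32)   # assumption: in production this comes from a KMS/HSM
    token = keyed_pan_hash(SAMPLE_PAN, key)
    print("unkeyed:", unkeyed_pan_hash(SAMPLE_PAN))
    print("keyed:  ", token)
    print("match:  ", pan_matches(SAMPLE_PAN, token, key))
```

Two deployments using the same unkeyed function produce identical hashes for the same PAN; the keyed variant only matches when the same key is used, which is exactly what makes the key worth protecting.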

"The first PCI certification according to the new standard is an important milestone for many companies," explains Torsten Schlotmann, Head of PCI Security Services at usd AG. "But we strongly advise addressing the future-dated requirements as soon as possible since they present some major technical challenges. Take advantage of our blog posts, webinar recordings and upcoming webinars on PCI DSS v4.0 or get in touch with my team. We will support you, no matter where you stand."
