Whether you’re a large conglomerate shifting large volumes of funds daily or simply a small business owner, you would want to ensure your payments and transactions are secured to the highest standard.
This is where the PCI Data Security Standards (PCI DSS) come in, standardising the technical and operational requirements to protect payment data across all industries.
Spearheaded by the Payment Card Industry Security Standards Council (PCI SSC), the PCI DSS undergoes regular reviews and updates to stay relevant to the ever-evolving technology and threat landscapes.
The most recent update — v4.0 — was rolled out two years ago on March 31, 2022, four years after its predecessor, v3.2.1. Shaped by over 6,000 items of feedback derived from 200 companies, v4.0 emphasises the importance of treating security measures as a continuous process.
Given how crucial PCI DSS v4.0 is to the payments industry, this article will dive into its mechanics, showcasing how it sets itself apart from its predecessor to bolster the security of payments today.
To better understand PCI DSS v4.0, it is imperative to learn how it sets itself apart from its predecessor, v3.2.1. Below are the key changes introduced with the advent of PCI DSS v4.0:
The world of payments is constantly in flux, and this means the needs of the payments card industry will always evolve. Add to the equation the innovation of new technologies, and it becomes all the more important for PCI DSS to adapt to every change.
Specific to v4.0, PCI DSS introduced the following updates to improve upon v3.2.1:
Multi-factor authentication and password protection: In v3.2.1, multi-factor authentication was required only for administrators; PCI DSS v4.0 makes it mandatory for all users accessing the cardholder data environment. The minimum password length has also been increased from 8 to 12 characters, making passwords more difficult to guess.
Furthermore, v4.0 eliminates the need to change passwords every 90 days. Instead, organisations have the flexibility to dynamically analyse account security posture to determine access to resources automatically.
Security awareness requirements: PCI DSS v4.0 made security awareness training more stringent by implementing specific threats and vulnerabilities into training programmes. These programmes are subject to change, depending on how the payments ecosystem and its associated risks evolve.
Apart from changing the structure of training programmes, policies pertaining to the acceptable use of end-user technology have also been added. This encompasses the access and use of workstations, alongside the consequences of not adhering to acceptable-use policies.
E-commerce requirements: One of PCI DSS v4.0’s biggest changes, e-commerce requirements have introduced stricter measures in managing and handling scripts within payment pages.
These requirements make it mandatory to implement a change- and tamper-detection mechanism that monitors, detects, and alerts administrators when unauthorised changes are made to payment pages.
With these measures in place, it is possible to swiftly detect hacking activities, such as injecting code into payment pages to hijack cardholder forms and redirect consumers to malicious websites.
Besides anticipating prevailing security trends in the payment industry, PCI DSS v4.0 aims to support long-term and continuous processes to protect payment data.
A key issue among many organisations today is that they only implement PCI compliance protocols to pass the necessary assessments. These organisations deprioritise PCI DSS upon receiving their certifications until their next assessment. This means they do not perform routine reviews throughout the year, often leading to failure to comply with PCI requirements.
It is not uncommon for auditors to draft a compensating control as a countermeasure, documenting how the organisation will go the extra mile to implement the original control in the following year.
To further emphasise continuous security measures, PCI DSS v4.0 zooms in on scoping, a critical process that was previously overlooked. Scoping the cardholder data environment ensures all applicable resources, personnel, and security controls are included in the scope of the audit.
With PCI DSS v4.0, organisations must review and document their PCI DSS scopes throughout the year to ensure they stay up-to-date with PCI DSS requirements.
PCI DSS v4.0 also seeks to assign greater responsibility to the organisation by mandating dedicated personnel to take charge of security controls and indicating who is in charge.
To ensure more organisations prioritise security as a continuous process, PCI DSS v4.0 provides them with the flexibility to select security controls most applicable to their business and security needs.
Risk management is a key area that has been overhauled in PCI DSS v4.0. Previously, in v3.2.1, organisations had to perform full annual risk assessments on top of daily, quarterly, bi-annual, or annual interval tests. v4.0 streamlines this process to a significant extent: while full risk assessments must still be done annually, organisations can now define the frequency of their interval tests according to their needs.
PCI DSS v4.0 also introduced a more customisable approach as an alternative for organisations to meet security requirements. This approach equips organisations with the flexibility to meet PCI DSS’s security requirements via new technology and innovative controls.
To validate that the customised controls comply with PCI DSS requirements, the assessor will review the organisation’s customised approach documentation before developing a validation process. While this customised approach requires additional work and documentation from the organisation, it may be preferred by some mature organisations that have tighter security policies of their own.
Finally, PCI DSS v4.0 enhances validation methods and procedures to support transparency and granularity. Specifically, v4.0 promotes greater alignment between information reported in a Report on Compliance (RoC) or Self-Assessment Questionnaire and information summarised in an Attestation of Compliance (AoC). With a more consistent exchange and flow of information, validation and reporting options are defined with increased clarity.
Since its inception on March 31, 2022, PCI DSS v4.0 has been reviewed and gradually rolled out to businesses across the payments ecosystem.
Below is a summary of v4.0’s release cycle to date:
Is your business ready for PCI DSS v4.0?
With its focus on adaptation and continuous security, PCI DSS v4.0 ensures that payment providers and partners alike bolster payments with the latest and highest level of security. 2C2P has, therefore, achieved full PCI DSS v4.0 compliance to reinforce the security of our payment services.
Get peace of mind and an added layer of protection for your business and customers. Chat with our friendly team today.