Updates to Payment Card Industry Data Security Standard (PCI DSS)

The Payment Card Industry Data Security Standard (PCI DSS) is a set of security standards designed to ensure the protection of credit and debit cardholder data. PCI DSS is maintained by the PCI Security Standards Council, which is made up of five major payment card brands, namely Visa, MasterCard, American Express, Discover, and JCB International. The latest version of the standard, PCI DSS 4.0, was released in November 2020.

Changes to PCI DSS - PCI DSS 4.0

PCI DSS 4.0 introduces several changes and updates to the existing requirements, with a particular focus on addressing evolving threats to payment card security. Here are some of the key changes that organizations should be aware of: 

Increased focus on risk management

PCI DSS 4.0 places a greater emphasis on risk management, requiring organizations to implement more robust risk assessment processes. Previously, wherever the standard said ‘periodic’ there was no defined timeframe; now the entity must perform a written ‘targeted risk assessment’ that defines each of these periods and justifies the chosen frequency.

Enhanced requirements for authentication

PCI DSS 4.0 places a greater emphasis on the use of multi-factor authentication (MFA) to protect against credential theft and phishing attacks. MFA is now required for all personnel with non-console administrative access to the cardholder data environment. Previously, in some cases a user could authenticate with MFA into the environment once and not be challenged again; now a second MFA challenge is required to move into the segment where the cardholder data (CHD) actually resides.

Expanded scope

Each entity must now perform a documented annual scoping of its cardholder data environment.

Strengthened web application requirement

Payment pages on websites must sit behind a WAF and use header mechanisms that alert on any change to the payment page, even when the payment page itself is delivered by a third party.
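The kind of change detection the paragraph above describes, as an added example that is not code from the original post or from Foresite: a baseline of approved payment-page scripts is compared against the page and response headers actually served, and any unapproved script, altered script body or missing security header raises an alert. The sample page, script bodies and the choice of Content-Security-Policy as the required header are constructed assumptions for this example.

```python
import hashlib
import re

SCRIPT_SRC_RE = re.compile(r'<script[^>]*\bsrc=["\']([^"\']+)["\']', re.IGNORECASE)
# Assumption for this example: CSP is the response header the page must carry.
REQUIRED_HEADERS = ("content-security-policy",)


def sha256_hex(body: str) -> str:
    return hashlib.sha256(body.encode("utf-8")).hexdigest()


def build_baseline(approved_scripts: dict) -> dict:
    """Map each approved script src to the SHA-256 of the body a reviewer signed off on."""
    return {src: sha256_hex(body) for src, body in approved_scripts.items()}


def audit_payment_page(html: str, fetched_scripts: dict, headers: dict, baseline: dict) -> list:
    """Return alert strings; an empty list means the served page matches its approved baseline."""
    alerts = []
    lowered = {k.lower(): v for k, v in headers.items()}
    for name in REQUIRED_HEADERS:
        if name not in lowered:
            alerts.append(f"missing header: {name}")
    seen = set()
    for src in SCRIPT_SRC_RE.findall(html):  # scripts in the order the browser would load them
        seen.add(src)
        if src not in baseline:
            alerts.append(f"unauthorised script on page: {src}")
            continue
        body = fetched_scripts.get(src)
        if body is None or sha256_hex(body) != baseline[src]:
            alerts.append(f"script content changed: {src}")
    for src in baseline:
        if src not in seen:
            alerts.append(f"approved script missing from page: {src}")
    return alerts


# Constructed sample data: the approved baseline, then a served page where one
# third-party script body was altered, one unknown script appeared and no CSP was sent.
APPROVED = {
    "https://pay.example.test/checkout.js": "function pay(f){return submit(f)}",
    "https://cdn.example.test/analytics.js": "track('checkout')",
}
BASELINE = build_baseline(APPROVED)
PAGE_HTML = """<html><body><form id="card"></form>
<script src="https://pay.example.test/checkout.js"></script>
<script src="https://cdn.example.test/analytics.js"></script>
<script src="https://unknown.example.test/extra.js"></script>
</body></html>"""
FETCHED = {
    "https://pay.example.test/checkout.js": APPROVED["https://pay.example.test/checkout.js"],
    "https://cdn.example.test/analytics.js": "track('checkout');extra()",  # altered body
}
HEADERS = {"Content-Type": "text/html"}  # no Content-Security-Policy header sent

if __name__ == "__main__":
    for alert in audit_payment_page(PAGE_HTML, FETCHED, HEADERS, BASELINE):
        print("ALERT:", alert)
```

In practice the baseline is refreshed only through the change-control process, and the audit runs on a schedule against the live page so that a change by a third-party provider is caught as well as one on the merchant's own site.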

Enhanced requirements

Manual log reviews are no longer allowed; an automated log review must be performed in real time. Internal vulnerability scans must be authenticated. Passwords must now be 12 characters instead of 7, or 8 if MFA is used; likewise, changing passwords every 90 days is only required when MFA is not used. These are just a few of the changes.

Greater transparency and flexibility

The new version of the standard includes more detailed and prescriptive guidance on how to meet the requirements, while also allowing for more flexibility in how organizations achieve compliance. This is intended to make compliance more achievable for organizations with limited resources or unique business models. 

In conclusion, PCI DSS 4.0 is a significant update to the existing standard that reflects the evolving threat landscape and changing payment ecosystem. Organizations that handle cardholder data must understand the new requirements and ensure that they follow the updated standard. While the standard becomes mandatory in April of 2024, many of the new requirements are best practice only until March of 2025. Failure to comply with PCI DSS 4.0 can result in significant fines and reputational damage, so it is critical that organizations take the necessary steps to protect cardholder data and maintain compliance with the latest version of the standard. 

PCI DSS 4.0 Compliance Assistance

Navigating PCI compliance can be difficult. That’s why Foresite offers compliance consulting and the cybersecurity tools needed to reach and maintain compliance. Contact us today to learn more about our PCI DSS compliance consulting and 24/7 cybersecurity solutions. 

Thomas Allen
Principal Consultant / Information Security Officer – C|CISO, CRISC, CCSP, ISO 27001 LA, CISA, CISSP, HCISPP, GCCC, GCFA at Foresite Cybersecurity
