Written by Kiran Murthy & Eishu Richhariya
Introduction
PCI-DSS stands for Payment Card Industry Data Security Standard. This standard first came into the picture in 2004, and it was formed by Visa, MasterCard, Discover Financial Services, JCB International, and American Express. It is governed by PCI SSC, i.e., Payment Card Industry Security Standards Council.
Applicability: PCI-DSS applies to any company or organization that accepts, stores, processes and/or transmits cardholder data.
When will the new version, PCI-DSS v4.0, take effect?
Until March 31, 2024, an organization may choose which version (v3.2.1 or v4.0) its PCI assessment is conducted against. After this date, v3.2.1 will be retired, and v4.0 will become the single standard.
PCI-DSS v4.0 New Requirements
The new version contains a substantial number of new requirements—64 in total.
- When assessing against v4.0, only 13 of the 64 new requirements are mandatory.
- Until March 2025, the remaining 51 are treated as “best practices”; after the retirement of v3.2.1, it will be mandatory to complete a PCI DSS assessment.
Changes in the Security Objectives of PCI-DSS v4.0
| PCI-DSS v3.2.1 | PCI-DSS v4.0 |
|---|---|
| Build and Maintain Secure Network and Systems | Build and Maintain Secure Network and Systems |
| Protect Cardholder Data | Protect Account Data |
| Maintain a Vulnerability Management Program | Maintain a Vulnerability Management Program |
| Implement Strong Access Control Measures | Implement Strong Access Control Measures |
| Regularly Monitor and Test Networks | Regularly Monitor and Test Networks |
| Maintain an Information Security Policy | Maintain an Information Security Policy |
Changes in the Names of the 12 PCI-DSS Requirements in v4.0
| PCI-DSS v3.2.1 | PCI-DSS v4.0 |
|---|---|
| Install and maintain a firewall configuration to protect cardholder data | Install and maintain network security controls |
| Do not use vendor-supplied defaults for system passwords and other security parameters | Apply secure configurations to all system components |
| Protect stored cardholder data | Protect stored account data |
| Encrypt transmission of cardholder data across open, public networks | Protect cardholder data with strong cryptography during transmission over open, public networks |
| Use and regularly update anti-virus software or programs | Protect all systems and networks from malicious software |
| Develop and maintain secure systems and applications | Develop and maintain secure systems and software |
| Restrict access to cardholder data by business need to know | Restrict access to system components and cardholder data by business need to know |
| Assign a unique ID to each person with computer access | Identify users and authenticate access to system components |
| Restrict physical access to cardholder data | Restrict physical access to cardholder data |
| Track and monitor all access to network resources and cardholder data | Log and monitor all access to system components and cardholder data |
| Regularly test security systems and processes | Test security of systems and networks regularly |
| Maintain a policy that addresses information security for all personnel | Support information security with organizational policies and programs |
Types of Changes
| Change Type | Description |
|---|---|
| Evolving Requirements | Changes made to keep the standard up to date with emerging threats, technologies, and changes in the payment industry. |
| Clarification or Guidance | Updated wording, explanations, definitions, and guidance to increase understanding. |
| Structure or Format | Reorganization of content. |
Two Approaches
Version 4.0 gives organizations new flexibility in how they satisfy the PCI DSS security objectives. This flexibility is reflected in the two distinct approaches to PCI DSS assessment that are permitted under v4.0:
- Defined Approach: The organization is expected to comply with the stated requirements, and assessors conduct the testing procedures as written in the standard. Where gaps exist, compensating controls are implemented. This approach has been consistent since the release of PCI-DSS v3.0.
- Customized Approach: There is no written testing procedure for assessors to follow; instead, the assessor develops a testing procedure to validate the solution the entity has implemented. This approach is aimed at “risk-mature entities”.