PCI DSS 4.0 What You Need To Know

In 2022, the newest version of PCI DSS – Version 4.0 – will be released, and many of our clients ask questions daily about what changes to expect. The critical components of securing credit card data – the 12 core PCI DSS requirements – will not undergo any major changes. However, updates that strengthen security control requirements and add flexibility in how organizations achieve compliance will reflect advances in security technology, risk mitigation techniques and evolving cyber threats.

New PCI DSS Requirements

PCI DSS Version 4.0 has new requirements, but not every one of them will necessarily be “future-dated.” Based on Drummond’s industry knowledge and updates released by the PCI SSC, the following list is a sneak peek of upcoming PCI DSS Version 4.0 requirements:

  • A minimum length of 12 characters will apply to passwords or passphrases – this applies whether or not multi-factor authentication (MFA) has been implemented
  • MFA will be required for all access into the cardholder data environment (CDE), with enhanced or added controls over MFA systems
  • New controls for phishing and malware mitigation
  • Phishing must be included in security awareness training
  • New controls for managing payment page scripts that are loaded and executed in a consumer’s browser
  • Added requirement for a mechanism to detect any unauthorized changes on payment pages
  • Controls will be added for the retention of Sensitive Authentication Data (SAD) stored prior to authorization
  • All SAD will be required to be encrypted with strong cryptography, both for entities storing it before authorization and for issuers retaining SAD for issuing purposes
  • A new requirement will restrict copying during remote access to authorized persons only
  • For hashing the 16-digit primary account number (PAN), new requirements state that the hash must cover the entire PAN and use strong cryptographic procedures
  • Reviews and confirmations of user accounts and privileges will be required every six months
  • Application and system accounts must be based on the minimum privileges needed and limited to the processes in use
  • Cloud applicability now added to Appendix A
  • A risk analysis must be completed for any requirement where an entity uses the customized approach; a targeted risk analysis will also be required to determine how often certain activities must occur
  • Two approaches for complying with PCI DSS v4.0:
    • Defined Approach – Follows the traditional method for implementing and validating PCI DSS and uses the requirements and testing procedures defined within the standard
    • Customized Approach – Focuses on the objective of each PCI DSS requirement and allows entities to determine the controls used to meet the stated objective:
      • No defined testing procedures for customized approach
      • Entity and/or assessor must design testing procedure that ensures customized approach meets the controls’ objectives
  • Compensating controls will still exist for PCI DSS v4.0. The difference between a compensating control and customized approach is:
    • Compensating controls are for entities that cannot meet the requirement due to a technical or business constraint
    • The customized approach is designed for companies meeting the objective in an alternate and novel way
  • Self-Assessment Questionnaires (SAQs) will be updated to reflect PCI DSS v4.0 and give time for the industry to become familiar with PCI DSS v4.0 before replacing SAQs with merchant assessment forms. Self-assessing service providers will continue to use only SAQ-D.
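
The payment-page items above (managing scripts loaded in the consumer’s browser and detecting unauthorized changes) can be backed by a script inventory check. The following is an added example, not Drummond’s or the PCI SSC’s code: it computes Subresource Integrity (SRI) digests for each approved script and reports scripts that are unauthorized, modified or missing. The hosts, script bodies and inventory are constructed for illustration.

```python
import base64
import hashlib


def sri_digest(script_bytes: bytes) -> str:
    """Subresource Integrity value (sha384-<base64>) for a script's exact bytes."""
    digest = hashlib.sha384(script_bytes).digest()
    return "sha384-" + base64.b64encode(digest).decode("ascii")


def check_payment_page_scripts(authorized: dict, observed: dict) -> dict:
    """Compare scripts seen on the payment page with the authorized inventory.

    authorized: {url: expected SRI value} from the written script inventory
    observed:   {url: script bytes} actually loaded by the page
    Returns lists of 'unauthorized', 'modified', 'missing' and 'ok' script URLs.
    """
    findings = {"unauthorized": [], "modified": [], "missing": [], "ok": []}
    for url, content in observed.items():
        if url not in authorized:
            findings["unauthorized"].append(url)  # loaded, but not in inventory
        elif sri_digest(content) != authorized[url]:
            findings["modified"].append(url)      # in inventory, but bytes changed
        else:
            findings["ok"].append(url)
    for url in authorized:
        if url not in observed:
            findings["missing"].append(url)       # approved script not loaded
    return findings


# Constructed sample data (hypothetical hosts and scripts, not real sites).
CHECKOUT_JS = b"function tokenize(pan) { return post('/tokenize', pan); }"
AUTHORIZED = {
    "https://pay.example.test/checkout.js": sri_digest(CHECKOUT_JS),
    "https://pay.example.test/analytics.js": sri_digest(b"track('checkout');"),
}
OBSERVED = {
    "https://pay.example.test/checkout.js": CHECKOUT_JS + b"\n// unexpected edit",
    "https://cdn.example.test/widget.js": b"/* never added to the inventory */",
}


def run_example() -> dict:
    """Run the check over the constructed sample; each non-'ok' list is a finding."""
    return check_payment_page_scripts(AUTHORIZED, OBSERVED)


if __name__ == "__main__":
    for category, urls in run_example().items():
        print(f"{category}: {urls}")
```

The same digest values can be placed in each script tag’s integrity attribute so the browser refuses a changed file, while the periodic comparison above gives the change-detection record an assessor will ask for.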

PCI DSS v4.0 Transition Timeline

The Trusted Experts at Drummond Can Help You Achieve and Maintain PCI DSS Compliance

Drummond offers expert standards testing and compliance services, including effective and robust PCI DSS preparation guidance such as:

Does your organization store, process or transmit credit card data? Drummond’s wide range of services will help you prepare for compliance of the PCI DSS standard and help improve your organization’s overall data security.

Book a Free PCI Consultation

Speak with a Drummond expert to get answers to your most pressing PCI compliance questions and leave with actionable insights.
