PCI DSS 4.0 is coming: how to prepare for the looming changes to credit card payment rules

For enterprises that handle credit card data, which means just about every consumer-facing company, payment processing is a mission-critical system that requires the highest levels of security.

The volume of transactions conducted with general purpose credit cards (American Express, Discover, Mastercard, Visa, UnionPay in China, and JCB in Japan) totaled $581 billion in 2021, up 24.5% year-over-year, according to the Nilson Report.

However, credit card issuers, merchants, banks, and third-party transaction processors lost $28.58 billion to credit card fraud in 2020, which comes to nearly 7 cents per $100 in purchase volume. And the Nilson Report projects credit card losses will exceed $400 billion over the next 10 years.

In an effort to reduce those losses and keep pace with the rapidly evolving threat landscape, global standards body the Payment Card Industry Data Security Standards Council (PCIDSSC) has issued a major upgrade to its rules governing how credit card data is to be stored, processed and protected.

Full PCI DSS 4.0 compliance required by March 2025

The new regulation – PCI DSS 4.0 – was unveiled in March 2022. The current standard, PCI DSS 3.2.1, will remain in effect until March 2024, when it will be officially retired. There will be a transition period, then organizations will need to be fully compliant with 4.0 by March 2025.

That might seem like a long lead time, but experts say enterprises shouldn’t put off their PCI DSS 4.0 compliance efforts until the last minute. The new regulations represent a significant change. The PCI DSS 4.0 document runs to 360 pages and covers everything from extremely specific items, such as requiring the minimum length of passwords be increased from seven to 12 characters, to general guidance on procedures and policies.

“This is a big deal,” says Marc Rubinnaccio, senior compliance manager at Secureframe, which helps companies automate their compliance efforts. “It is the latest major iteration of the PCI DSS standard and implements significant changes in requirements to focus on maintaining continuous security plus new methods to meet those requirements.”

The new regulations touch on every aspect of security, including firewalls, anti-virus software, network segmentation, multifactor authentication, encryption, access control, active monitoring, intrusion detection, and incident response.

PCI DSS 4.0 compliance is a three-step process

Ian Terry, director of cybersecurity services at AWA International, a consulting firm that performs PCI DSS audits, says that compliance is a three-step process. First, companies need to conduct a comprehensive preassessment to identify gaps in their current systems. Then they need to dig in and perform the required remediation activities aimed at bringing the organization into compliance with the new rules. And finally, they need to bring in a certified auditor or qualified security assessor to conduct a compliance review.

For enterprises, PCI DSS compliance could be a challenge because companies need to juggle these efforts with all of the other technology initiatives that consume IT staff resources, such as cloud migration or digital transformation, Terry says.

What are the biggest changes in PCI DSS 4.0?

Gary Glover, vice-president of assessments at SecurityMetrics, a firm that conducts PCI DSS audits, says there are a total of 53 new regulations in PCI DSS 4.0 that apply to merchants and companies that store or process credit card data, plus another 11 that apply only to transaction processing service providers.

Here are some of the key changes:

Customization: The biggest change on a conceptual level is that PCI DSS 4.0 for the first time allows organizations to take a customized approach to compliance, rather than having to follow the defined requirements of the standard.

For example, the standard talks about passwords, but an enterprise might want to move to an entirely passwordless system that could entail tokens, smart cards, biometrics, encryption keys, or certificates, says Anthony Jones, head of the cybersecurity practice at AWA.

Lauren Holloway, director of data security standards for the PCI DSS Council, emphasizes that the customization option is not aimed at smaller, less tech-savvy companies that might be struggling to meet the standard and need a workaround. It’s quite the opposite – she says the defined approach is “suited for organizations that already have controls in place to meet a requirement and are comfortable with the current methods for validating those controls.”

The customized approach provides greater flexibility and is aimed at organizations that want to use alternate security controls or new technologies. It recognizes that there might be more than one path to achieving a security goal and it enables organizations to innovate, as long as they can demonstrate to an auditor that their approach meets security objectives.

Glover predicts that only the largest and most technologically mature organizations will take the customization route, because it will probably be more expensive, take more time and will be harder to validate. But he points out that the regulations are supposed to be just a baseline and there are companies that will want to deploy advanced or innovative security measures.

Phishing: PCI DSS 4.0 recognizes that many cyberattacks start with phishing, which is both a people issue and a technology one. The regulations require that companies deploy automated email security software aimed at identifying and blocking phishing emails.

PCI DSS 4.0 also shifts security and awareness training from a best practice to a requirement that organizations review and update security awareness programs at least once every 12 months. It also specifies that security training include awareness of threats and vulnerabilities that could impact the security of the card data environment, as well as awareness about the acceptable use of end user technologies.

E-commerce: The increased prevalence of chip technology in credit cards has, to a large extent, prevented scammers from using a skimmer to steal cardholder data from an ATM, for example. So, hackers have shifted their tactics and are now stealing credit card data during the transaction itself by injecting malicious code into the e-commerce platform. In response, PCI DSS 4.0 requires that companies conduct weekly checks to make sure that third-party scripts which are part of the e-commerce transaction are not infected with malicious code.

Technology: PCI DSS 4.0 tightens up security in a number of technology areas such as requiring multi-factor authentication for all access to credit card data. The previous standard only applied to remote access. The new standard requires encryption of stored authentication data. In 3.2.1 that was only a recommendation. It also requires controls that limit access to the smallest number of people required for a specific business process and detection mechanisms that can quickly identify unauthorized alterations to payment processing systems.

Process: The new standard attempts to codify the concept that security is a continuous process, not a one-time activity. It calls for targeted risk analysis, vulnerability assessments and continuous monitoring of payment processing systems. Companies need to have specific processes in place for identifying high-risk vulnerabilities and addressing those issues. It also calls for improvements to incident response and remediation efforts. PCI DSS 4.0 also provides detailed guidance on validation and testing procedures.

Conclusion: Don’t panic, but don’t procrastinate either

In terms of a timetable for compliance, enterprises should start doing research now to see what steps your organization would need to take to be prepared for the implementation of version 4.0, Rubinnaccio says.

Terry recommends that companies start performing pre-assessments in 2023. The PCI DSS timetable provides “a pretty large runway,” but he recommends that companies not wait until the 11th hour.

Glover adds that PCI DSS 4.0 is a major release, but at the same time, companies don’t need to panic. The new regulations represent a step change, but the basic PCI DSS compliance system hasn’t fundamentally changed and the language in the new regulations will be familiar and recognizable to anyone who deals with regulatory compliance.