What Are the Major Changes in PCI DSS 4.0 That Impact Your Business?

Companies that process credit cards must comply with the Payment Card Industry Data Security Standard (PCI DSS). The payment card industry adopted these standards to protect the security and privacy of cardholder data. The current standard version, PCI DSS 3.2.1, will remain in place until March 31, 2024. After that date, organizations must comply with the updated requirements in PCI DSS 4.0.


The new version of PCI DSS includes substantial changes to the current standards. Businesses need to understand the scope and details of these changes. This will enable them to take the necessary measures to address them and maintain regulatory compliance.

This article examines the major changes incorporated into PCI DSS 4.0 that may impact your business. We will use the PCI Security Standard Council’s (PCI SSC) Summary of Changes from PCI DSS Version 3.2.1 to 4.0 as the foundation of our discussion.

Three Types of Changes in PCI DSS 4.0

Three types of changes are defined in PCI DSS 4.0.

  • Evolving requirements are changes necessary to address emerging threats and new technologies that impact the protection of cardholder data. Changes of this nature should be expected with each new iteration of the standards.
  • Clarification or guidance is incorporated into PCI DSS 4.0 to enhance understanding of requirements and offer additional information on specific topics. Clearly defining the requirements makes it easier for businesses to take the necessary actions to protect cardholder data.
  • The structure or format of requirements may be changed by reorganizing or consolidating information to improve content alignment. These changes are also meant to help organizations comply with the regulations.

The Objectives of PCI DSS 4.0

PCI DSS 4.0 retains the previously defined requirements for protecting payment card information. The new standards were developed to address four objectives. As always, these objectives are designed to protect payment card data. The following objectives were the impetus behind the evolution of the regulatory standards.

Continue to meet the security needs of the payment card industry

The security needs of the payment card industry have to address new types of threats and the technologies used to execute them. The changes in PCI DSS 4.0 that directly focus on evolving threats include:

  • Enforcing stricter multi-factor authentication requirements to minimize the problem of compromised credentials;
  • Updating password requirements to ensure users adequately protect sensitive payment card data;
  • Implementing new requirements regarding e-commerce and phishing to counter ongoing and emerging threats.

Promote security as a continuous process

“Security must be considered a continuous process to counter the sophisticated and determined threat actors intent on compromising payment card data,” says Zachary Jarvinen, Vice President of Exact Payments. Organizations must implement effective measures to ensure their sensitive data is protected. Examples of the focus on more effective security include:

  • Having an organization clearly define roles and responsibilities for individuals addressing each PCI DSS requirement;
  • Providing additional guidance to help individuals understand how to effectively implement and maintain security in the regulated environment.

Increase the flexibility organizations can exercise in achieving the security objectives of PCI DSS

Additional flexibility in how security requirements are met has been incorporated into PCI DSS 4.0. Rather than strictly define how requirements must be addressed, entities can more flexibly enact policies and procedures that fulfill their underlying objectives. Examples of this increased flexibility include:

  • Employing a customized approach to implementing and validating PCI DSS requirements by deploying inventive methods to meet security objectives;
  • Allowing group, shared, or generic accounts to be involved with handling and processing payment card data;
  • Implementing targeted risk analysis procedures to determine how frequently specific activities should be performed.

Improve validation methods and processes

The final objective of PCI DSS 4.0 is to provide companies with clear validation and reporting options for increased transparency. An example is the alignment between information contained in a Report on Compliance (ROC) and the data provided in an organization’s Attestation of Compliance.

The Major Changes in PCI DSS 4.0

There are over 60 changes in PCI DSS 4.0. Some of these changes merely clarify the language used to define a requirement so it is more easily understood by the personnel responsible for ensuring compliance. Others are technical and may have serious ramifications in the way an organization implements the security required to remain compliant.

Following are some of the most impactful changes contained in PCI DSS 4.0.

Risk assessments - A formalized risk assessment procedure must be carried out by organizations using an accepted framework such as NIST SP 800. Service providers must perform risk assessments every six months and whenever a change is made to the regulated environment. Companies that lack experience in conducting risk assessments should strongly consider engaging a third party to ensure it is performed correctly.

Protecting payment card data - The third PCI DSS requirement concerns the protection of cardholder data. Significant changes have been made to the measures businesses must take to meet this requirement. Some of these changes may be hard for companies using legacy storage systems to address effectively. Specific requirements that have changed include:

  • Protecting sensitive authentication data at all times, not only after authorization;
  • Encrypting all stored sensitive authentication data;
  • Removing the option of implementing disk-level encryption on non-removable media;
  • Strengthening the hashing functionality employed to protect cardholder data by mandating the use of a keyed cryptographic hash method.
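The keyed-hash requirement in the last bullet is the one most likely to touch application code. The example below is added here to illustrate it and is not code from the original article or from the PCI SSC: it stores a PAN as an HMAC-SHA256 value under a separate key (the key name `DEMO_KEY`, the test PAN and the helper names are all constructed for the example), so that a stolen table of hashed PANs cannot be checked against candidate card numbers by anyone who does not also hold the key. An unkeyed SHA-256 of the same PAN is computed alongside it only to show that it is reproducible by anyone, which is why PCI DSS 4.0 no longer accepts it on its own.

```python
import hashlib
import hmac

# Constructed demo key. Under Requirement 3 the real key is managed by the
# organization's key-management procedures and is never stored next to the hashes.
DEMO_KEY = bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c")


def luhn_valid(pan: str) -> bool:
    """Luhn check-digit validation so that only well-formed PANs are processed."""
    if not pan.isdigit() or len(pan) < 13:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def keyed_pan_hash(pan: str, key: bytes) -> str:
    """Keyed cryptographic hash (HMAC-SHA256) of the PAN; this is what gets stored."""
    return hmac.new(key, pan.encode("ascii"), hashlib.sha256).hexdigest()


def unkeyed_pan_hash(pan: str) -> str:
    """Plain SHA-256 for comparison only: anyone holding a PAN can recompute it."""
    return hashlib.sha256(pan.encode("ascii")).hexdigest()


def mask_pan(pan: str) -> str:
    """Display masking: at most the first six and last four digits are shown."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def pan_matches(candidate: str, stored_hash: str, key: bytes) -> bool:
    """Match a presented PAN against a stored keyed hash in constant time."""
    return hmac.compare_digest(keyed_pan_hash(candidate, key), stored_hash)


if __name__ == "__main__":
    pan = "4111111111111111"          # constructed test PAN (passes Luhn)
    assert luhn_valid(pan)
    stored = keyed_pan_hash(pan, DEMO_KEY)
    print("display form :", mask_pan(pan))
    print("keyed hash   :", stored)
    print("unkeyed hash :", unkeyed_pan_hash(pan))
    print("matches with key   :", pan_matches(pan, stored, DEMO_KEY))
    print("matches wrong key  :", pan_matches(pan, stored, b"\x00" * 16))
```

The keyed hash is still deterministic for a given key, so it can be used to look up or de-duplicate cards; what changes is that verifying a guess now requires the key, which is held and rotated separately from the hashed data.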

Protecting the environment from malware - Changes have been introduced to PCI DSS 4.0 to address the sophisticated methods used by threat actors to compromise the regulated environment or sensitive data resources.

  • Companies must now scan all removable media used in the environment with a viable antivirus and malware detection solution.
  • Businesses must implement measures to protect email accounts from phishing attacks. Web application firewalls must be used to protect Internet-facing web applications.
  • Scripts used on payment pages need to be documented and tracked to minimize the chances of malicious software gaining entry into the environment.
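The last bullet asks for an inventory of payment-page scripts and a way to notice when one changes. As an added example, not code from the article or from any vendor mentioned in it, the following script parses a payment page, lists every `<script>` element, and compares it with an authorized inventory that records a business justification and an SRI-style digest for each entry. The page content, the inventory, the host names and the digest value `sha256-CONSTRUCTEDDIGEST=` are all constructed for the example.

```python
import base64
import hashlib
from html.parser import HTMLParser


class ScriptCollector(HTMLParser):
    """Collect every <script> element: its src, integrity attribute and inline body."""

    def __init__(self):
        super().__init__()
        self.scripts = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            a = dict(attrs)
            self._current = {"src": a.get("src"), "integrity": a.get("integrity"), "inline": ""}

    def handle_data(self, data):
        if self._current is not None:       # HTMLParser delivers script bodies as data
            self._current["inline"] += data

    def handle_endtag(self, tag):
        if tag.lower() == "script" and self._current is not None:
            self.scripts.append(self._current)
            self._current = None


def sri_hash(content: str) -> str:
    """SRI-style digest: 'sha256-' followed by base64(SHA-256 of the script text)."""
    digest = hashlib.sha256(content.encode("utf-8")).digest()
    return "sha256-" + base64.b64encode(digest).decode("ascii")


# Constructed inventory: external scripts are keyed by URL, inline scripts by digest.
AUTHORIZED = {
    "https://cdn.example.test/pay.js": {"why": "payment form", "sri": "sha256-CONSTRUCTEDDIGEST="},
    "inline:" + sri_hash("window.dataLayer=[]"): {"why": "analytics bootstrap"},
}

# Constructed payment page containing one script that is not in the inventory.
PAGE = """<html><body>
<script src="https://cdn.example.test/pay.js" integrity="sha256-CONSTRUCTEDDIGEST="></script>
<script>window.dataLayer=[]</script>
<script src="https://unknown.example.test/track.js"></script>
</body></html>"""


def audit_payment_page(html: str, authorized: dict) -> list:
    """Return one finding per script that is unknown, unpinned, or changed."""
    parser = ScriptCollector()
    parser.feed(html)
    findings = []
    for s in parser.scripts:
        if s["src"]:
            entry = authorized.get(s["src"])
            if entry is None:
                findings.append(f"unauthorized script: {s['src']}")
            elif not s["integrity"]:
                findings.append(f"missing integrity attribute: {s['src']}")
            elif s["integrity"] != entry["sri"]:
                findings.append(f"integrity mismatch: {s['src']}")
        else:
            digest = sri_hash(s["inline"].strip())
            if "inline:" + digest not in authorized:
                findings.append(f"unauthorized inline script: {digest}")
    return findings


if __name__ == "__main__":
    for finding in audit_payment_page(PAGE, AUTHORIZED):
        print(finding)
```

Run against a stored copy of the page on a schedule, the same function also flags an inline snippet whose text has been altered and an external script whose `integrity` value no longer matches the inventory, which covers the change-detection half of the requirement.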

Changes to password and authentication procedures are included in the new standards.

  • The minimum password length has been increased to 12 characters, and passwords must contain both letters and numbers.
  • Passwords cannot be hardcoded into files or scripts used for interactive logins.
  • Service providers must change passwords every 90 days if the password is the only authentication method used for customer access to the environment.
  • Multi-factor authentication (MFA) must be used for all access to the regulated environment.
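Two of these points can be checked mechanically: the password minimum from the first bullet and the ban on passwords hardcoded in scripts from the second. The example below is added here and is not code from the article: `password_meets_policy` applies the stated 12-character, letters-and-numbers minimum, and `find_hardcoded_credentials` scans a script for credential assignments while ignoring values that are only references to environment variables or a secrets tool. The sample script, its variable names and the pattern list are constructed for the example; a real scan would also need to be tuned for the languages and secret formats in use.

```python
import re

MIN_LENGTH = 12


def password_meets_policy(pw: str) -> bool:
    """At least 12 characters containing both letters and digits (other controls,
    such as MFA, are enforced elsewhere)."""
    return (len(pw) >= MIN_LENGTH
            and any(c.isalpha() for c in pw)
            and any(c.isdigit() for c in pw))


# Credential-style assignment: KEY = value, with an optional matching quote pair.
CREDENTIAL_PATTERN = re.compile(
    r"""(pass(?:word|wd)?|pwd|secret|token|api[_-]?key)\s*[:=]\s*(["']?)([^"'\s]+)\2""",
    re.IGNORECASE,
)


def is_indirect(value: str) -> bool:
    """Values that pull the secret from the environment or a vault are not hardcoded."""
    return value.startswith(("$", "%", "${", "$("))


def find_hardcoded_credentials(text: str) -> list:
    """Return (line number, key, value) for every literal credential in the text."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = CREDENTIAL_PATTERN.search(line)
        if m and not is_indirect(m.group(3)):
            findings.append((lineno, m.group(1), m.group(3)))
    return findings


# Constructed sample script: one literal password, two indirect references.
SAMPLE_SCRIPT = """#!/bin/sh
# constructed sample script used to illustrate the scan
DB_USER=app
DB_PASSWORD=Hunter2Hunter2
export API_TOKEN="${VAULT_API_TOKEN}"
SECRET=$(vault read -field=value secret/app)
"""


if __name__ == "__main__":
    for candidate in ("Tr0ub4dor", "correct-horse-7", "abcdefghijkl"):
        print(f"{candidate!r:20} meets policy: {password_meets_policy(candidate)}")
    for lineno, key, value in find_hardcoded_credentials(SAMPLE_SCRIPT):
        print(f"line {lineno}: literal {key} value ({len(value)} chars)")
```

The scanner reports the line and key but only the length of the value, so its own output does not become another place where the secret is written down.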

Security awareness has taken on greater importance in PCI DSS 4.0. Companies need to document and update security awareness programs every 12 months or if new vulnerabilities are detected. Security training programs should be focused on addressing specific threats to the environment such as phishing.

Working With a PCI DSS Compliant Hosting Service

Companies have two basic options when processing customer payment card data. One choice is to implement a regulated environment themselves, either employing an on-premises data center or a mix of cloud services. This approach requires a substantial financial investment and the personnel and technical expertise necessary to maintain the infrastructure.

The second option is for a business to partner with an experienced cloud service provider that offers PCI DSS compliant hosting options. This method provides an infrastructure capable of PCI DSS compliance without requiring a large financial investment. Companies can leverage the experience of their service provider to address gaps in internal expertise or headcount.

Atlantic.Net offers its customers PCI-compliant hosting solutions that eliminate businesses' uncertainty over their compliance standing. The hosting experts at Atlantic.Net understand the security services your business needs to safely and securely process payment card data.

Contact Atlantic.Net today and find out how easy it can be to streamline your company’s PCI compliance with a reliable and experienced web hosting provider.
