PCI DSS 4.0: What You Need to Know
The Payment Card Industry Data Security Standard (PCI DSS) is a set of information security requirements, mandated by the major card brands (Visa, MasterCard, Discover Financial Services, JCB, and American Express), that protects payment card data. As technology evolves and cyber threats become more sophisticated, organizations must stay up-to-date with the latest version of the PCI DSS. PCI DSS 4.0 is the newest version of the standard, developed by the Payment Card Industry Security Standards Council (PCI SSC). It builds upon previous versions and incorporates feedback and insights from industry stakeholders, security experts, and regulatory agencies.
Who Needs to Comply with PCI DSS 4.0
As cloud environments scale with the expansion of e-commerce, so does the footprint of sensitive data—especially sensitive cardholder, account, or authentication data. If your organization accepts credit, debit, or digital card payments, it’s essential to prepare for PCI DSS 4.0 immediately.
Let’s explore the new makeover and learn everything you need to know about PCI v4.0, the latest iteration of the PCI DSS.
Key Compliance Dates
This major update to the PCI Data Security Standard is the first since 2018 (version 3.2.1). The new version promotes a more secure environment for card-based payments while addressing emerging threats and allowing more flexible approaches to meeting its requirements.
The deadline for compliance with the first phase of PCI DSS 4.0 is March 31, 2024. This phase includes 13 new requirements involving planning, assessments, and responsibility designation. The second phase, consisting of 51 deeply technical requirements, must be implemented by March 2025.
Immediate Implementation Changes
PCI DSS 4.0 introduces fundamental changes and updates to strengthen security measures and address emerging threats. Phase 1’s 13 requirements focus on building an accountability framework around operational policies.
Setting Accountability
Currently, 10 of the 13 requirements (2.1.2, 3.1.2, 4.1.2, 5.1.2, 6.1.2, 7.1.2, 8.1.2, 9.1.2, 10.1.2, and 11.1.2) concern identifying, documenting, and assigning the roles and responsibilities of the security and IT teams that handle PCI compliance and security incident remediation. These requirements are effective immediately for all version 4.0 assessments and must be met by the March 31, 2024 deadline.
By formalizing these policies, organizations will have documentation of who is responsible for each aspect of their PCI compliance. This helps build a culture of sound security practice ahead of full implementation in March 2025.
Requirement 12.3.2: Customized Approaches
Version 4.0 introduces the much-requested option of a “customized approach,” which allows organizations to leverage alternative methods to fulfill PCI DSS requirements and meet the desired results.
This is particularly important for organizations that must also comply with other regulatory frameworks, such as GDPR or HIPAA, whose requirements tend to overlap. However, requirement 12.3.2 requires that each customized approach be analyzed and well-documented so that the effectiveness of the controls chosen to meet the requirement can be demonstrated.
Requirement 12.5.2: PCI DSS Scope
Requirement 12.5.2 mandates that organizations define their cardholder data environments (CDEs) and PCI DSS scope, which must be documented and confirmed at least once every 12 months. This includes the CDEs themselves and the processes, stakeholders, and technology that store, process, or transmit cardholder data or sensitive authentication data.
Requirement 12.9.2: Notice for Service Providers
Another requirement, 12.9.2, applies only to third-party service providers (TPSPs). It distinguishes the roles and responsibilities of the TPSP and the client with respect to how the TPSP manages the client’s CDE. Upon request by the client, the TPSP must also provide the status of its PCI DSS compliance and details about which PCI DSS requirements it is responsible for.
Best Practices for PCI DSS 4.0
There are 50+ new requirements in PCI DSS v4.0 – it’s important to understand which requirements apply to your business and what is needed to meet them. For the complete list of requirements, including those currently in effect and those that take effect on March 31, 2025, it is highly recommended to review the PCI SSC’s summary of changes.
The PCI council placed emphasis on several new areas, including documenting responsibility requirements, securing e-commerce firewalls, protecting payment pages, rotating passwords, performing targeted risk analyses, scanning for vulnerabilities, using multi-factor authentication, automating alerts from security information and event management (SIEM) systems, data governance, and incident response.
How BigID Addresses PCI DSS 4.0 to Safeguard Card Payment Data
PCI DSS 4.0 represents a significant milestone in the continued effort to secure payment card data and combat cyber threats. By understanding the fundamental changes and updates introduced in PCI DSS 4.0, organizations can strengthen their security defenses and ensure compliance with the latest industry standards.
BigID can help you achieve compliance with PCI DSS 4.0 requirements. Compliance with PCI DSS starts with establishing a solid foundation of data discovery and classification of account data, which consists of cardholder data and sensitive authentication data. Additionally, BigID supports most of the data source types listed within the PCI DSS framework.
With BigID, organizations can:
- Discover and classify all types of sensitive and account data accurately and at scale.
- Automatically identify and gain granular context about sensitive data.
- Customize classifiers to accurately identify payment-related data unique to your organization.
- Connect to 300+ data source types across the cloud and on-prem – structured, unstructured, or semi-structured.
- Set policies around specific account data types that require encryption, masking, retention, minimization, and more.
- Gain insights about data access issues around high-risk, sensitive, or critical payment-related data across your environments.
- Identify, flag, assess, and prioritize file access risk to sensitive payment-related data.
- Map cardholder identities to their personal and sensitive data and maintain a central view of breach exposure and incident response.
- Mitigate risk with remediation workflows, fully delegating to data owners to reduce the attack surface and protect cardholder data.
Start meeting PCI DSS compliance and mitigate data risk today. Get a 1:1 demo with our security experts to see BigID in action.