Article

PCI DSS version 4.0 is here: What you need to know now

New standard represents a significant shift in how companies maintain compliance

March 14, 2023

Key takeaways

PCI DSS 4.0 introduced 64 new requirements that organizations need to comply with if applicable.

The new PCI DSS mandates take effect in three stages, with compliance required in early 2025.

An outcome-focused approach in version 4.0 is a pivotal shift in PCI compliance methodology.

It is important to assess your compliance efforts and review PCI DSS changes that affect you.

#
Fashion & apparel Retail Financial institutions Regulatory compliance Grocery Consumer goods Cybersecurity consulting Cybersecurity
Financial services Technology industry Beauty Risk consulting

In early 2024, the Payment Card Industry Security Standards Council (PCI SSC) is enacting version 4.0 of the PCI Data Security Standard (DSS), setting a requirement for organizations’ full compliance in early 2025. This new version of the PCI DSS marks a significant change from the current version (3.2.1) in use by entities today. It also introduces a fundamental shift in a key premise of the prescribed standards that will have a permanent and far-reaching impact on how organizations implement, manage and report their PCI DSS compliance.

The PCI SSC released PCI DSS 4.0 on March 31, 2022, and introduced 64 new requirements organizations need to comply with if applicable to their environments. As with any major compliance framework update, organizations should take a proactive approach between the standard’s release and its effective date.

The mandates defined under the new PCI DSS take effect in three stages. The first is for 13 new requirements effective immediately for any PCI DSS 4.0 Report on Compliance (ROC) or Self-Assessment Questionnaire (SAQ) validation assessment completed since the release of the new standard. The second is after March 31, 2024, when the current version of the standard PCI DSS 3.2.1 retires. All assessments completed on or after April 1, 2024, will need to be under PCI DSS 4.0. Finally, the remaining 51 new requirements are best practices until March 31, 2025, and are required to be in place on April 1, 2025.

While such staging could minimize certain impacts over a two-year period, this prioritization doesn’t necessarily correspond to the complexity implicit in each—meaning some of the more challenging new requirements are slated for the earlier date. Now is the time to become familiar with the anticipated changes to better prepare your organization for a smooth transition to version 4.0.

Purpose of the changes

Version 4.0 of the standard incorporates wide-ranging feedback from stakeholders on industry trends, evolving threat landscapes and changes to payment processes at many organizations. The PCI Council summarized its goals for version 4.0 as follows:

  • Ensure the standard continues to meet the security needs of the payment card industry
  • Add flexibility and support additional methodologies to achieve security
  • Promote security as a continuous process
  • Enhance validation methods and procedures

The continued evolution of existing payment technologies and the resulting shift in the underlying security landscape have been the major drivers in the update of the standard. Some of the more common catalysts for the change include emerging technology deployment and storage solutions such as cloud services, software as a service (SaaS) and co-located data centers.

Significant changes

Flexibility is, in fact, the key theme with the changes to the standard. Based on guidance the PCI Council has released so far, version 4.0 supports a more pronounced business-as-usual approach to the 12 core requirements by adding flexibility in how organizations determine, document and meet the requirements. The PCI Council has added customized approach objective statements to each requirement.

The objective statement is meant to clarify the purpose of each requirement, and organizations can now meet the intent of the controls in the standard without having to adhere solely and unilaterally to the prescribed controls defined in the previous and existing version of the DSS (3.2.1). This outcome-focused approach in version 4.0 is a pivotal shift in PCI compliance methodology that gives organizations greater freedom and responsibility to demonstrate how they meet PCI DSS requirements.

With this increased flexibility comes a new means of implementing—and assessing against—the standard. Organizations can retain the option of their existing defined implementation: following current requirements and testing procedures. However, risk-mature organizations can leverage the outcome-focused, customized approach. For example, what if an organization has a documented, risk-based reason for not implementing a password standard as prescribed, the organization can still be compliant by demonstrating it is meeting the customized approach objective of the requirement.

Merchants and services providers that implement customized controls to meet the objective of a requirement will be required to complete a targeted risk analysis for each control and document and retain evidence supporting the maintenance, testing and effectiveness of these controls. The PCI-qualified security assessor will then review the customized control documentation and develop test procedures to validate the control design and its effectiveness. This collaborative validation of a customized approach is a new and exciting aspect of 4.0.

Finally, though the 12 core PCI requirements will remain the same, the intent and content of some sub-requirements have changed to reflect security best practices, keep pace with evolving threat landscapes and reflect changes in technology.

Next steps

While the release of PCI DSS 4.0 was delayed multiple times, now that it is released, the standard’s effective date is approaching quickly. It is important to regularly assess your compliance efforts and review the changes to the PCI DSS that affect your organization.

Version 4.0 now requires all organizations to annually review, confirm and document the scope of their environment subject to the PCI DSS. Documenting business and technical processes, data flows, network diagrams and system component inventories is the foundation for compliance activities. Lack of insight in this area has long been a hindrance to compliance for many organizations, as it is impossible to protect the cardholder data environment or justify appropriate intent and an outcome-based control set if you are unsure of its boundaries.

Now is the time to conduct readiness assessments to help you identify the processes, technical controls, documentation and other security measures that will need to be adjusted to comply with version 4.0. That leaves the remainder of this year as the ideal time to conduct working sessions on your organization’s PCI compliance philosophy and identify and document gaps.

Version 4.0 represents a significant shift in the way organizations can demonstrate PCI DSS compliance. Engaging RSM as your trusted advisor throughout this process can ease the transition and help your organization navigate these changes successfully while maximizing the value of your security compliance efforts in this and other areas.

RSM contributors

  • Joe Benfatti
    Partner
  • Sebouh Karakashian
    Sebouh Karakashian
    Director

Related insights

Recorded webcast

PCI DSS version 4.0:
What is the change really about and what do you need to do?

Join us for a webcast to review the updated PCI DSS 4.0 standard and what steps you need to take now to make sure your organization knows what steps are needed for compliance.