Staying Ahead of the Curve: Upgrading to PCI DSS 4.0 Compliance

The PCI Data Security Standard (PCI DSS) is a global payment data standard designed to provide baseline technical and operational requirements for protecting payment data. PCI DSS v4.0 is the next evolution of the standard and applies to all entities that store, process and/or transmit payment data elements, such as credit, debit and other payment card data. With one year to prepare for v4.0 and two years to be fully ready for its future-dated requirements, it is time to assess readiness for PCI DSS v4.0 and establish a detailed plan to meet the requirements within the timelines. PCI DSS 4.0 has already been released and can be used as the version for PCI DSS certification. Although PCI DSS 3.2.1 can be used for assessments until 31st March 2024, some requirements must already be in place to ensure the organization can be certified to PCI DSS v4.0 from 1st April 2024 onwards.
HOW TO TRANSITION TO PCI DSS V4.0 WITHIN A TIMELINE
The transition period is meant to give organizations time to get familiar with the changes in PCI DSS 4.0 while completing the necessary updates to policy and procedure templates, planning for organizational changes, and implementing the additional controls that will allow them to meet the modernized requirements. The transition effort can be divided into two parts.

1. Address the controls related to the immediately effective requirements. These are largely about documenting roles and responsibilities:
- Perform a targeted risk analysis for each PCI DSS requirement that is met with the customized approach.
- Document and confirm PCI DSS scope at least once every 12 months.
- TPSPs support customers' requests for their PCI DSS compliance status and for information about the PCI DSS requirements that are the responsibility of the TPSP. This additional requirement applies only to service providers.

2. Begin implementing the following recommended control measures, to be in place by March 31, 2025:
- Storage of sensitive authentication data (SAD) is kept to a minimum and, where SAD is retained until authorization is complete, it is encrypted using strong cryptography. This also applies to issuers.
- Technical controls prevent copying and/or relocation of PAN when remote-access technologies are used, except where explicitly authorized.
- Where hashing is used to render PAN unreadable, a keyed cryptographic hash of the entire PAN is used, with associated key-management processes and procedures.
- Where disk-level or partition-level encryption is used to render PAN unreadable, it is implemented in accordance with the requirement.
- Certificates used to safeguard PAN during transmission over open, public networks are confirmed as valid and are not expired or revoked.
- A targeted risk analysis is performed to determine the frequency of:
  - periodic evaluation of system components identified as not at risk from malware;
  - periodic malware scans.
- Malware scans are performed when removable electronic media is in use.
- Mechanisms are in place to detect and protect personnel against phishing attacks.
- An inventory of custom and tailored software is maintained to facilitate vulnerability and patch management.
- An automated technical solution for public-facing web applications continually detects and prevents web-based attacks.
- All payment page scripts that are loaded and executed in the consumer's browser are managed.
- All user accounts and related access privileges are reviewed appropriately.
- All application and system accounts and related access privileges are appropriately assigned and managed.
- Passwords/passphrases used as an authentication factor meet a minimum level of complexity.
- Where passwords/passphrases are the only authentication factor for customer user access, they are changed at least once every 90 days, or the security posture of the account is dynamically analyzed to determine access to resources in real time.
- Multi-factor authentication is used for all access into the CDE.
- Passwords/passphrases used for interactive login to application and system accounts are protected against misuse.
- A targeted risk analysis is performed to determine the frequency of periodic inspections of POI devices.
- Audit log reviews are automated.
- A targeted risk analysis is performed to determine how often logs for all other system components are reviewed.
- Failures of critical security control systems are promptly detected, prevented and corrected.
- Internal vulnerability scans are performed using authenticated scanning.
- Multi-tenant service providers support their customers for external penetration testing.
- Covert malware communication channels are detected, alerted on and/or prevented, and addressed using intrusion-detection and/or intrusion-prevention techniques.
- Mechanisms are deployed for payment pages to detect tampering and unauthorized access.
- Targeted risk analyses are documented to support each PCI DSS requirement that provides flexibility in how frequently it is performed.
- PCI DSS scope is documented and confirmed at least every six months and when significant changes occur.
- The impact of significant organizational changes on PCI DSS scope is documented and reviewed, and the results are communicated to management.
- The security awareness program is reviewed at least once every 12 months and updated as needed.
- Security awareness training covers threats that could affect the security of the CDE, including phishing and related attacks, and social engineering.
- Security awareness training covers the acceptable use of end-user technologies.
- A targeted risk analysis is performed to determine the frequency of periodic training for incident response personnel.
- Security incident response plans cover alerts from the change-detection mechanisms for payment pages and unauthorized access to payment pages.
- Incident response procedures are in place and are initiated when PAN is detected.
- Multi-tenant service providers ensure that access to customer environments is logically separated to prevent unauthorized access.
- Multi-tenant service providers confirm, through penetration testing at least once every six months, the effectiveness of the logical separation controls used to isolate customer environments.
- Multi-tenant service providers implement processes or mechanisms for reporting and addressing suspected or confirmed security incidents and vulnerabilities.
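Keyed PAN hashing as described in the list above, as an added example that is not part of the original post: HMAC-SHA256 over the entire PAN, with the key id recorded alongside each hash so keys can be rotated, plus a masked form for display. The keyring, key ids and test PANs are constructed assumptions, not values from any real system.

```python
import hashlib
import hmac

# Constructed sample keyring (assumption): in production the keys live in an HSM
# or key-management service; the key id stored with each hash supports rotation.
KEYRING = {
    "k1": bytes.fromhex("00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff"),
    "k2": bytes.fromhex("ffeeddccbbaa99887766554433221100ffeeddccbbaa99887766554433221100"),
}
CURRENT_KEY_ID = "k2"  # newly stored PANs are hashed under this key


def luhn_valid(pan: str) -> bool:
    """Luhn check-digit validation of a digit string."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def is_well_formed_pan(pan: str) -> bool:
    """Reject malformed input before it reaches the hashing or storage path."""
    return pan.isdigit() and 13 <= len(pan) <= 19 and luhn_valid(pan)


def pan_hash(pan: str, key_id: str = CURRENT_KEY_ID) -> str:
    """Keyed hash (HMAC-SHA256) of the entire PAN, prefixed with the key id used.

    The secret key is what makes this acceptable: the PAN space behind a known
    BIN is small, so an unkeyed hash alone does not render the PAN unreadable.
    """
    if not is_well_formed_pan(pan):
        raise ValueError("not a well-formed PAN")
    mac = hmac.new(KEYRING[key_id], pan.encode("ascii"), hashlib.sha256)
    return f"{key_id}:{mac.hexdigest()}"


def pan_matches(pan: str, stored: str) -> bool:
    """Compare a presented PAN against a stored hash under the key that produced it."""
    key_id, _ = stored.split(":", 1)
    return hmac.compare_digest(pan_hash(pan, key_id), stored)


def mask_pan(pan: str) -> str:
    """Display form: at most the first six and last four digits are shown."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]
```

Rotating to a new key means re-hashing from the original PAN at the point where it is next presented (or from the secure vault, if one exists); a stored HMAC cannot be converted to a new key without the PAN.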