
Understanding PCI DSS 4.0 and Version 4.0.1: Key Points to Note

The Payment Card Industry Data Security Standard (PCI DSS) is a set of security fundamentals that helps organizations handling payment card information avoid falling prey to cybersecurity incidents and data breaches, and it sets out the consequences they face when they do. In 2022, the Payment Card Industry Security Standards Council (PCI SSC) published the first set of revised and new requirements in PCI DSS version 4.0.

Many of the standard's requirements became effective on March 31, 2024 (with additional "best practices" that will be mandatory by March 31, 2025). However, in June 2024, the PCI SSC published PCI DSS version 4.0.1, which revises specific requirements to provide clarification and guidance but adds "no additional or deleted requirements" to PCI DSS version 4.0. So, don't panic.

Now, it's time to start preparing for the next set of PCI DSS 4.0 requirements that will kick into effect next year, and to ensure you're also taking into account the clarifying revisions published in version 4.0.1.


PCI DSS 4 introduced several fundamental changes to tackle emerging threats and security issues brought about by new technological advancements since the 2018 release of the previous version, PCI DSS 3.2.1.

PCI DSS version 4.0 includes 64 new requirements in total. With the first phase of 13 new requirements done and dusted, the next stage includes rolling out the remaining 51 new PCI DSS 4.0 requirements. Currently considered "best practices," they'll come into force no later than March 31, 2025. (NOTE: Not all requirements may apply to you, as some are specific to service providers.)

We get it, that’s a lot to digest. To help you, we’ve prepared an overview of these second-phase requirements and a few tips. It’ll enable you to better understand the new rules and how best to address them.

Check the summary table and/or go into the nitty-gritty sections below. (NOTE: We skipped listing the new requirements under Principal Requirements #1 and #2 since they went into effect when PCI DSS 4.0 rolled out).

According to BlackFog's latest report, 92% of the ransomware attacks analyzed in the first four months of 2024 were used to exfiltrate data. This PCI DSS version 4 section includes new requirements related to the protection of sensitive data at rest (i.e., data saved in digital form). They align closely with BlackFog's findings.

Specifically, these changes require enterprises to protect sensitive authentication data (SAD) and primary account numbers (PANs) through encryption and cryptographic hashes.
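The following is an added example, not code from the original article or from the PCI SSC, showing two of the PAN-at-rest controls the paragraph refers to: masking a PAN for display and producing a keyed cryptographic hash of it for storage or lookups. It assumes a key held outside the code (here a constructed placeholder), an HMAC-SHA256 keyed hash (PCI DSS 4.0 requires hashes of PAN to be keyed so that a stored hash cannot be brute-forced from the small PAN space), and a Luhn check to reject malformed input before anything is hashed. The sample PAN is a well-known test number, not real cardholder data.

```python
"""Added example: PAN masking and keyed hashing for stored account numbers.

Hypothetical helpers; the secret key would normally come from an HSM or a
key-management service, never from source code.
"""
import hmac
import hashlib
import secrets

# Constructed placeholder for a key that must live in a KMS/HSM in practice.
# Fresh per process here so that no real key value appears in this file.
_PAN_HASH_KEY: bytes = secrets.token_bytes(32)


def luhn_valid(pan: str) -> bool:
    """Return True if the digit string passes the Luhn checksum.

    Used as an input sanity check only; it is not a security control.
    """
    if not pan.isdigit() or not 12 <= len(pan) <= 19:
        return False
    total = 0
    # Walk from the rightmost digit; double every second digit.
    for idx, ch in enumerate(reversed(pan)):
        digit = int(ch)
        if idx % 2 == 1:
            digit *= 2
            if digit > 9:
                digit -= 9
        total += digit
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Mask a PAN to the first six and last four digits (BIN + last four).

    This is the most that should be shown to personnel without a business
    need to see the full number.
    """
    if not luhn_valid(pan):
        raise ValueError("PAN failed basic validation")
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def keyed_pan_hash(pan: str, key: bytes = _PAN_HASH_KEY) -> str:
    """Return a hex HMAC-SHA256 of the PAN under a secret key.

    A keyed hash lets a system compare or index PANs (e.g. recurring-customer
    lookups) without storing the PAN itself; without the key, an attacker who
    steals the table cannot enumerate the ~10^15 possible PANs against it.
    """
    if not luhn_valid(pan):
        raise ValueError("PAN failed basic validation")
    if len(key) < 32:
        raise ValueError("hash key too short")
    return hmac.new(key, pan.encode("ascii"), hashlib.sha256).hexdigest()


def hashes_match(pan: str, stored_hex: str, key: bytes = _PAN_HASH_KEY) -> bool:
    """Constant-time comparison of a freshly computed hash with a stored one."""
    return hmac.compare_digest(keyed_pan_hash(pan, key), stored_hex)


if __name__ == "__main__":
    # Constructed sample: a standard test PAN, not a real card.
    sample = "4111111111111111"
    print("masked :", mask_pan(sample))
    digest = keyed_pan_hash(sample)
    print("hashed :", digest)
    print("match  :", hashes_match(sample, digest))
```

Note that SAD (full track data, card verification codes, PINs) is a different case from PAN: it must not be retained after authorization at all, so no storage-side control such as hashing applies to it.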

To achieve compliance, you may want to:

Is your website among the 96% of Google's internet traffic that is protected by a secure sockets layer/transport layer security (SSL/TLS) certificate? We bet it is. Unfortunately, that alone isn't enough to prevent the bad guys from snooping on or stealing sensitive data transmitted over the network.

Protect your organization and customers from man-in-the-middle (MITM) attacks.

In 2023, the total malware volume identified by SonicWall increased globally by 11%. Zscaler discovered 745 million more attacks than in 2022. The new clauses included in this group focus on malware prevention through periodic evaluation of system components, regular malware scanning, and phishing protection.

The personal data of 2.8 million clients of Sav-Rx, a pharmacy benefit management company, were stolen in October 2023. A lack of advanced threat detection and monitoring procedures was among the vulnerabilities identified. This confirms the need to focus on threat prevention through automation, which is precisely what this section's updates are about. Here are our suggestions to help you reach compliance:

In February 2024, about 1,300 American Express cardholders’ data were exposed due to unauthorized access to a third-party service provider’s system. Boost the security of your components and cardholder data to comply with these changes before the bell rings in March 2025.

Over 75% of U.S. users surveyed by Forbes Advisor in 2024 admitted having had their personally identifiable information (PII) stolen through hacked accounts. Yup. This section is all about securing access and passwords with different methods.

Did you know that point-of-sale (POS) terminals and point-of-interaction (POI) devices are subject to vulnerabilities as well and can be disabled by ransomware attacks, too? No one and nothing is safe in the digital world. To protect your POI devices:

We get it: effective log management and analysis is never easy. It gets even more complicated if your organization logs an average of 9.5 billion events a day, as Klaviyo does. However, logs are a vital component for security incident detection/response and PCI DSS 4.0 compliance.

Once again, OWASP comes to the rescue with some logging implementation best practices. On top of that:

Kaspersky reports that MITRE's CVE Program registered 3,965 vulnerabilities in Q1 2024. That's an average of 1,321 vulnerabilities per month in those first three months!

Periodically testing system and network security is the core of this section. It helps ensure that vulnerabilities and security issues are identified and addressed promptly, minimizing the risk of leaks and fraudulent activity.

This last section highlights the importance of organizational policies and programs for effective card data protection. When employees are blissfully unaware of such procedures and standards, all sorts of security issues are right around the corner. Verizon's latest report proved it: 68% of data breaches in 2023 involved human error (i.e., non-malicious human actions).

This is it. A neat overview of PCI DSS 4.0’s changes coming into effect by Q2 2025. Don’t stop reading. There’s more to know before kicking off your compliance activities.

All companies handling payment data or accepting credit, debit, or digital card payments must be PCI DSS 4.0 compliant. However, not all businesses are created equal. For instance, service providers have 10 supplementary requirements to satisfy by March 31, 2025 before reaching compliance. (There are 11 new service-provider-related requirements in total in PCI DSS version 4.0, but one was effective immediately.)

This means that mom-and-pop shops won’t have to meet the same standards required of big corporations and enterprises.

To this effect, the PCI Security Standards Council created four different compliance levels based on credit card transaction volume. Each level requires the implementation of a specific set of security control rules.

Before plunging into the PCI DSS 4.0 list, check out our comprehensive merchant compliance guide and do a first PCI self-assessment. You'll immediately find out which level your organization fits into and what it requires.

Every time a customer makes a payment online, their credit/debit card or banking information is at risk of falling into the wrong hands. Phishing is another dangerous threat plaguing businesses accepting payments online. In 2023, Zscaler identified 745 million more attacks than in 2022, marking a 58% increase year over year.

And before you say it, nope, this likely isn't due only to improvements in scanning tools. Other security software providers noticed the same trend. Bolster, for example, recorded 94% growth in phishing attacks since 2020.

So, an SSL/TLS certificate issued by a trusted certificate authority (CA) will:

Last but not least, trusted code signing certificates will also, even if indirectly, help you reach PCI DSS 4.0 compliance. Add another layer of security against attacks by installing only signed plug-ins and components, and by signing SBOMs for software you create. And if you develop your own software or plug-ins, even just for internal use, code signing with a publicly trusted digital certificate is something you can't do without. It can help you meet the security requirements of the PCI SSC's Software Security Standards.

Preparing for PCI DSS version 4.0’s March 2025 deadline will take organizations time and work. However, understanding the changes is the first step to reaching compliance. The good news is that the things we’ve listed here today are things that every security-conscious organization should already be doing.

Put to good use what you’ve just learned. Start addressing the latest PCI DSS 4 requirements today by following the tips included in this article.

It'll protect your organization's and customers' sensitive data, make your reputation shine, increase customers' trust, and, in case of a data breach, help you minimize losses and avoid fines.
