As a technical professional deploying PCI DSS controls, you are likely aware that the Payment Card Industry Data Security Standard (PCI DSS)
is a set of security standards created to protect sensitive payment card information. It is designed to ensure that every organization
that accepts, processes, stores, or transmits payment card information maintains a secure environment.
The latest version of PCI DSS is 4.0, which was released in late 2020. PCI DSS 4.0 includes a number of new requirements and
changes from the previous version, PCI DSS 3.2.1.
One of the key differences between PCI DSS 4.0 and 3.2.1 is the new approach to risk management. The new version focuses on
a more proactive and dynamic approach to managing risk rather than just compliance with specific requirements. The new
version also emphasizes the need for ongoing monitoring and assessment of risk rather than just a point-in-time assessment.
Another major change in PCI DSS 4.0 is the introduction of new requirements for secure software development. These
requirements focus on ensuring that all software used in the payment processing ecosystem is developed securely and undergoes
regular testing and maintenance.
PCI DSS 4.0 introduces new authentication and authorization requirements and changes to physical security and encryption
requirements.
As a technical professional deploying PCI DSS controls, it is important to stay current on the latest changes and requirements so that
your organization remains compliant and secure. By understanding the differences between PCI DSS 3.2.1 and 4.0, you can implement
the necessary changes and updates to your organization’s security practices and procedures.
Below are two tables showing the differences and new requirements between PCI DSS 3.2.1 and PCI DSS 4.0.

Requirement | PCI DSS 3.2.1 | PCI DSS 4.0 | Explanation |
---|---|---|---|
2.2.3 | Not specified | Organizations must implement a risk assessment process that considers “threat agents” in addition to “threats” and “vulnerabilities.” New requirement: in addition to SSL and early TLS, TLS 1.0 is now prohibited as a security control because it is no longer considered secure. | This change reflects a more modern and dynamic understanding of the threat landscape. |
2.2.4 | Not specified | Organizations must evaluate the effectiveness of their security controls based on their ability to detect and respond to attacks. | This requirement emphasizes the importance of incident response planning and testing. |
3.5.1 | Not specified | Organizations must maintain an inventory of all authorized and unauthorized wireless access points. | This requirement acknowledges the risks associated with wireless networks and the need for ongoing monitoring and inventory management. |
4 | Organizations were encouraged to implement multi-factor authentication, but it was not required. | Organizations must implement multi-factor authentication for all personnel with non-console administrative access to systems handling cardholder data, or with access to systems that could affect the security of those systems. | This requirement reflects the increasing importance of multi-factor authentication as a security control. |
6.4.6 | N/A | New requirement: any vulnerabilities found in custom code must be addressed within the organization’s vulnerability management process. | |
8.3.1 | Not specified | Organizations must review and correlate security alerts and information from security monitoring systems. | This requirement emphasizes the importance of active and ongoing monitoring of security incidents. |
8.3.2 | N/A | New requirement: detection mechanisms must be implemented to detect manipulation of security features by unauthorized users or processes. | |
9.9 | Not specified | Organizations must have an incident response plan that includes procedures for addressing all relevant legal, contractual, and regulatory requirements. New requirement: devices capturing payment card data must be protected from tampering and substitution to prevent attackers from installing skimmers or other devices. | This requirement reflects the complex legal and regulatory landscape in which organizations operate. |
10.8 | Not specified | Organizations must maintain an inventory of all hardware and software components that are involved in cardholder data processing, transmission, or storage. | This requirement emphasizes the importance of inventory management and asset tracking. |
10.8.1 | N/A | New requirement: detection mechanisms must be implemented to detect credential-stuffing attacks. | |
10.8.2 | N/A | New requirement: detection mechanisms must be implemented to detect attackers’ manipulation of security features to gain unauthorized access. | |
12.4.1 | Not specified | Organizations must implement a process for securely decommissioning all hardware and software that is involved in cardholder data processing, transmission, or storage. Expanded requirement: personnel must receive security awareness training, and verification must be conducted to ensure they are trained to perform their job functions securely. | This requirement reflects the importance of secure disposal of electronic media and devices. |
12.11 | N/A | New requirement: penetration testing of segmentation controls must be performed every six months and after any changes. | |
12.12 | N/A | New requirement: a process must be implemented for securely disposing of media containing cardholder data. | |
Appendix C: Additional PCI DSS Requirements for Entities using Point-of-Interaction (POI) Devices | Not applicable | New appendix that provides additional requirements for entities that use POI devices for card-present transactions. | This appendix reflects the changing nature of payment acceptance and the increasing use of POI devices. |

Requirement | PCI DSS 3.2.1 | PCI DSS 4.0 | Explanation |
---|---|---|---|
6.1.a | N/A | 6.1.2 | Clarifies that all encryption methods must use industry-tested and accepted algorithms, and that encryption keys must be protected at all times. |
8.3.1 | N/A | 8.3.3 | Adds the requirement for multi-factor authentication for all personnel with non-console administrative access to the cardholder data environment. |
10.6.1 | N/A | 10.6.2 | Requires that all personnel with access to cardholder data undergo security awareness training at least annually. |
11.3 | 11.3.4.1-11.3.4.3 | 11.3.5.1-11.3.5.3 | Adds new sub-requirements for detection of and response to security incidents, including implementation of a formal incident response plan, annual testing of the plan, and periodic reviews and updates to the plan. |
12.3 | 12.3.1-12.3.10 | 12.3.1-12.3.11 | Adds a new sub-requirement for establishing a program to manage the security of all service providers, including a requirement to maintain a current list of all service providers, perform due diligence prior to engagement, and monitor the service providers’ PCI DSS compliance status on an ongoing basis. |
N/A | N/A | 12.4.1-12.4.4 | Adds new requirements for securing devices used in the cardholder data environment, including installation of security agents, maintenance of an inventory of authorized devices, and implementation of security policies and procedures for all devices. |
N/A | N/A | 12.8.3 | Adds a new requirement to maintain an inventory of all hardware and software authorized to connect to the cardholder data environment. |
N/A | N/A | 12.10.1-12.10.6 | Adds new requirements for secure coding practices, including training for developers, code reviews for all changes, and implementation of security controls to prevent common coding vulnerabilities. |
As a PCI DSS professional, you must stay informed about the latest developments and requirements in the payment card industry.
One important date to be aware of is the retirement of PCI DSS 3.2.1 on 31 March 2024. After this date, organizations will no
longer be able to validate compliance against this version of the standard.
The latest version, PCI DSS 4.0, was released in March 2022. Both versions will coexist until v3.2.1 is officially retired on March
31, 2024, in favor of v4.0. However, credit card companies and vendors that process credit card transactions have until March 2025
to demonstrate compliance with v4.0. This transition period gives organizations the time they need to update their systems,
policies, and procedures to achieve compliance with the updated standard.
As the person responsible for PCI DSS in your organization, it is important to ensure that your organization is prepared for the
transition to PCI DSS 4.0 and to stay up to date with any further developments or changes in the standard. Doing so helps ensure
that your organization remains compliant with the latest standards and best practices for protecting sensitive payment card
information and that your customers’ data is kept safe and secure.