PCI DSS v4.0 Summary Of Changes

The long wait is over. For the first time since version 3.0 of PCI DSS in February of 2014, we have a new major release of the Payment Card Industry Data Security Standard: PCI DSS 4.0. As the standard has evolved through minor releases, it has enhanced its controls, its testing, and its applicability to a volatile landscape of payment card merchants and service providers. The changes in this release, as with all releases, are designed to provide additional guidance and applicability to cardholder data environments and to give those who use the standard additional flexibility when implementing security controls. The new standard promotes security as a continuous process, clarifies objectives, and outlines testing requirements that are new compared with previous versions.

When can I expect to adopt the standard?

The planned adoption timeline for the standard is published on the PCI SSC website and includes a transition period for all parties to adopt the new standard. Much like the transition to v3.2.1 of the DSS, there will be a grace period after which future-dated requirements become mandatory (as with the retirement of TLS 1.0), followed by a retirement date for PCI DSS v3.2.1 after which all merchants and service providers must adhere to the new standard. PCI DSS v3.2.1 will continue to be active until March 31st, 2024.

Figure: A diagram illustrating the phases of a project aligned with PCI DSS 4.0 requirements.

Outcome Based Testing/Customized Controls:

The landscape of the payment card industry continues to evolve as new products, technology, and processes pave the way for innovation. The council seized this opportunity to let controls become outcome-based and customizable so that they apply to a broad spectrum of security implementations. With Outcome-Based Testing and Customized Controls, a requirement is no longer constrained to prescriptive details such as password character length or rotation; instead it states an objective, for example that “strong authentication for users and administrators is established and managed.” That objective may be met by any of the authentication factors: passwords (something you know), smartcards (something you have), or biometrics (something you are). Accepting any of these factors as the single factor of authentication expands on DSS v3.2.1, which treated password credentials as the primary method of authentication. The same expansion of requirement criteria applies to firewalls, cryptographic storage, and physical security.

Figure: A sample business plan template for PCI DSS 4.0 compliance.

Security Testing Above and Beyond

Security testing for PCI DSS 4.0 is being reworked: security testing throughout the year will be held to stricter requirements than under PCI DSS 3.2.1. Under PCI DSS 3.2.1 there were fewer controls for monitoring systems throughout the year, namely quarterly internal (Requirement 11.2.1) and external (Requirement 11.2.2) vulnerability scans, as well as process examinations for service providers to ensure appropriate procedures were in place and being followed by the system administrators (Requirement 12.11).

The new security testing standards include an evolving requirement for 11.2.1, under which other applicable vulnerabilities found during an internal scan must also be addressed and managed. Internal scanning will now require the scanning engine to use credentials, which was not previously required. A scanning engine with more permissions may produce more results, because credentialed scans have more insight into production systems. New penetration testing requirements apply to multi-tenant service providers. PCI DSS 4.0 also introduces a review of the cryptographic suites used for transmission of cardholder data (Requirement 12.3.3), which was not found in the old standard.
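The cryptographic-suite review mentioned above is, in practice, an inventory exercise: list every path over which cardholder data is transmitted, record the protocol versions and cipher suites each one accepts, and flag anything retired or weak along with anything that has no assigned owner. The following Python script is an added example of that review and is not code from the standard or from the author of this post; the inventory schema, the weak-token list, and the two sample endpoints are assumptions constructed for illustration.

```python
"""Added example: review a cryptographic-suite inventory for cardholder-data
transmission paths. The inventory schema, thresholds and sample endpoints are
assumptions constructed for this example, not taken from the standard."""
import re
from dataclasses import dataclass

# Protocol versions no longer considered strong cryptography for transmission.
RETIRED_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1.0", "TLSv1.1"}

# Cipher-suite name tokens that indicate a weak or deprecated algorithm.
# Matching on whole tokens (split on '-' and '_') avoids false hits such as
# "DES" inside "ECDHE" or "AES".
WEAK_TOKENS = {"NULL", "EXPORT", "EXP", "RC4", "DES", "3DES", "MD5",
               "ADH", "AECDH", "ANON"}


@dataclass
class Endpoint:
    """One transmission path carrying cardholder data (assumed schema)."""
    name: str
    purpose: str
    protocols: list
    cipher_suites: list
    owner: str = ""  # role responsible for this cryptographic configuration


def cipher_tokens(suite: str) -> set:
    """Split a suite name (OpenSSL or IANA style) into upper-case tokens."""
    return set(re.split(r"[-_]", suite.upper()))


def review_endpoint(ep: Endpoint) -> list:
    """Return one finding string per problem discovered on the endpoint."""
    findings = []
    for proto in ep.protocols:
        if proto in RETIRED_PROTOCOLS:
            findings.append(f"retired protocol enabled: {proto}")
    for suite in ep.cipher_suites:
        weak = cipher_tokens(suite) & WEAK_TOKENS
        if weak:
            findings.append(
                f"weak cipher suite {suite} ({', '.join(sorted(weak))})")
    if not ep.owner:
        findings.append("no owner assigned for cryptographic configuration")
    return findings


def review_inventory(endpoints) -> dict:
    """Map endpoint name -> findings; an empty list means the endpoint passed."""
    return {ep.name: review_endpoint(ep) for ep in endpoints}


# Constructed sample inventory (not real systems).
SAMPLE_INVENTORY = [
    Endpoint("payment-gateway-api", "authorization requests to acquirer",
             ["TLSv1.2", "TLSv1.3"],
             ["ECDHE-RSA-AES256-GCM-SHA384", "TLS_AES_128_GCM_SHA256"],
             owner="Payments Engineering"),
    Endpoint("legacy-pos-upload", "nightly batch from store POS",
             ["TLSv1.0", "TLSv1.2"],
             ["DES-CBC3-SHA", "AES128-SHA"]),
]

if __name__ == "__main__":
    for name, findings in review_inventory(SAMPLE_INVENTORY).items():
        print(("PASS " if not findings else "REVIEW ") + name)
        for finding in findings:
            print("    - " + finding)
```

Run against the sample inventory, the gateway endpoint passes and the legacy upload endpoint is flagged for TLS 1.0, for a 3DES suite, and for having no owner. In a real review the inventory would be populated from configuration management or from a TLS scan of each endpoint, and the token list would be tuned to the organisation's approved-algorithm policy.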

Enhanced Multi-Factor Authentication Criteria

Multi-factor authentication for administrative access into the cardholder data environment was adopted in v3.2.1 and has been a PCI requirement since (Requirement 8.3). However, multi-factor authentication for all users is a future-dated requirement in PCI DSS 4.0 (Requirement 8.4.2). The new standard mandates that all access into the CDE be demarcated by multi-factor authentication, so both users and administrators must perform MFA at their workstations. Note that, as with the old Requirement 8.3, this does not apply to application or system accounts performing automated functions, nor to individuals on POS systems who have access to only one credit card number at a time. There is also additional clarification on where MFA applies: if the CDE resides within a corporate network, the demarcation point is the boundary of the CDE, whereas if the CDE is entirely isolated and accessed remotely, MFA is required upon entering the CDE at that remote connection point.

Additional Firewall and Network Security Guidance

Requirements for firewalls are also being updated, in that a wider range of network control devices is now considered and named. The PCI DSS 3.2.1 references to firewalls and routers have been replaced with a broader set of terms covering the evolving network security control technologies being implemented. Additional guidance on appropriate inbound and outbound traffic for CDE networks was revised to make the requirements readily applicable to different network topologies and to ensure that changes are appropriately documented and approved under change control.

Storage of Cardholder Data and Encryption

Encryption and storage of cardholder data under PCI DSS 4.0 are more robust, in that many requirements have been enhanced or added in an effort to catalog cryptographic systems and processes and to assign responsibility for these elements. Sensitive Authentication Data (SAD) will now have storage requirements for pre-authorization (Requirements 3.2.1 and 3.2.2) if it is stored within a CDE, whereas PCI DSS 3.2.1 did not address this issue. The new standard also outlines additional guidance on the appropriate deployment of disk-level or partition-level encryption for the protection of stored PAN within the production environment and on removable storage media (Requirement 3.5.1.2).
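Whether SAD or PAN is being stored at all is something an organisation has to be able to check for itself, because unintended storage usually shows up in debug logs, batch files, and exports rather than in the designed data stores. The following Python script is an added example of that kind of data-discovery check; it is not code from the standard or from the author of this post. The regular expressions, the masking rule, and the three sample log lines (which use a well-known test card number) are constructed for illustration.

```python
"""Added example: scan stored text (logs, exports, batch files) for primary
account numbers (PAN) and sensitive authentication data (SAD) so that
unintended storage can be found and remediated. Patterns and sample lines
are constructed for this example."""
import re

# A run of 13-19 digits not adjacent to other digits; Luhn filters the rest.
PAN_RE = re.compile(r"(?<!\d)(\d{13,19})(?!\d)")
# Track 2 data: PAN, '=' separator, expiry, service code, discretionary data.
TRACK2_RE = re.compile(r";?(\d{13,19})=(\d{4})(\d*)\??")
# A card verification value stored next to a label such as cvv, cvc or cvv2.
CVV_RE = re.compile(r"\bcv[cv]2?\s*[=:]\s*(\d{3,4})\b", re.IGNORECASE)


def luhn_valid(digits: str) -> bool:
    """Luhn check: distinguishes card numbers from other long digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep the first six and last four digits and mask the rest."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_line(line: str) -> list:
    """Return (kind, masked_value) pairs found on one line of text."""
    findings = []

    # Full track data is SAD. Record it first and blank it out so the PAN
    # embedded in it is not also reported as a separate PAN finding.
    def _track(m):
        findings.append(("TRACK2", mask_pan(m.group(1))))
        return " " * len(m.group(0))

    line = TRACK2_RE.sub(_track, line)
    for m in PAN_RE.finditer(line):
        if luhn_valid(m.group(1)):
            findings.append(("PAN", mask_pan(m.group(1))))
    for _ in CVV_RE.finditer(line):
        findings.append(("CVV2", "***"))  # never echo the value itself
    return findings


def scan_text(text: str) -> list:
    """Return (line_number, kind, masked_value) for each hit in the text."""
    results = []
    for n, line in enumerate(text.splitlines(), start=1):
        for kind, value in scan_line(line):
            results.append((n, kind, value))
    return results


# Constructed sample log; 4111111111111111 is a widely used test card number.
SAMPLE_LOG = """\
2024-03-01T10:00:00Z INFO order=1234567890123456 status=approved
2024-03-01T10:00:01Z DEBUG auth request pan=4111111111111111 cvv2=123 amount=19.99
2024-03-01T10:00:02Z DEBUG raw swipe ;4111111111111111=25121011234567890?
"""

if __name__ == "__main__":
    for n, kind, value in scan_text(SAMPLE_LOG):
        print(f"line {n}: {kind} {value}")
```

On the sample log the order number on line 1 fails the Luhn check and is ignored, line 2 yields a PAN and a stored CVV2 (both SAD and PAN in a debug log), and line 3 yields full track 2 data. Findings are reported with the PAN masked so that the scan output itself does not become another place where cardholder data is stored.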

Summary of Changes

Compared with PCI DSS 3.2.1, there will be many changes regarding technologies, network topologies, and third-party service provider relationships. The new PCI DSS 4.0 standard adds new requirements to address these areas, along with evolving requirements that take the existing standards one step further toward a more secure infrastructure. For additional information on these changes, review the Summary of Changes document available on the PCI SSC website.

Looking for a knowledgeable partner for your cybersecurity and compliance efforts?

The MegaplanIT team specializes in assisting businesses all around the world to achieve and maintain compliance. Our skilled security consultants and QSAs are fully certified to undertake PCI DSS v4.0 assessments for your firm and have decades of expertise in assisting organizations like yours in staying secure and compliant. The level of support we offer is unmatched, and the knowledge of our team will help you achieve your goals. Set up a time to talk with us about your top payment security and compliance concerns so we can work together to solve them!