What’s new in the PCI DSS v4.0?

There were many changes incorporated into the latest version of the Standard. Below are examples of some of those changes. For a comprehensive view, please refer to the Summary of Changes from PCI DSS v3.2.1 to v4.0, found in the PCI SSC Document Library.

Some of the goals of these changes include:

Continue to meet the security needs of the payments industry.

Why it is important: Security practices must evolve as threats change.

Examples:

  • Expanded multi-factor authentication requirements.
  • Updated password requirements.
  • New e-commerce and phishing requirements to address ongoing threats.

Promote security as a continuous process.

Why it is important: Criminals never sleep. Ongoing security is crucial to protect payment data.

Examples:

  • Clearly assigned roles and responsibilities for each requirement.
  • Added guidance to help people better understand how to implement and maintain security.

Increase flexibility for organizations using different methods to achieve security objectives.

Why it is important: Increased flexibility allows more options to achieve a requirement’s objective and supports payment technology innovation.

Examples:

  • Allowance of group, shared, and generic accounts.
  • Targeted risk analyses empower organizations to establish frequencies for performing certain activities.
  • Customized approach, a new method to implement and validate PCI DSS requirements, provides another option for organizations using innovative methods to achieve security objectives.

Enhance validation methods and procedures.

Why it is important: Clear validation and reporting options support transparency and granularity.

Example:

  • Increased alignment between information reported in a Report on Compliance or Self-Assessment Questionnaire and information summarized in an Attestation of Compliance.
