New Year’s Resolution: Get PCI DSS 4.0 Compliant Now!

The Payment Card Industry (PCI) Security Standards Council (SSC) officially released version 4.0 at the Data Security Standard (DSS) in March of last year. While PCI DSS 3.2.1 remains active for two more years, the clock is quickly winding down toward the deadline for full compliance by March 2025. So, my recommended New Year’s resolution is for organizations to begin planning and implementing a Zero Trust Architecture now rather than waiting until two years from now.

And just like your resolution to lose 30 pounds this year, this effort will be no small feat.

The previous version of PCI DSS was more than 10 years old and needed a lot of modernizing – especially in light of the shift toward remote work, cloud computing, Software-as-a-Service (Saas), and other trends of late. As a refresher, the following are the “dirty dozen,” the 12 requirements of PCI DSS version 3.2.1:

1. Protect your system with firewalls
2. Configure passwords and settings
3. Protect stored cardholder data
4. Encrypt transmission of cardholder data across open, public networks
5. Use and regularly update antivirus software
6. Regularly update and patch systems
7. Restrict access to cardholder data to business need-to-know
8. Assign a unique ID to each person with computer access
9. Restrict physical access to workplace and cardholder data
10. Implement logging and log management
11. Conduct vulnerability scans and penetration tests
12. Develop security documentation and perform risk assessments

While this was a decent set of controls, it was sort of a “one size fits all” approach and provided for no customization and tailoring. Furthermore, it failed to address some of the key areas we discussed above with a lack of traditional IT components and most people working outside the protected network perimeter. So, the PCI DSS 4.0 beefs up overall security – primarily by adding a number of new encryption and authentication requirements for Primary Account Number (PAN) storage and access. CISOs will need to identify the technical, administrative, or organizational intent of each requirement and plan accordingly in terms of budget and resources.

While PCI DSS 4.0 requires stronger security controls, the good news is that there is some flexibility in how these controls are proven. The new standard enhances validation methods and procedures to allow for custom implementations or compensating controls, rather than just checking that something is “by the book.”

Also, our minister used to say that you can’t come to church for one hour on a Sunday morning but live like hell the rest of the week. The new PCI DSS recognizes this as well, focusing more on having a continuous process of security than cramming for a one-time audit by a PCI Qualified Security Assessor Company (QSAC).

Let’s take a look at some of the new requirements in PCI DSS 4.0:

1. Web applications. Per section 6.3.2, organizations will need to maintain an inventory of custom-developed software (e.g., Web applications) and per 6.4.2 deploy automated means to detect and prevent Web-based attacks (e.g., a Web application firewall or WAF).

2. Implement MFA and account management. Requirement 7 now closely aligns with the U.S. National Institute of Standards and Technology (NIST) Special Publication (SP) 800-63B Digital Identity Guidelines in requiring stronger authentication standards to payment and control process access logins. PCI has also partnered with Europay, Mastercard, and Visa to implement the use of a 3DS Core Security Standard during transaction authorization. PCI 3DS is a “modern messaging protocol that enables consumer authentication with their card issuer when making online purchases. This additional layer of security helps prevent online fraud, making online shopping safer for merchants and consumers.”

In particular, PCI DSS 4.0 requires the following:

• Defining roles and responsibilities in the system.
• Applying MFA for all accounts with access to sensitive cardholder data. Previously. This had applied only to admin accounts.
• Auditing access privileges annually.
• Changing passwords for accounts used by payment applications every 90 days or as part of security incident response.
• Enforcing passwords minimum length of 12 characters with alphanumeric complexity.
• Restricting reuse of passwords across multiple accounts and checking them versus blacklists.
• Restricting vendor or maintenance accounts and carefully monitoring them for security risks.
• Restricting the use of hard-coded plaintext passwords into software and/or scripts.

3. Require data governance and enhanced data encryption. Due to the amount of malware and malicious activity to discover and exploit plaintext PANs, PCI DSS 4.0 has a number of new requirements for encrypting cardholder data to help protect it from theft.

In addition, organizations must discover the sources and locations of cleartext PANs at least once a year or whenever there are significant changes to cardholder data environments or processes.

4. Require continuous automated audit log review. PCI DSS 4.0 Requirement 10 is very clear in requiring automated collection and review of security audit logs along with the ability to “detect, alert, and … respond to failures of critical security control systems.” Requirement 11 also mentions the mandate for use of an intrusion detection system (IDS) to “detect, alert on/prevent, and address covert malware communication channels.” In our parlance, this is Cyber Lorica – i.e., a Security Information and Event Management (SIEM) system along with 24/7/365 continuous monitoring to allow for incident detection and response in near real-time.

Without the SIEM and continuous monitoring from an expert SOC team, I do not see any other method for organizations to be compliant with these requirements.

5. Require vulnerability management. While there was previously a requirement to patch and update systems, this new requirement mandates running internal vulnerability scans and immediately addressing any critical or high-level vulnerabilities (11.3).

6. Require security awareness training. 12.6 now requires that employees receive annual awareness training about the acceptable use of end-user technologies in accordance with the organization’s overall risk policy.

Abacode can design and implement a complete program to help you be compliant with PCI DSS 4.0 well ahead of the March 2025 deadline. We have to capability to craft a holistic, tailored, and cost-effective program for your organization that addresses data governance (discovering and protecting cardholder data), applying identity and access management with MFA, implementing world-class continuous monitoring and security operations, along with addressing all the other significant challenges of a Zero Trust Architecture. Please contact us today.