Maintaining compliance is a difficult job — both in scope and in practical application. Organizations must navigate an ever-growing landscape of regulations, with standards continually evolving and becoming more stringent. With PCI DSS 4.0 now officially in effect, businesses and financial institutions are required to fully adhere to the updated requirements, marking a significant shift in how payment card data security is managed.
Complying with a new or updated standard is sometimes easier said than done. The reality is that businesses are busy dealing with day-to-day cyber demands, and compliance often gets put off until it becomes a critical need to address. This is particularly the case in enterprises that lack the resources, time, people, and comprehensive strategy required for robust security and compliance.
Talent gaps and understaffed teams are real concerns across all sectors. As a result, time and people are scarce, and businesses tend to focus on urgent timelines rather than longer-term projects. This approach can often lead to last-minute compliance panic.
However, retailers and financial entities can address their daily security operations and requirements while at the same time building their PCI DSS 4.0 compliance. They can do so by adopting a “touch it once” strategy of solving two tasks with a single action, satisfying everyday priorities, and transitioning efficiently to PCI DSS 4.0.
It is about doing things in a way you don’t need to revisit. It’s more of an ethos, a thought process, an idea that every time you create a new business process, you must do it with the mindset of “how does this make us more secure and more compliant with the PCI DSS 4.0 standard?”
This guide is designed to help you grasp the importance of PCI DSS 4.0 compliance and offers a prioritized roadmap to achieve it—empowering your organization to stay secure and resilient against everyday cyber risks and threats.
What’s New in PCI DSS 4.0?
The Payment Card Industry Data Security Standard (PCI DSS) was developed in 2006 to help businesses that process, store, or transmit payment card data prevent cardholder data theft. While specifically designed to focus on environments with payment card account data, PCI DSS can also protect against threats and secure other elements in the payment ecosystem.
The adoption of PCI DSS 4.0 included an overlapping retirement date for PCI DSS version 3.2.1 to smooth the transition between versions. This overlap provides organizations time to become familiar with the new version and plan for and implement the changes needed.
There are four primary reasons for the changes included in version 4.0:
- Ensure the standard meets the requirements for secure digital payments
- Foster security as a continuous dynamic process
- Make validation procedures more robust
- Support any additional methodologies that achieve the same security goals
In addition, the new version introduces the concept of a customized approach. The idea is that not all security approaches are the same, and there may be many ways to achieve a security objective. Version 4.0 allows customization of requirements and testing procedures to accommodate this approach.
Many companies have security solutions that meet the security objective of a requirement. The customized approach lets businesses showcase how their particular solution meets the purpose of the security objective and addresses the risk, providing an alternative way to meet the requirement.
The good news is that the 12 core PCI DSS requirements do not fundamentally change with PCI DSS v4.0, as these are the critical foundation for securing payment card data. However, the requirements are now written as outcome-based statements focused on implementing security controls. For many requirements, this is achieved by simply changing the language from stating what “must” be implemented to what the resulting security outcome “is.”
PCI DSS 4.0 Compliance: A Prioritized Approach
By its comprehensive nature, PCI DSS provides a large amount of security information — so much information that some people responsible for the security of payment account data may wonder where to start. The PCI Security Standards Council has developed a Prioritized Approach to compliance to help organizations understand how to reduce risk earlier in their PCI DSS compliance journey.
Per the guide, “The Prioritized Approach maps all PCI DSS requirements into six risk-based security milestones that are intended to help organizations incrementally protect against the highest risk factors and escalating threats while on the road to PCI DSS compliance.”
The PCI DSS Prioritized Approach includes six milestones:
- Do not store unnecessary sensitive authentication data and limit cardholder data retention. Businesses can limit the impact of a breach if sensitive authentication data and other account data are not stored.
- Protect access points to systems and networks and be prepared to respond to a breach.
- Secure payment applications. Weaknesses in these apps are a common vector for breaching systems and obtaining unauthorized access to cardholder data.
- Monitor and control access to your systems. Have clear visibility of who, what, when, and how the cardholder data environment is accessed.
- Protect stored cardholder data. If storing cardholder data is a business necessity, implement controls to protect this data.
- Complete remaining compliance efforts, and ensure all controls are in place.
These milestones are intended to help organizations incrementally protect against the highest risk factors and threats while on the road to PCI DSS 4.0 compliance.
Integrating PCI DSS 4.0 Compliance into Your Daily Security Workflow
Achieving compliance with PCI DSS version 4.0 can be challenging, but it provides a stronger framework for defending against today’s more sophisticated cyber threats. Start by reviewing the PCI DSS 4.0 standard and understanding the key changes that could affect your compliance efforts. From there, begin developing a plan to integrate these updates into your cybersecurity processes, ensuring you're aligned with the new requirements and on the path to full compliance.
The following section will walk you through the 12 core requirements of the PCI DSS 4.0 standard, providing everyday best practices to help you strengthen your organization’s security posture while building and maintaining compliance. For deeper insights and specifics, be sure to consult the official PCI DSS resources.
Requirement 1: Install and maintain network security controls
- Create a firewall configuration baseline: Before implementing firewall settings, document settings and procedures such as hardware security settings, port or service rules needed for business, justification for these rules, and consider both inbound and outbound traffic.
- Test all settings: After implementing firewall configuration settings, test the firewall externally and internally to confirm settings are correct.
- Limit outbound traffic (not just inbound): Often, we worry about blocking inbound ports but forget to limit outbound traffic from inside the network to only what is required. Restricting egress limits the attackers’ paths for exfiltrating data.
- Configure firewalls on personal mobile devices: Set up personal firewalls on mobile computing platforms to limit the attack surface and minimize malware propagation when connected to unsecured networks.
- Disable external firewall management: Only manage the firewall from within your network. Disable external management services unless they are part of a secure managed firewall infrastructure.
Requirement 2: Apply secure configurations
- Change default settings to reduce inherent weaknesses: Devices come with factory defaults like usernames and passwords. Defaults make device installation and support easier, but they also mean every unit of a model ships with the same username and password. Unmodified defaults give attackers an easy pathway into your ecosystem. Changing vendor defaults on every system accessing cardholder data is vital.
- Harden the Cardholder Data Environment (CDE) according to industry best practices: Any system used in your CDE must be hardened before it goes into production. The goal of hardening a system is to remove unnecessary functionality and securely configure what remains. Every application or device connected to a system introduces vulnerabilities. According to PCI DSS requirement 2.2, you must “address all known security vulnerabilities and [be] consistent with industry-accepted system hardening standards.”
- Exercise consistency and keep inventory current: Once system hardening is implemented and documented, the settings must be applied to all systems in the environment consistently. Once each system and device in the domain has been appropriately configured, you need to assign the responsibility for keeping the inventory current and up-to-date. This way, applications and systems not approved for use can be identified and removed.
Requirement 3: Protect stored account data
- Know where your data resides: Use a data discovery tool to identify the location of unencrypted data so you can delete or encrypt it. Such tools also help determine which processes or flows might need to be fixed. Cardholder data can easily be exposed due to poor processes or misconfigurations. Start by looking where you believe the data is, and then investigate all the locations where it shouldn’t be.
- Encrypt all your stored data: Stored card data must be encrypted using industry-accepted algorithms. Many organizations unknowingly hold unencrypted primary account numbers (PAN). In addition to encrypting card data, businesses must protect the encryption keys. Not safeguarding the encryption key location using a solid management process is like storing your house key in your front door lock.
- Minimize the data you hold: Don’t keep any data you don’t need. Minimize the scope of PCI DSS and ask yourself if you really need a data record.
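The data discovery step above, as an added example that is not from the page or a Fortra tool: a small Python scanner that finds candidate PANs in exports, logs and configuration files, validates them with the Luhn check so order numbers and other digit runs are not reported, and prints them masked so the scan report does not itself become stored cardholder data. The file format, sample lines and test card numbers are constructed.

```python
"""Find unencrypted PANs in exports, logs and config files (PCI DSS req. 3).

Added example, not a Fortra tool: candidate digit runs are matched with a
regex, validated with the Luhn check, and reported masked (first six and
last four digits) so the scan report does not itself become cardholder data.
"""
import re
import sys
from pathlib import Path
from typing import NamedTuple

# 13-19 digits, optionally separated by single spaces or dashes, and not part
# of a longer digit run (which is usually an ID or a hash, not a PAN).
PAN_RE = re.compile(r"(?<![\d-])(?:\d[ -]?){12,18}\d(?![\d-])")

class Finding(NamedTuple):
    source: str       # file name or label of the scanned text
    line_no: int
    masked_pan: str   # first six + last four only
    length: int

def luhn_ok(digits: str) -> bool:
    """Luhn (mod 10) checksum: filters out order ids and other digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def mask(digits: str) -> str:
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]

def scan_text(text: str, source: str = "<text>") -> list[Finding]:
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in PAN_RE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group())
            if luhn_ok(digits):
                findings.append(Finding(source, line_no, mask(digits), len(digits)))
    return findings

def scan_file(path: Path) -> list[Finding]:
    # Decode with replacement so a binary-ish file does not abort the scan.
    return scan_text(path.read_text(errors="replace"), source=str(path))

# Constructed sample export: an order id that happens to be 16 digits (fails
# Luhn), two well-known test PANs, a token, and a dash-separated Amex number.
SAMPLE_EXPORT = """\
order_id=1234567890123456 customer=alice phone=5551234567
card=4111 1111 1111 1111 exp=12/27 status=captured
card=378282246310005 exp=01/28 status=captured
token=tok_9f8e7d6c5b4a3210 card_hash=3c2b1a...
note: refund for 3782-8224-6310-005 processed
"""

def main(argv: list[str]) -> int:
    findings: list[Finding] = []
    for arg in argv[1:]:
        paths = Path(arg).rglob("*") if Path(arg).is_dir() else [Path(arg)]
        findings.extend(f for p in paths if p.is_file() for f in scan_file(p))
    if len(argv) == 1:  # no paths given: scan the built-in sample
        findings = scan_text(SAMPLE_EXPORT, "sample_export.txt")
    for f in findings:
        print(f"{f.source}:{f.line_no}: {f.masked_pan} ({f.length} digits)")
    return 1 if findings else 0

if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it with one or more files or directories as arguments; a non-zero exit status means unencrypted PANs were found and need to be deleted or encrypted.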
Requirement 4: Protect cardholder data with strong cryptography during transmission over open, public networks
- Secure data transmitted over open and public networks: Identify where you send cardholder data. You must encrypt your data while on the move over open public networks.
- Stop using obsolete versions of SSL/TLS: Older versions of SSL and TLS are known to have security vulnerabilities. You must discontinue the use of these deprecated encryption protocols unless a business need mandates maintaining backward compatibility, such as using POS hardware that does not support later versions of TLS.
Requirement 5: Protect systems and networks from malicious software
- Regularly update antivirus: Vigilant vulnerability management is the most effective way to proactively reduce the window of compromise, considerably narrowing the opportunity for attackers to penetrate your systems and steal valuable data successfully. As part of your vulnerability management strategy, include updated antivirus software.
Requirement 6: Develop and Maintain Secure Systems and Software
- Regularly update and patch systems: The timely implementation of security updates is critical to your security posture. Patch all critical components in your environment, including browsers, firewalls, applications, databases, POS terminals, and operating systems. Update your software consistently to comply with PCI DSS requirement 6.3.3, which states that organizations must “install critical patches within a month of release.” Don’t forget critical software such as credit card payment applications and mobile devices. Another way to mitigate vulnerabilities is vulnerability scanning, which provides the best method for discovering known security gaps that cybercriminals can exploit to gain access to and compromise an organization.
- Establish secure software development processes: If you develop payment applications in-house, you must use strict development processes and secure coding guidelines. Remember to develop and test applications according to industry-accepted standards like OWASP.
- Install web app firewalls: PCI DSS requirement 6.4 mandates regular monitoring, detection, and prevention of web-based attacks by protecting public-facing web applications with web application firewalls (WAF). These solutions specialize in monitoring and blocking malicious web-based traffic.
Requirement 7: Restrict Access to System Components and Cardholder Data
- Restrict access to data and systems: You should have a role-based access control (RBAC) system with a defined and up-to-date list of roles, which grants access to cardholder data on a need-to-know basis. Restricting access helps prevent exposing sensitive data to unauthorized individuals.
Requirement 8: Identify Users and Authenticate Access
- Establish policies for strong and unique passwords and deploy a password manager: If a username or password doesn’t meet the requirements for length, uniqueness, and complexity, it becomes a vulnerability. To address the limits and risks posed by human nature, consider deploying corporate password management software, so password complexity does not undermine the user experience.
- Robust account management: PCI DSS requires disabling default accounts and having unique user and admin account names. By placing more barriers in an attacker's pathway, a company can be more secure.
- Implement multi-factor authentication: A single password, no matter how strong it is, cannot be the only security precaution. Multi-factor authentication (MFA) is the most effective solution to secure remote access and is a new requirement under PCI DSS 4.0. Your authentication methods should be out-of-band and independent of each other. There should be a physical separation between authentication factors so that access to one factor does not grant access to another. If one factor is compromised, it does not affect the integrity and confidentiality of any other factor. Additionally, PCI DSS requires that you "incorporate multi-factor authentication for all remote network access (both user and administrator, and including third-party access for support or maintenance) originating from outside the entity's network."
Requirement 9: Restrict physical access
- Control physical access to your premises: Mitigate physical security risks by implementing physical security policies that preserve on-premises safety for critical assets and data. For example, you can protect these critical assets in a hardened facility. You could also limit outsider access to one monitored entrance and require non-employees to wear visitor badges.
- Keep track of POS terminals: Businesses that use POS systems or mobile payment devices must maintain an updated list of all devices, periodically inspect these devices, and provide staff awareness training for individuals who interact with card-present devices daily.
Requirement 10: Log and monitor all access
- Regularly review system logs and alerting: Systems that keep track of logs monitor network activity, examine system events, warn of questionable activity, and record user actions that take place in your environment. The collection and transmission of logs to a centralized location, an on-site logging server, or an internet service is required. To look for mistakes, irregularities, or suspicious activity that deviates from the usual, businesses should analyze their records daily. A more effective security program and quicker response to security occurrences are both benefits of diligent log monitoring. In addition to demonstrating your commitment to adhere to PCI DSS rules, log analysis and regular monitoring will also aid in thwarting inbound and outbound threats.
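The daily log review described above, as an added example that is not from the page or a Fortra product: three review rules run over a constructed CDE access log, covering privileged logins from an unexpected source, failed-login bursts, and CDE hosts that sent no events at all (a silent log source is a finding in its own right, not a quiet day). The log format, host inventory, admin source addresses and thresholds are assumptions.

```python
"""Daily review of CDE access logs (PCI DSS req. 10).

Added example, not a Fortra product. Assumes a constructed log format,
'<ISO timestamp> <host> <user> <action> <result> src=<ip>', one event per line.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Iterable, NamedTuple

# Constructed inventory: hosts in the CDE and the admin jump hosts.
CDE_HOSTS = {"pos-db-01", "pay-app-01", "pay-app-02"}
ADMIN_SOURCES = {"10.10.5.10", "10.10.5.11"}
FAILED_LOGIN_THRESHOLD = 3
FAILED_LOGIN_WINDOW = timedelta(minutes=5)

class Event(NamedTuple):
    ts: datetime
    host: str
    user: str
    action: str
    result: str
    src: str

class Alert(NamedTuple):
    rule: str
    detail: str

def parse_line(line: str) -> Event:
    ts, host, user, action, result, src = line.split()
    return Event(datetime.fromisoformat(ts), host, user, action, result,
                 src.removeprefix("src="))

def review(lines: Iterable[str]) -> list[Alert]:
    events = sorted((parse_line(l) for l in lines if l.strip()), key=lambda e: e.ts)
    alerts: list[Alert] = []
    # Rule 1: privileged (adm-*) login to a CDE host from outside the jump hosts.
    for e in events:
        if (e.host in CDE_HOSTS and e.action == "login" and e.result == "ok"
                and e.user.startswith("adm-") and e.src not in ADMIN_SOURCES):
            alerts.append(Alert("admin-login-unexpected-source",
                                f"{e.ts.isoformat()} {e.user}@{e.host} from {e.src}"))
    # Rule 2: N failed logins for the same user@host inside a sliding window.
    recent: dict[tuple[str, str], list[datetime]] = defaultdict(list)
    for e in events:
        if e.action == "login" and e.result == "fail":
            key = (e.user, e.host)
            recent[key] = [t for t in recent[key] if e.ts - t <= FAILED_LOGIN_WINDOW]
            recent[key].append(e.ts)
            if len(recent[key]) == FAILED_LOGIN_THRESHOLD:
                alerts.append(Alert("failed-login-burst",
                                    f"{e.user}@{e.host} from {e.src} ending {e.ts.isoformat()}"))
    # Rule 3: a CDE host that logged nothing has a broken or disabled log
    # source; that failure itself must be detected, not read as a quiet day.
    for host in sorted(CDE_HOSTS - {e.host for e in events}):
        alerts.append(Alert("silent-log-source", host))
    return alerts

# Constructed sample day: an admin login from a public address, a burst of
# three failures, and pay-app-02 never reports in.
SAMPLE_LOG = """\
2025-03-03T08:00:12 pay-app-01 svc-pay login ok src=10.10.8.4
2025-03-03T08:05:01 pos-db-01 adm-jane login ok src=10.10.5.10
2025-03-03T09:12:44 pos-db-01 adm-jane login ok src=203.0.113.7
2025-03-03T10:00:00 pay-app-01 bob login fail src=10.10.8.9
2025-03-03T10:00:30 pay-app-01 bob login fail src=10.10.8.9
2025-03-03T10:01:10 pay-app-01 bob login fail src=10.10.8.9
"""

if __name__ == "__main__":
    for a in review(SAMPLE_LOG.splitlines()):
        print(f"[{a.rule}] {a.detail}")
```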
Requirement 11: Test security of systems and networks regularly
- Recognize your environment and regularly search for vulnerabilities and conduct penetration tests: Attackers may get access to an environment through flaws in browsers, email clients, POS software, operating systems, and server interfaces. Many recently discovered flaws and vulnerabilities can be fixed before attackers can take advantage of them by installing security updates and patches for systems in cardholder or sensitive data environments. To find vulnerabilities and repair them, a vulnerability scanning method is helpful. For customized internal applications, code testing and independent penetration testing can reveal many of the flaws frequently found in application code. Penetration testing and vulnerability scans complement each other to promote the highest level of network security. These scans and tests are the best lines of defense in identifying weaknesses so businesses can correct them before deployment.
Requirement 12: Support information security with policies and programs
- Document and regularly update all business security practices: All employees should have easy access to written policies. In the event of a breach, documentation might assist in shielding your company from potential liabilities. Security policies and procedures that are fully and precisely recorded make it easier for forensic investigators to see your firm’s security measures and show how proactive and committed your company is to security. Companies should periodically update their security measures and actions documentation for PCI DSS 4.0 compliance.
- Establish a risk assessment process: PCI mandates that every entity conducts an annual risk assessment that pinpoints key resources, threats, weaknesses, and dangers. Organizations may identify, organize, and manage information security threats using this activity. Giving the identified threats a ranking or score is a component of risk assessment. This will provide you guidance on which vulnerabilities to address first and help set priorities. By methodically classifying, evaluating, and mitigating risks, you can shorten the window of opportunity for an attacker to gain access to your systems, damage them, and eventually shut down the attack.
- Create and test the incident response plan: You must get ready for a data breach’s repercussions. You are responsible for maintaining control of the event, minimizing customer harm, lowering costs related to a data breach, communicating properly with various authorities as specified by various standards and rules, and safeguarding your company. An effective incident response strategy can lessen the effects of breaches, lower fines, lessen negative publicity, and speed up your return to normal operations.
- Provide awareness training to all your employees: Most breaches can be linked to human error. Even though most employees are not malicious, they frequently forget security best practices or are unsure of exactly how they are expected to perform. Unfortunately, many criminals will use human error to obtain private information. Specific guidelines must be given to employees, as well as ongoing training. A security awareness program that involves frequent training will remind them of the value of security, especially by keeping them informed of new security policies and procedures.
Final Thoughts
Now that PCI DSS 4.0 is officially in effect, it’s essential to ensure your organization has fully transitioned to the new requirements. If you haven’t completed the shift yet, start now—strategically and steadily. Spreading out the effort will make the transition more manageable and sustainable.
As you move forward, align your compliance efforts with your broader organizational strategy and security program. Focus on long-term improvements that not only meet PCI DSS 4.0 requirements but also strengthen your overall security posture for the future.
How Fortra Can Help
Fortra’s comprehensive cybersecurity and compliance portfolio empowers businesses to meet the rigorous demands of PCI DSS 4.0 while staying resilient against everyday threats and risks. With a wide range of targeted solutions and services, Fortra helps organizations achieve and maintain compliance — efficiently and effectively. The table below illustrates how Fortra’s solutions align with each PCI DSS 4.0 requirement.
PCI DSS 4.0 Requirement | Fortra Solution |
---|---|
Requirement 1 Install and maintain network security controls | |
Requirement 2 Apply secure configurations | Fortra Integrity and Compliance Monitoring security configuration management functionality ensures businesses monitor the configurations of networks, servers, firewalls, and all other components. |
Requirement 3 Protect stored account data | With Fortra Data Loss Prevention, customers can use pre-defined PCI policies to monitor and block the egress of credit information across a variety of common egress points. It inspects all network traffic and enforces pre-configured policies for PCI and other compliance needs to protect data. |
Requirement 4 Protect cardholder data with strong cryptography during transmission over open, public networks | Fortra Data Loss Prevention protects files containing sensitive PII and PCI data no matter where or how it is shared. Organizations can encrypt and control access to cardholder data, as well as track and audit the data and revoke access to it. |
Requirement 5 Protect systems and networks from malicious software | Fortra’s Powertech Antivirus protects your servers from a comprehensive set of viruses, malware, ransomware, and more. |
Requirement 6 Develop and maintain secure systems and software | Fortra Vulnerability Management helps detect application vulnerabilities early in the development process with dynamic application security testing (DAST) and static application security testing (SAST) solutions. Fortra Vulnerability Management solutions help identify and prioritize vulnerabilities in your environment to close security gaps before attackers find them. Fortra Integrity and Compliance Monitoring configuration management capabilities help detect unplanned changes in your environment for strong system integrity. Fortra Extended Detection and Response includes exposure assessment and management tools, utilizing external, network and agent-based scanning to build a 360-degree view of exposures within IT environments on-premises and in the cloud. Fortra’s PCI ASV scanning can be used with our extended detection and response solutions. Fortra Managed WAF protects web applications by providing continuous detection and prevention for web-based attacks. |
Requirement 7 Restrict access to system components and cardholder data | Fortra’s Core Security Access Assurance Suite helps identify and manage access across your organization in a single interface. Core Privileged Access Manager (BoKS) helps you control access and privilege to critical systems and information. |
Requirement 8 Identify users and authenticate access | Fortra’s Core Password is a leading solution for secure self-service password management, with multiple access options, robust service desk integration, and the ability to enforce consistent password policies for any system, application, or web portal. |
Requirement 9 Restrict physical access | |
Requirement 10 Log and monitor all access | Fortra Integrity and Compliance Monitoring is a correlation engine that provides centralized log collection, analysis, and delivery. Fortra Extended Detection and Response service includes log management, storage and analysis for suspicious and malicious activity at the point of ingestion, using advanced analytics such as UBAD and triaged by a SOC analyst when appropriate. |
Requirement 11 Test security of systems and networks regularly | Fortra Integrity and Compliance Monitoring's integrity management capabilities provide a clear picture to help realize when and where changes were made. As a PCI Approved Scanning Vendor (ASV), Fortra Vulnerability Management solutions help you perform comprehensive security assessments which allow you to prioritize the risks that matter most to your organization. Fortra Extended Detection and Response includes exposure assessment and management tools, utilizing external, network and agent-based scanning to build a 360-degree view of exposures within IT environments on-premises and in the cloud. Fortra Extended Detection and Response can utilize Fortra's PCI ASV scanning. Fortra’s Core Security Core Impact helps conduct advanced penetration tests efficiently. With guided automation and certified exploits, you can safely test your environment using the same techniques as today’s adversaries. |
Requirement 12 Support information security with policies and programs | Fortra Security Awareness Training provides a targeted, engaging, and practical people-centric approach to security awareness training and includes a training module specifically for PCI DSS. |
If you don’t have the capacity to manage all these activities, Fortra Integrity and Compliance Monitoring, Fortra Extended Detection and Response, and Fortra Managed WAF managed services teams can act as an extension of your team to reduce your security risks and simplify PCI DSS 4.0 compliance.