On March 31, 2024, PCI DSS v3.2.1 is retired and every assessment must be performed against PCI DSS v4.0; the future-dated v4.0 requirements then become mandatory on March 31, 2025. Find out what the new obligations are, how to tie them into your enterprise, and how Fortra can help.
For many organizations, 2024 will be a big year. Aside from focusing on increasing revenues, market share, and demand, there will also be a big focus on compliance.
In Fortra’s 2024 State of Cybersecurity Survey, compliance was cited as one of the top 3 initiatives. In that same survey, 91% of respondents feel they know what to do. This is encouraging, and hopefully a sign that frameworks that include clarifying language and more prescriptive guidance are easier to understand and implement.
This is certainly the case with PCI DSS v4.0, which has been in a transition period since its release in March 2022. On March 31, 2024, that transition period ends: v3.2.1 is retired and assessments must be conducted against v4.0. The future-dated requirements introduced in v4.0 remain best practices until March 31, 2025, after which they are mandatory.
Themes in PCI DSS v4.0 Compliance
It’s been two decades since the PCI Security Standards Council (PCI SSC) published the first set of requirements to protect cardholder data. PCI DSS v4.0 represents a significant shift in how organizations maintain compliance.
Over 200 organizations contributed to the latest version, which includes changes that keep the requirements in step with the evolving threat landscape, clarified language to make each topic easier to understand, and a reorganized structure.
In total, there are 64 new requirements. Within these, four themes have emerged, which are outlined below:

| Goal | Purpose |
| --- | --- |
| Continue to meet the security needs of the payment industry | Keep pace with evolving threats to digital transactions |
| Promote security as a continuous process | Move from point-in-time compliance to ongoing monitoring and threat management |
| Add flexibility for alternative methodologies | Leverage innovative methods to achieve outcomes |
| Enhance validation methods and procedures | Discourage criminal actors from fraud attempts |
A full list of the requirements, including the Summary of Changes from v3.2.1 to v4.0, can be found in the PCI Security Standards Council document library.
It’s 2024: What Should I Focus on for PCI Compliance?
In the Fortra survey mentioned earlier, 63% of respondents said they were on track with their compliance efforts (which include reaching PCI DSS v4.0). For the 37% who are not yet on track, note that the majority of the 64 new requirements remain best practices until March 31, 2025.
In fact, for v4.0 assessments performed before that date, only 13 of the new requirements are effective immediately, one of which applies to service providers only. They are listed below.
- 2.1.2
- 3.1.2
- 4.1.2
- 5.1.2
- 6.1.2
- 7.1.2
- 8.1.2
- 9.1.2
- 10.1.2
- 11.1.2
- 12.3.2
- 12.5.2
- 12.9.2 (Service Providers Only)
This may seem like a lot, but ten of these (2.1.2 through 11.1.2) only require that the roles and responsibilities for each requirement are documented, assigned, and understood.
Additionally, the PCI DSS Prioritized Approach, updated for v4.0, helps organizations decide where to start. It consists of six milestones, summarized below:
- Do not store any unnecessary authentication data
- Protect network and system access points
- Secure payment applications
- Control access to your systems
- Protect all stored cardholder data
- Comply with industry standards and ensure all controls are in place
The most sweeping changes revolve around authentication and encryption, especially as the payments industry has moved to the cloud. Multi-factor authentication is now required for all access into the cardholder data environment, not only for administrators, and encryption requirements have been expanded to cover even trusted networks.
Check out this video for more tips on how to prepare: https://www.fortra.com/resources/video/how-to-prepare-pci-dss-4
Closing Advice
The new requirements in PCI DSS v4.0 compliance represent major changes. We would recommend an assessment if you haven’t done one recently to identify the current state of your PCI controls, processes, and documentation. Once you have identified your gaps, you can create a plan to address them.
Also, understand that you don’t have to do this alone: Fortra has the resources to help. Make Fortra your relentless ally as you leverage our tools, talent, and resources to stay PCI DSS v4.0 compliant.
PCI DSS 4.0 Compliance: Tips to Avoid Last-Minute Panic
Download the guide to brush up on PCI DSS 4.0 changes and compliance requirements.