Prepare for PCI DSS v4.0 | Info-Tech Research Group

Complying with new PCI DSS requirements will require significant resources.
It is unclear how the new PCI DSS requirements will impact your IT environment and business procedures.
Not meeting compliance obligations will jeopardize trusted relationships.

Our Advice

Critical Insight

Your PCI compliance program needs to evolve to meet constantly evolving or new requirements.
It is best to collaborate, start early, and prioritize tasks and initiatives in a way that takes advantage of the PCI DSS v4.0 transition timeline.

Impact and Result

This approach is a straightforward guide to transitioning from PCI DSS v3.2.1 to v4.0, and is built on the following phases:
- Defining and documenting the scope
- Performing a gap analysis
- Prioritizing and completing tasks and initiatives
- Confirming gaps have been closed

Prepare for PCI DSS v4.0 Research & Tools

1. Prepare for PCI DSS v4.0

This storyboard describes the necessary steps to transition from PCI DSS v3.2.1 to v4.0, allowing the member to develop their own navigable road map for driving the transition.

Member Testimonials

After each Info-Tech experience, we ask our members to quantify the real-time savings, monetary impact, and project improvements our research helped them achieve. See our top member experiences for this blueprint and what our clients have to say.

9.0/10

Overall Impact

$6,000

Average $ Saved

3

Average Days Saved

Client

Experience

Impact

$ Saved

Days Saved

Testimonial

St. Francis Xavier University

Guided Implementation

10/10

$10,000

5

CPA Alberta

Guided Implementation

8/10

$2,000

1

Bob was able to reassure me that we were on the right path for our PCI DSS journey. He promptly sent along some additional information which we wil... Read More

Prepare for PCI DSS v4.0

Start early with a collaborative effort for a successful transition to the new version of the PCI DSS.

Analyst Perspective

“…organization will set you free.”

Alton Brown

The image contains a picture of Bob Wilson.

As the threat landscape shifts and risks to organizations evolve, so too must security standards to effectively address current and relevant risks.

To that end, the Payment Card Industry Security Standards Council has released version 4.0 of the Data Security Standards, the first major release since 2013. Changes are significant and may be onerous, even to those entities that are compliant with the PCI DSS version 3.2.1. One of the goals of the new version of the PCI DSS is to “promote security as a continuous process” and even though the effort to comply with updated and new requirements may be high, doing so will improve the information security posture of a compliant organization.

There may be a lot of work to do but given the generous three-year timeline between the publishing of the new standard and the date all new and updated controls become effective, there is time to tackle the effort in manageable chunks.

Bob Wilson, CISSP
Research Advisor, Security and Privacy

Info-Tech Research Group

Executive Summary

Your Challenge	Common Obstacles	Info-Tech’s Approach
Complying with new the PCI obligations will require significant resources; you must create a cost-effective plan to minimize business and IT operational impact. It is unclear how the complexity of new PCI DSS requirements will impact your IT environment and business procedures. Not meeting compliance obligations will jeopardize already trusted relationships with customers and business partners.	PCI DSS compliance goes beyond IT and requires participation from all business divisions. Compliance may require drastic changes to existing business processes. The full scope of the cardholder data environment may not be readily apparent.	Info-Tech’s approach to facilitate a transition from the previous version of the PCI DSS to the newest version will borrow from previous research. This approach will assume the entity is already compliant with PCI DSS v3.2.1, as a starting point, and will proceed by: Initiating the transition effort. Defining and documenting the scope. Performing a gap analysis. Prioritizing and completing tasks and initiatives. Confirming gaps have been closed.

Info-Tech Insight

Your PCI compliance program must evolve to meet constantly evolving or new requirements.

It is best to collaborate, start early, and prioritize tasks and initiatives in a way that takes advantage of the PCI DSS v4.0 transition timeline.

PCI DSS Overview

The Payment Card Industry Security Standards Council (PCI SSC) is a global forum that brings together payments industry stakeholders to develop and drive adoption of data security standards and resources for safe payments worldwide.

The PCI Data Security Standard (PCI DSS) is a global standard that provides a baseline of technical and operational requirements designated to protect payment data. PCI DSS v4.0 is the next evolution of the standard.

Build and Maintain a Secure Network and Systems	1. Install and maintain network security controls 2. Apply secure configurations to all components
Protect Account Data	3. Protect stored account data 4. Protect cardholder data with strong cryptography
Maintain a Vulnerability Management Program	5. Protect all systems and networks from malicious software. 6. Develop and maintain secure systems and software
Implement Strong Access Control Measures	7. Restrict access by business need to know 8. Identify users and authenticate access to components 9. Restrict physical access to cardholder data
Regularly Monitor and Test Networks	10. Log and monitor all access 11. Test security systems and networks regularly
Maintain an Information Security Policy	12. Support information security with organizational policies and programs

The 4 goals of PCI DSS v4.0

Continue to meet the security needs of the payments industry.	Promote security as a continuous process.	Flexibility for entities to achieve security objectives.	Enhance validation methods and procedures.
Expanded multi-factor authentication and password requirements. New e-commerce and phishing requirements to address ongoing threats.	Clearly assigned roles and responsibilities. Added guidance on how to implement and maintain security. Reporting option to highlight areas for improvement.	Allowance of group, shared, and generic accounts. Targeted risk analyses empower organizations to establish frequencies for performing certain activities.	Increased alignment between information reported in a Report on Compliance or Self-Assessment Questionnaire and information summarized in an Attestation of Compliance.

What’s different?

Different Approaches

Security as a Process

Evolved Requirements

Entities may choose
the defined approach:

requirements are implemented as described in the PCI DSS,
OR
a customized approach:
entities can implement controls in a way that meets the requirement objectives.

Version 4.0 of the PCI DSS focuses on promoting data security as a constant process, rather than a periodic event. There are requirements to monitor the effectiveness of controls as part of a
Business as Usual process.

Requirements were updated or added to address current risks and technologies. Some changes in languages better accommodate cloud services.

The types of changes

Evolving requirement - Changes to ensure that the standard is up-to-date with emerging threats and technologies, and changes in the payment industry. Examples include new or modified requirements or testing procedures, or the removal of a requirement.

Clarification or guidance - Updates to wording, explanation, definition, additional guidance, and/or instruction to increase understanding or provide further information or guidance on a particular topic.

Structure or format - Reorganization of content, including combining, separating, and renumbering of requirements to align content.

New Requirements

New requirements were added

A total of 64 requirements have been added to version 4.0 of the PCI DSS.

New requirements become effective March 31, 2024

The other 51 new requirements are considered best practice until March 31, 2025, at which point they will become effective.

New requirements only for service providers

11 of the new requirements are applicable only to entities that provide party services to merchants.

About Info-Tech

Info-Tech Research Group is the world’s fastest-growing information technology research and advisory company, proudly serving over 30,000 IT professionals.

We produce unbiased and highly relevant research to help CIOs and IT leaders make strategic, timely, and well-informed decisions. We partner closely with IT teams to provide everything they need, from actionable tools to analyst guidance, ensuring they deliver measurable results for their organizations.

What Is a Blueprint?

A blueprint is designed to be a roadmap, containing a methodology and the tools and templates you need to solve your IT problems.

Each blueprint can be accompanied by a Guided Implementation that provides you access to our world-class analysts to help you get through the project.

Table of Contents

Talk to an Analyst

Our analyst calls are focused on helping our members use the research we produce, and our experts will guide you to successful project completion.

Book an Analyst Call on This Topic

You can start as early as tomorrow morning. Our analysts will explain the process during your first call.

Get Advice From a Subject Matter Expert

Each call will focus on explaining the material and helping you to plan your project, interpret and analyze the results of each project step, and set the direction for your next project step.

Authors

Petar Hristov

Bob Wilson

Search Code: 100045
Last Revised: November 28, 2022

TAGS:

PCI DSS, Payment Card Industry, Data Security Standards, Cardholder Environment, Sensitive Authentication Data, Credit Card, P2PE, Merchant, Compliance, Debit Card, Security Compliance

Visit our Exponential IT Research Center
Over 100 analysts waiting to take your call right now: 1-519-432-3550 x2019