If your business accepts credit card payments, you need to make sure you’re compliant with the new release, version 4.0, of the PCI DSS regulations before midnight on March 31st, 2025.
PCI DSS Version 4.0
The Payment Card Industry Data Security Standard (PCI DSS) is the body of regulations that businesses that handle credit card payments (merchants) must comply with.
It was created by the big five credit card companies: Visa, MasterCard, American Express, Discover, and JCB. It comprises a set of security standards that ensure merchants process, store, and transmit card information in a secure way.
PCI DSS Version 3.2.1 has been mandatory since 2018. Its replacement, Version 4.0, was released on March 31, 2022. There is a grace period during which both the old and new standards may be in effect, allowing organizations time to transition. The standard continually evolves to keep pace with emerging threats, new technologies, and best practices.
Additionally, PCI DSS Version 4.0.1 was released on June 25, 2024, including various clarifications and minor adjustments to the requirements introduced in Version 4.0. The parts of Version 4.0 that become mandatory will be fully effective at midnight on March 31, 2025.
Version 4.0.1 runs to a massive 397 pages, so we can’t cover everything in it in this article, but we’ve pulled out what are likely to be the big-ticket items for the majority of small to medium businesses.
Talk To Your PCI Service Provider
If you use a payment partner such as WorldPay, or Opayo (SagePay’s new name), contact them and find out what they’ve done regarding PCI DSS 4.0, and what remains for you to do.
You might not need to put additional technical measures in place, if:
- You use card terminals provided by your payment processing partner that are encrypted, and provide a secure connection from the terminal to your PCI service provider’s systems
- You do not store any of the numbers from the cards, including the Primary Account Number (the PAN or long card number), the valid to/from dates, and the Card Verification Value (CVV) on the back of a card
- You do not store any of the data encoded in the stripe of the card
- You do not store any of the authentication data
However, if you retain any card data, or process payments in-house, or use payment terminals that access your regular network, then you must satisfy the technical requirements of the standard for increased security.
You might already meet some of the new requirements if you follow current PCI best practices. What PCI DSS 4.0 does is make the recommended best practices mandatory.
Document Who Does What
Requirements 2 through 11 all have a Defined Approach Requirements clause. They all state:
“Roles and responsibilities for performing activities in [this requirement] are documented, assigned, and understood.”
In other words, you must document which person is responsible for each of the different requirements. The same person could be responsible for many or all of these.
This is aimed at fostering a best security practices culture in your business. It also makes things simpler if you have an incident, because your teams should know who is going to do what. It’ll also provide guidance for auditors, should you be audited.
A detailed and robust incident response plan, detailing how to respond to, and recover from, a security breach, and who will perform those actions, is vital.
Speak to your PCI services provider first, and determine what responsibilities they are taking on, and what responsibilities you must shoulder. You must ensure that any third-party service providers you use comply with PCI DSS requirements, as they can impact the overall security of cardholder data.
The Big-Ticket Changes
These are the major items. As is always the case, the devil is in the details, so we encourage you to review the PCI DSS 4.0 regulations for yourselves.
1. Phishing Attack Defences
Because about 90% of successful cyber attacks start with a phishing or other social engineering attack, you must have defences against phishing attacks, and you must train your staff to recognize phishing attacks, and other attack indicators.
Cybersecurity awareness training is now mandatory, and must be given to new staff when they join, and at least annually for all other staff.
Staff must be tested, using techniques such as benign phishing campaigns. Failing staff must be retrained and retested.
2. Six-Monthly Reviews of User Accounts
Every six months, you need to review the privileges granted to each user account. If they have higher privileges than their job or role requires, their privileges must be amended so that they have the minimum required privileges for their role.
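One way to make the six-monthly review repeatable is to hold a least-privilege baseline per role and diff each account against it, so the output is a list of concrete removals rather than a judgement call. The script below is an added example written for this article, not code from PCI DSS or any vendor; the role names, privilege names and the account export are constructed sample data.

```python
# Added example, not from the original article: a privilege review that
# compares each account's actual privileges with the minimum set defined
# for its role and reports anything above that minimum.
# Role names, privilege names and accounts below are constructed sample data.

from dataclasses import dataclass

# Hypothetical least-privilege baseline: what each role needs, and no more.
ROLE_BASELINE = {
    "cashier": {"pos_sale", "pos_refund_request"},
    "store_manager": {"pos_sale", "pos_refund_request", "pos_refund_approve", "report_view"},
    "sysadmin": {"server_login", "patch_deploy", "log_view"},
}


@dataclass(frozen=True)
class Account:
    username: str
    role: str
    privileges: frozenset


# Constructed export from an identity system (sample data, not real accounts).
ACCOUNTS = [
    Account("alice", "cashier", frozenset({"pos_sale", "pos_refund_request"})),
    Account("bob", "cashier", frozenset({"pos_sale", "pos_refund_request", "pos_refund_approve"})),
    Account("carol", "store_manager", frozenset({"pos_sale", "report_view", "server_login"})),
    Account("dave", "sysadmin", frozenset({"server_login", "patch_deploy", "log_view"})),
    Account("erin", "contractor", frozenset({"report_view"})),
]


def review_accounts(accounts, baseline):
    """Return {username: sorted list of excess privileges} for every account
    that holds more than its role baseline allows. An account whose role has
    no baseline is reported with all of its privileges, because none of them
    can be justified against a defined role."""
    findings = {}
    for acct in accounts:
        allowed = baseline.get(acct.role)
        excess = acct.privileges if allowed is None else acct.privileges - allowed
        if excess:
            findings[acct.username] = sorted(excess)
    return findings


def remediation_plan(findings):
    """Turn findings into the 'remove privilege X from user Y' actions that
    the review should produce, carry out, and keep as audit evidence."""
    return [
        f"remove {priv} from {user}"
        for user, privs in sorted(findings.items())
        for priv in privs
    ]


if __name__ == "__main__":
    for action in remediation_plan(review_accounts(ACCOUNTS, ROLE_BASELINE)):
        print(action)
```

Running it against the sample data flags bob (a cashier who can approve refunds), carol (a store manager with a server login) and erin (a role with no agreed baseline at all); alice and dave match their roles exactly and produce nothing. Keeping the baseline in version control alongside the dated output gives an auditor the evidence trail the standard asks for.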
3. Tighter Password Requirements
The minimum acceptable password length has been increased to 12 characters. Passwords must not be hard-coded in files or scripts.
4. Multi-factor Authentication to Card Data Environment
If you have a Card Data Environment (CDE), access to it must be secured with multi-factor authentication. This can be accomplished using app-based authentication or physical security fobs.
5. Automated Daily Log Reviews
System logs must be reviewed on a daily basis, and suspicious activity must be investigated. Note that the log reviews must be done automatically, and logs need to be retained for a minimum of 12 months.
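"Automated" here means a scheduled job that reads the day's logs and raises findings, not a person scrolling through them. As an added illustration of what such a job does (this is example code written for this article, not part of the standard or of any product), the script below parses SSH authentication events from a constructed sample log and flags three patterns worth a daily look: a run of failed logins that ends in a success, logins outside working hours, and direct logins as root. The log lines, hostnames and addresses are all constructed; the threshold and working-hours window are assumptions to tune for your own environment.

```python
# Added example, not from the original article: a daily automated review of
# SSH authentication events. The log below is constructed sample data, not
# output from any real system; 203.0.113.x / 198.51.100.x / 192.0.2.x are
# documentation address ranges.

import re
from collections import defaultdict

SAMPLE_LOG = """\
2025-03-10T02:14:01Z pos-srv1 sshd[812]: Failed password for admin from 203.0.113.7 port 50112
2025-03-10T02:14:03Z pos-srv1 sshd[812]: Failed password for admin from 203.0.113.7 port 50114
2025-03-10T02:14:05Z pos-srv1 sshd[812]: Failed password for admin from 203.0.113.7 port 50118
2025-03-10T02:14:06Z pos-srv1 sshd[812]: Failed password for admin from 203.0.113.7 port 50120
2025-03-10T02:14:08Z pos-srv1 sshd[812]: Failed password for admin from 203.0.113.7 port 50122
2025-03-10T02:14:09Z pos-srv1 sshd[812]: Accepted password for admin from 203.0.113.7 port 50124
2025-03-10T09:02:11Z pos-srv1 sshd[950]: Accepted publickey for deploy from 192.0.2.20 port 41000
2025-03-10T09:05:40Z pos-srv1 sudo: deploy : TTY=pts/0 ; COMMAND=/usr/bin/apt upgrade
2025-03-10T11:30:00Z pos-srv1 sshd[1010]: Failed password for svc from 203.0.113.9 port 40001
2025-03-10T11:30:02Z pos-srv1 sshd[1010]: Failed password for svc from 203.0.113.9 port 40002
2025-03-10T11:30:04Z pos-srv1 sshd[1010]: Failed password for svc from 203.0.113.9 port 40003
2025-03-10T11:30:06Z pos-srv1 sshd[1010]: Failed password for svc from 203.0.113.9 port 40004
2025-03-10T11:30:08Z pos-srv1 sshd[1010]: Failed password for svc from 203.0.113.9 port 40005
2025-03-10T23:41:00Z pos-srv1 sshd[1201]: Accepted password for root from 198.51.100.5 port 39000
"""

# Matches sshd login outcomes; anything else (e.g. the sudo line) is ignored.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: (?P<result>Failed|Accepted) "
    r"(?:password|publickey) for (?P<user>\S+) from (?P<src>\S+) port \d+"
)


def parse_events(log_text):
    """Yield one dict per sshd login event in the order they were logged."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()


def review_log(log_text, fail_threshold=5, work_hours=(6, 20)):
    """Return a sorted list of (finding, user, source) tuples.

    fail_threshold and work_hours are assumed tuning values for this example.
    """
    findings = set()
    failures = defaultdict(int)  # (user, src) -> failures since last success
    for ev in parse_events(log_text):
        key = (ev["user"], ev["src"])
        if ev["result"] == "Failed":
            failures[key] += 1
            continue
        # From here on the event is an accepted login.
        if failures[key] >= fail_threshold:
            findings.add(("brute_force_success", ev["user"], ev["src"]))
        failures[key] = 0
        hour = int(ev["ts"][11:13])  # ISO-8601 timestamp, hour field
        if not (work_hours[0] <= hour < work_hours[1]):
            findings.add(("out_of_hours_login", ev["user"], ev["src"]))
        if ev["user"] == "root":
            findings.add(("direct_root_login", ev["user"], ev["src"]))
    # Failure bursts with no success at all still merit investigation.
    for (user, src), count in failures.items():
        if count >= fail_threshold:
            findings.add(("repeated_failures", user, src))
    return sorted(findings)


if __name__ == "__main__":
    for finding in review_log(SAMPLE_LOG):
        print(*finding)
```

Against the sample log it produces five findings: the admin account is logged in at 02:14 after five failures (both a brute-force success and an out-of-hours login), svc accumulates five failures with no success, and root logs in directly at 23:41. The deploy user's daytime key-based login and the sudo entry produce nothing. In practice the job runs once a day from a scheduler, reads the previous day's retained logs, and writes its findings to a ticket queue so that each one is visibly investigated and closed.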
6. Penetration Testing and Vulnerability Scans
According to requirement 11.4, internal vulnerability and external penetration scans must be “regularly performed, and exploitable vulnerabilities and security weaknesses are corrected”.
New exposures and vulnerabilities are discovered all the time, which is why the scans need to be repeated periodically. You might already have penetration scans performed by your payment partner.
Vulnerability scans must be performed quarterly. They are a similar process to penetration testing, but conducted inside your network, looking for issues such as deprecated software and unsupported or unpatched operating systems.
7. Technical Measures
Depending on your volumes of credit card transactions and their total monetary value, you might be required to implement a Managed Detection and Response system, or a Managed Extended Detection and Response system, which includes Threat Detection and Response. Continuous monitoring and regular testing of security systems and processes are vital to ensure ongoing compliance and security.
Intrusion and threat detection systems can detect system compromises that standard anti-virus and anti-malware end-point security cannot. End-point security must still be in place, of course, as it serves a different purpose.
Anti-phishing measures, such as Domain-based Message Authentication, Reporting and Conformance (DMARC), need to be utilised.
Controls need to be in place to stop the copying of the Primary Account Number (the PAN or long card number) when using remote access software and to detect when a PAN is saved outside of the Card Data Environment.
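Both the PAN control above and the earlier rule that passwords must not be hard-coded in files or scripts come down to the same defensive habit: scan the places card data should never be (ticket exports, shared drives, scripts, config) for things that should not be there. The script below is an added example written for this article, not code from the standard or any DLP product. It finds candidate card numbers by length plus the Luhn check, so order references and other digit strings are not reported, masks what it finds so the report itself does not leak the number, and separately flags hard-coded password assignments. The sample file content is constructed; the card numbers in it are the public Visa and Mastercard test numbers, not real cards.

```python
# Added example, not from the original article: scan text that lives outside
# the Card Data Environment for (a) primary account numbers and (b) hard-coded
# passwords. SAMPLE_FILE is constructed; 4111... and 5555... are the widely
# published test card numbers, and "Winter2024!" is an invented value.

import re

SAMPLE_FILE = """\
# constructed sample: a support-ticket export that ended up on a shared drive
ticket 1042: customer paid with card 4111 1111 1111 1111, refund requested
ticket 1043: order ref 1234-5678-1234-5678 (not a card number)
ticket 1044: mastercard 5555555555554444 declined twice
db_password = "Winter2024!"
api_secret = ${API_SECRET}
"""

# 13 to 19 digits, optionally separated by spaces or hyphens, not embedded
# in a longer digit run.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# key = value / key: value where the key looks like a password field.
SECRET_RE = re.compile(r"(?i)(password|passwd|pwd|secret)\s*[:=]\s*['\"]?([^'\"\s;]+)")


def luhn_ok(digits):
    """Standard Luhn (mod 10) check over a string of digits."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan):
    """Keep the first six and last four digits so the finding can be traced
    to a card without the report itself becoming stored card data."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_pans(text):
    """Return masked PANs: digit runs that are card-length and pass Luhn."""
    found = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            found.append(mask_pan(digits))
    return found


def find_hardcoded_passwords(text):
    """Return (line number, matched key) for literal password assignments.
    Values that are environment-variable references (${NAME}) are allowed;
    the secret value itself is deliberately not returned."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = SECRET_RE.search(line)
        if m and not m.group(2).startswith("${"):
            hits.append((lineno, m.group(1)))
    return hits


if __name__ == "__main__":
    print("PANs found:", find_pans(SAMPLE_FILE))
    print("hard-coded passwords at:", find_hardcoded_passwords(SAMPLE_FILE))
```

On the sample it reports two masked card numbers and ignores the 16-digit order reference, which fails the Luhn check, and it flags the literal database password on line 5 while accepting the environment-variable reference on line 6. Run over a shared drive or a code repository on a schedule, the first list is exactly the "PAN saved outside the CDE" detection the requirement asks for, and the second catches the hard-coded credentials that the password rule forbids.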
Act Now, Don’t Delay
If you’re already operating under the PCI DSS, you’ll know that non-compliance can result in your payment partner refusing to process transactions, or imposing extra charges until you are compliant once more.
We can’t cover the whole of an almost 400 page document in a short piece like this, so refer to the standard yourself (you’ll need to agree to a free license agreement), and consult your PCI service provider about what responsibility sits with them, and what sits with you, and whether you’re covered because of the nature of your payment terminals.
You will need thorough documentation and evidence of your compliance efforts, as these will be crucial during audits.
Of course, Pro-Networks are ready to assist. If you’ve got any questions or concerns, just let us know. We’re always pleased to help.