December 4, 2024

Preparing for PCI DSS v4.0 Future-Dated Requirements

The Payment Card Industry Data Security Standard (PCI DSS) v4.0 is designed to adapt to the evolving cybersecurity landscape and strengthen the protection of payment card data. One of the key components of PCI DSS v4.0 is the introduction of future-dated requirements, which provide organizations with additional time to meet the standard’s new security controls. These requirements represent significant additional effort and investment for assessed entities, becoming mandatory after March 31, 2025—marking one year after version 3.2.1 was officially retired. It’s crucial that organizations begin preparing now, as these changes may take considerable time to implement. The good news is that many organizations will already have some of these requirements in place, as some align with security best practices and other compliance framework mandates. 

Reviewing Future-Dated Requirements: Significant Effort and Modern Security Practices 

The future-dated requirements in PCI DSS v4.0 (those indicated as “a best practice until 31 March 2025”) are more than just compliance obligations—they incorporate modern cybersecurity best practices. Although they may require significant changes to in-scope environments, these practices not only enhance security and meet compliance, but also help mitigate other risks. These changes must be reviewed and addressed immediately to avoid scrambling to meet deadlines and to ensure the security of your cardholder data environment (CDE). 

Some of the key future-dated requirements include: 

  • Disk-level encryption will no longer qualify as encryption at rest, except on removable electronic media (Requirement 3.5.1.2). For other media, disk-level encryption solutions will not be compliant for PCI DSS. Organizations will need to move to more granular encryption strategies, such as file- or column-level encryption for the database or a data-level encryption method applied prior to storage. 
  • Certificates used for transmitting Primary Account Numbers (PAN) over open, public networks must be valid and not expired or revoked (Requirement 4.2.1). This requirement ensures secure communications and prevents attackers from exploiting weak or expired certificates. 
  • Additional inventories must be developed and maintained, covering: 
    • Trusted keys and certificates (Requirement 4.2.1.1) 
    • Bespoke or custom software, including third-party components (Requirement 6.3.2) 
    • Payment page scripts (Requirement 6.4.3) 
    • Cipher suites and protocols (Requirement 12.3.3) 

Maintaining accurate inventories of these components is critical to ensure transparency and control over the security of your CDE. 

  • All in-scope systems must be periodically evaluated for susceptibility to malware (Requirement 5.2.3.1). Organizations need clear procedures for determining which systems are susceptible to malware and for implementing controls accordingly, and they should define “susceptible to malware” within the context of their own environment. 
  • Removable media must be scanned or continuously analyzed for malware (Requirement 5.3.3), addressing the risks associated with external devices. Malware introduced through removable media continues to be a major threat vector, and organizations need proactive defenses. 
  • Processes and automated mechanisms to protect against phishing must be implemented (Requirement 5.4.1). Phishing remains one of the most common attack vectors, and automated defenses, such as email filtering and link scrubbers, are now a requirement. 
  • Public-facing web applications must be protected by an automated technical solution like a web application firewall (WAF) (Requirement 6.4.2). Manual application review will no longer suffice, highlighting the need for ongoing, automated defenses against application-layer attacks. 
  • Payment page scripts must be managed to ensure authorization and integrity (Requirement 6.4.3). This requirement addresses the risk of malicious script injections, which can compromise payment data at the point of transaction. 
  • Automated Mechanisms for Change Detection: Under PCI DSS v4.0, Requirement 11.6.1 requires organizations to implement automated mechanisms that monitor and detect changes to critical files, including operating system files, application files, and configuration files. These changes must be logged and reviewed, and any unauthorized modification should trigger an alert. This proactive approach helps organizations swiftly identify potential security threats and respond to suspicious activity before it escalates into a breach. 
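To illustrate the script inventory and change detection the list above calls for (Requirements 6.4.3 and 11.6.1), here is an added Python example that is not from the original post or from any PCI-published tooling: it records an SRI (sha384) hash for each authorized payment page script, generates the matching `integrity` attribute, and flags scripts that are added, modified, or missing in a later snapshot. All paths and script bodies are constructed sample data.

```python
import base64
import hashlib
from typing import Dict, List, Tuple

def sri_hash(body: bytes) -> str:
    """Subresource Integrity value (sha384-<base64>) for one script body."""
    digest = hashlib.sha384(body).digest()
    return "sha384-" + base64.b64encode(digest).decode("ascii")

def build_inventory(scripts: Dict[str, bytes]) -> Dict[str, str]:
    """Record the approved hash of every authorized payment page script."""
    return {path: sri_hash(body) for path, body in scripts.items()}

def detect_changes(inventory: Dict[str, str],
                   observed: Dict[str, bytes]) -> List[Tuple[str, str]]:
    """Compare the scripts currently served with the approved inventory.
    Returns (path, finding) pairs; an empty list means nothing changed."""
    findings: List[Tuple[str, str]] = []
    for path, body in observed.items():
        if path not in inventory:
            findings.append((path, "unauthorized script added"))
        elif sri_hash(body) != inventory[path]:
            findings.append((path, "authorized script modified"))
    for path in inventory:
        if path not in observed:
            findings.append((path, "authorized script missing"))
    return findings

def integrity_attribute(inventory: Dict[str, str], path: str) -> str:
    """Script tag that pins an approved script to its inventoried hash, so the
    browser refuses to run it if the served content no longer matches."""
    return (f'<script src="{path}" integrity="{inventory[path]}" '
            'crossorigin="anonymous"></script>')

# Constructed sample data (hypothetical paths and bodies): the approved script
# set, and a later snapshot in which one script changed and one appeared.
APPROVED = build_inventory({
    "/static/checkout.js": b"function submitCard(){/* approved build */}",
    "/static/analytics.js": b"track('checkout');",
})
SNAPSHOT = {
    "/static/checkout.js": b"function submitCard(){/* approved build */}",
    "/static/analytics.js": b"track('checkout'); track('extra');",
    "/static/extra.js": b"// not in the authorized inventory",
}

if __name__ == "__main__":
    for path, finding in detect_changes(APPROVED, SNAPSHOT):
        print(f"ALERT {finding}: {path}")
```

In practice the snapshot would come from fetching the live payment page on a schedule, and each finding would be logged and routed to the alerting process the requirement asks for.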

User Account and Password Management: Strengthened Controls 

Managing user access is a core component of PCI DSS, and v4.0 introduces additional controls to enhance security: 

  • User accounts must be reviewed at least every six months (Requirement 7.2.4), and application and system accounts must also be reviewed periodically (Requirement 7.2.5). This separation ensures that both user access and system-level access are tightly controlled. 
  • Where passwords are used, stricter guidelines must be followed: 
    • Minimum password length must be 12 characters, unless the system cannot support it, in which case 8 characters is the minimum (Requirement 8.3.6). 
    • Passwords cannot be hard coded into systems (Requirement 8.6.2). 
  • Multi-factor authentication (MFA) is required for all access into the CDE, not just for privileged access (Requirement 8.4.2). Under PCI DSS v4.0, MFA is required for any user accessing the cardholder data environment (CDE), whether through a network or an application; the only exception is direct physical (console) access. This means that even if a user connects to a network that is part of the CDE, they must complete an MFA step. However, once a user has performed MFA to enter the CDE (e.g., by connecting to the CDE network), they do not need to repeat MFA when accessing applications hosted on that network: MFA is required only at the initial point of entry. 

Vulnerability Management and Encryption Updates 

PCI DSS v4.0 introduces more rigorous requirements around vulnerability management: 

  • Internal vulnerability scans must be authenticated (Requirement 11.3.1.2): the scanner must be configured with credentials for an account with privileged access so that it can check for vulnerabilities using that privileged account. 
  • Identified vulnerabilities, even if not ranked as high-risk or critical, must still be addressed based on frequencies defined in the organization’s targeted risk analysis (Requirement 11.3.1.1). This means that low- or medium-risk vulnerabilities cannot be ignored—they must be assessed and mitigated as appropriate. 
  • Cryptographic suites and protocols must be formally reviewed annually, with active monitoring of industry trends (Requirement 12.3.3). This ensures that encryption mechanisms remain current and secure, especially as cryptographic standards evolve. 
  • All hardware and software technologies in use must be formally reviewed annually to ensure they are effective and not reaching “end of life” (Requirement 12.3.4). 

Incident Response and Other Key Changes 

PCI DSS v4.0 also updates incident response requirements to reflect the need for more specific planning: 

  • The incident response plan must address incidents where PAN is found outside of authorized locations (Requirement 12.10.7), providing clear steps for containing and addressing potential data breaches involving sensitive cardholder data. 

These changes highlight the need for businesses to take a proactive approach to security and compliance, ensuring that both operational and security practices align with PCI DSS v4.0. 

Final Thoughts: Start Preparing Now 

Given the significant changes and additional effort required by the future-dated requirements, organizations should start planning now to ensure timely compliance. Work closely with your Qualified Security Assessor (QSA) to fully understand the scope and impact of these changes on your environment, as differences may apply based on the details of your CDE, your in-scope environment, and any compensating controls or customized approaches you use for requirements. The effort you invest in preparation today will pay off in stronger security and smoother PCI assessments in the future. 

By addressing these requirements now, you not only prepare for compliance but also strengthen your overall security posture, ensuring a more resilient defense against the evolving threat landscape. 

We Can Help 

Tevora’s experienced experts can answer any questions about PCI and would welcome the opportunity to help you meet compliance standards. Just give us a call at (833) 292-1609 or email us at sales@tevora.com