What Are the New PCI DSS 4.0 Requirements That May Affect Your Organization?
PCI DSS Applicability Information. This updated section clarifies that some PCI DSS requirements may apply to entities that do not store, process, or transmit primary account numbers (PAN). As a result, your organization may need to follow PCI requirements in business functions that were previously out of scope.
Scope of PCI DSS Requirements. The PCI standard has evolved to address newer technologies and platforms. This includes an updated applicability of PCI DSS requirements and an updated definition of the cardholder data environment (CDE). Additionally, the scope of the requirements now explicitly covers cloud and other system components.
Encrypted Cardholder Data and Impact on PCI DSS Scope. The new standard addresses the longstanding issue that disk-level encryption alone provides unreliable protection for cardholder data, and details new encryption requirements including field- and column-level encryption. It also adds a new sub-section, Encrypted Cardholder Data and Impact on PCI DSS Scope for Third-Party Service Providers.
Description of Timeframes Used in PCI DSS Requirements. A significant change is a new section written to clarify the frequencies and timeframes specified in PCI DSS and the related expectations.
Approaches for Implementing and Validating PCI DSS. A new section on this topic will explain and illustrate the two approaches, defined and customized, for implementing and validating PCI DSS.
Enhanced testing procedures to clarify the level of validation expected for each requirement. The new standard will provide additional and enhanced testing procedures for each requirement, which your PCI assessor can outline with you in more detail.
Testing Methods for PCI DSS Requirements. In the new standard, a new section is dedicated to describing testing methods for PCI DSS Testing Procedures and the corresponding activities to be performed by the assessor.
New testing requirements and solutions for malware. New requirements define the frequency of periodic malware scans through the entity's targeted risk analysis, and add a requirement for anti-malware solutions covering removable electronic media.
New requirements for user access and controls. These include an updated review methodology for all user accounts and their related access privileges, and updated assignment and management of all application and system accounts and their related access privileges.
Password requirement changes. The new standard requires the minimum password length to increase from seven characters to 12 characters (if the system does not support 12 characters, the minimum is eight characters). Multi-factor authentication (MFA) is now required for all access into the cardholder data environment. For service providers, PCI DSS 4.0 now requires passwords to be changed at least once every 90 days.
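As an added example (not part of the original article), the following Python check encodes the three password parameters listed above: the 12-character minimum with the eight-character fallback for systems that cannot support 12, MFA enforcement for CDE access, and the 90-day rotation limit for service providers. The inputs (the system's maximum supported password length, the service-provider flag, and the sample account values) are assumptions supplied by the caller; the sample data is constructed.

```python
"""PCI DSS 4.0 password-parameter check (added example, not from the original article).

Assumptions, labelled: the caller knows the longest password the target system can
store (`system_max_length`), whether the entity is a service provider, and whether MFA
is enforced for CDE access. All sample values below are constructed."""
from dataclasses import dataclass, field
from datetime import date

PREFERRED_MIN_LENGTH = 12            # PCI DSS 4.0 minimum when the system supports it
FALLBACK_MIN_LENGTH = 8              # permitted minimum when 12 characters are not supported
SERVICE_PROVIDER_MAX_AGE_DAYS = 90   # rotation limit for service providers


@dataclass
class PolicyResult:
    ok: bool
    findings: list = field(default_factory=list)


def required_min_length(system_max_length: int) -> int:
    """Return the minimum password length the system must enforce.

    The fallback applies only when the system genuinely cannot store 12 characters;
    a system that supports 12 or more must enforce the full 12-character minimum."""
    if system_max_length >= PREFERRED_MIN_LENGTH:
        return PREFERRED_MIN_LENGTH
    return FALLBACK_MIN_LENGTH


def evaluate(password: str, system_max_length: int, last_changed: date, today: date,
             is_service_provider: bool, mfa_enforced: bool) -> PolicyResult:
    """Evaluate one account against the PCI DSS 4.0 parameters summarised in the text.

    `password` is the candidate value at set time (length is all that is inspected);
    `last_changed`/`today` drive the 90-day check, which applies to service providers only."""
    findings = []

    min_len = required_min_length(system_max_length)
    if len(password) < min_len:
        findings.append(f"password shorter than required minimum of {min_len} characters")

    if not mfa_enforced:
        findings.append("MFA not enforced for access into the cardholder data environment")

    if is_service_provider and (today - last_changed).days > SERVICE_PROVIDER_MAX_AGE_DAYS:
        findings.append(f"password older than {SERVICE_PROVIDER_MAX_AGE_DAYS} days (service provider)")

    return PolicyResult(ok=not findings, findings=findings)


if __name__ == "__main__":
    # Constructed sample: a compliant service-provider account on a modern system.
    good = evaluate("Tr0ub4dor&3x", 64, date(2024, 1, 1), date(2024, 2, 1), True, True)
    print("compliant:", good.ok)

    # Constructed sample: a legacy system capped at 10 characters, stale password, no MFA.
    bad = evaluate("short1!", 10, date(2024, 1, 1), date(2024, 6, 1), True, False)
    for finding in bad.findings:
        print("finding:", finding)
```

The fallback branch is the part worth reviewing carefully: it should be reached only when the system's real storage limit is below 12, not used as a convenience default.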
New requirements for third-party hosted/cloud service providers. These updates require third-party hosting sites and cloud service providers to support their customers' external penetration testing and to use intrusion-detection and/or intrusion-prevention techniques for malware mitigation.
New requirement for security awareness training. This will include training specific to threats and vulnerabilities that could impact the security of the cardholder data environment.
Best Practices for Implementing PCI DSS into Business-as-Usual Processes. The new standard updates its best practices for implementing PCI DSS and provides detailed guidance on each of the modifications introduced in the new standard.