& Incident Response (DFIR)
& Response (MDR)
- Remediation & Other Security Services
- Digital Forensics
- Contact Us
The Payment Card Industry Data Security Standard (PCI DSS) requires enterprises that store, handle, or transfer payment card data to secure cardholder data.
With the announcement of PCI DSS 4.0, many organizations wonder what needs to change with their current policies and practices and how to get started.
The information below provides a comprehensive review of the information your organization needs to know about the new PCI DSS 4.0 standard, including:
- What are the levels of PCI compliance?
- When does PCI DSS 4.0 go into effect?
- How can I ensure PCI DSS 4.0 compliance?
- What are the new PCI DSS 4.0 requirements that may affect your organization?
What is the PCI DSS Council?
The Payment Card Industry Data Security Standards (PCI DSS) Council comprises a group of financial institutions, including MasterCard, Visa Inc., American Express, JCB International, and Discover Financial Services. The goal of the council is to manage the continuing evolution of the PCI DSS. It works constantly to monitor threats and adapt the security standards accordingly. The council also supports services that drive awareness, education, and implementation of PCI DSS by security professionals and other stakeholders.
What Are the 4 Levels of PCI Compliance?
There are two types of entities required to report on PCI: service providers and merchants. PCI DSS compliance stipulations vary depending on the number of card payments a merchant processes each year. A greater volume of payments is associated with a higher level of risk for security incidents and requires more stringent regulation. In general, these levels are established by a merchant or service provider’s acquiring bank. Transaction volumes numbers are set by the card brands and are slightly different for each. A merchant’s level can also change as a result of a past data breach.
The levels of PCI compliance that apply to merchants who take card payments for a good or service are:
- Level 1: Processes more than 6 million transactions (all channels) per year or has experienced a data breach.
- Level 2: Processes 1–6 million transactions (all channels) per year.
- Level 3: Processes 20,000–1 million transactions (online) per year.
- Level 4: Processes fewer than 20,000 transactions (online) or up to 1 million transactions (regular) per year.
It should be noted that these levels reflect each brand. To reach the 6 million threshold for Level 1 requires 6 million Visa transactions. Technically, a merchant processing 3 million Visa transactions and 3.1 million Mastercard transactions would be a Level 2.
Service Providers are defined as organizations that process payments or interact with cardholder data on a merchant or service provider's behalf.
Service provider levels of PCI compliance are defined as Level 1 and Level 2.
- Level 1: This includes service providers that process 300,000+ transactions and these entities must perform an on-site assessment with a QSA using a Report on Compliance (RoC).
- Level 2: This includes service providers that process 300,000 transactions or less. These service providers do not require an on-site audit. They may self-assess using the SAQ-D for Service Providers.
When Does PCI DSS 4.0 Go Into Effect?
On March 31, 2022, the Payment Card Industry Security Standards Council released version 4.0 of its Data Security Standard (PCI DSS 4.0).
PCI DSS v4.0 includes a number of new requirements which are noted in this document as either:
- Effective immediately for all PCI DSS v4.0 assessments.
- Best practice until March 31st, 2025, which is when the new standard must be fully used during a PCI DSS assessment.
All PCI DSS v3.2.1 requirements will remain active until v3.2.1 is retired on March 31st, 2024.
How Can You Ensure PCI DSS 4.0 Compliance?
The evolving versions of the PCI DSS build upon each preceding publication. As such, you can expect that you won’t have to start from scratch when it comes to adhering to the standards, but rather tweak or add to existing processes. It’s also worth noting that merchants are not expected to comply with changes to the standards immediately and will have time to plan and implement new control measures.
The updates to PCI DSS v4.0 address evolving risks and threats to payment data and are designed to reinforce security as a continuous process. The new standard also focuses on supporting organizations using different security technologies that meet the intent of PCI DSS requirements.
There are three types of changes in the PCI standard:
- Evolving requirements which will ensure that the standard is up to date with emerging threats and technologies and changes in the payment industry.
- Clarification or guidance that updates wording, definitions, guidance, and instructions to increase understanding on a particular topic.
- Structure or format changes involve the reorganization of content, including combining, separating, and renumbering of requirements to align similar content.
What Are the New PCI DSS 4.0 Requirements That May Affect Your Organization?
PCI DSS Applicability Information. This updated section will now clarify that some PCI DSS requirements may apply for entities that do not store, process, or transmit primary account number (PAN). This may require your organization to follow PCI requirements in functions where you may not have had to previously.
Scope of PCI DSS Requirements. The PCI standard has evolved to address ever-advancing technologies and platforms in the cybersphere. This includes an updated applicability of PCI DSS requirements and an updated definition of the cardholder data environment (CDE). Additionally, the scope of the requirements will now apply to cloud and other system components.
Encrypted Cardholder Data and Impact on PCI DSS Scope. The new standard addresses the longstanding issue of the unreliable security of disc encryption and details new encryption requirements including field and column level encryption. This also includes a new sub-section on Encrypted Cardholder Data and Impact to PCI DSS Scope for Third- Party Service Providers.
Description of Timeframes Used in PCI DSS Requirements. A significant change includes a new section written to clarify frequencies and timeframes specified in PCI DSS and related expectations.
Approaches for Implementing and Validating PCI DSS. A new section on this topic will explain and illustrate the two approaches, defined and customized, for implementing and validating PCI DSS.
Enhanced testing procedures to clarify the level of validation expected for each requirement. The new standard will provide additional and enhanced testing procedures for each requirement, which your PCI assessor can outline with you in more detail.
Testing Methods for PCI DSS Requirements. In the new standard, a new section is dedicated to describing testing methods for PCI DSS Testing Procedures and the corresponding activities to be performed by the assessor.
New testing requirements and solutions for malware. New requirements will define the frequency of periodic malware scans in the entity’s targeted risk analysis as well as a new requirement for removable electronic media malware solutions.
New requirements for user access and controls. This includes an updated review methodology for all user accounts and related access privileges and updated assignment and management of all application and system accounts and related access privileges.
Password requirement changes. The new standard will require that passwords increase in length from a minimum length of seven characters to a minimum length of 12 characters (if the system does not support 12 characters, a minimum length of eight characters). Multi-factor authentication (MFA) will also now be required for all access into the cardholder data environment. For service providers, PCI DSS 4.0 now requires passwords to be changed at least once every 90 days.
New requirements for third-party hosted/cloud service providers. These updates will require third-party hosting sites or cloud service providers to support their customers for external penetration testing and use intrusion-detection and/or intrusion-prevention techniques for malware mitigation.
New requirement for security awareness training. This will include training specific to threats and vulnerabilities that could impact the security of the cardholder data environment.
Best Practices for Implementing PCI DSS into Business-as-Usual Processes. The new standard has updated its best practices for implementing PCI DSS and provides detailed updates on each of the new standard modifications.
PCI DSS 4.0: PCI Qualified Security Assessor Services (PCI QSA)
As you consider the changes required to meet the new PCI DSS 4.0 requirements, it’s best to reach out to your PCI Qualified Security Assessor (PCI QSA) for more information.
What is a Qualified Security Assessor Services (PCI QSA)?
The PCI Security Standards Council operates a program through which security companies become Qualified Security Assessors (QSAs). Organizations can hire a certified QSA as an impartial third party to assess and advise on PCI DSS compliance.
Upon assessment, the QSA can determine if all PCI requirements are met and can issue a Report on Compliance (ROC) which confirms adherence to the standards.
Why Choose Intersec Worldwide PCI QSAs?
Intersec Worldwide’s PCI QSAs differentiate themselves in the industry in several ways. Our qualified assessors have more than 15 years of experience completing PCI assessments. Additionally, our assessors have a combined background in technical applications and operational functions, allowing us to better understand the requirements.
This technical knowledge means we can interpret and apply the standards based on real-world applications and with a deep knowledge of best practices and what’s possible in your unique environment.
Our focus on hands-on observations and large sample sizes means we offer a more thorough and accurate approach to PCI compliance services.
Learn more about our PCI process here.