Credit Card Self-Assessment Questionnaire Changes

Payment Card Industry Data Security Standard version 4.0 Changes and the Impact to Self-Assessments

The new Payment Card Industry Data Security Standard (PCI DSS) compliance framework, version 4.0, introduces several changes to the Standard that affect the various Self-Assessment Questionnaires (SAQs).

It should be noted that while the biggest change in version 4.0 may be that entities now have the option of using the new customized approach instead of the defined approach, this article does not discuss the customized approach, because it is not permitted when completing a Self-Assessment Questionnaire.

In addition to the rollout of the customized approach, there are several other changes (refer to the Table below), which the PCI Security Standards Council (SSC) has categorized as follows:

  • Evolving requirements - Changes to ensure that the standard is up to date with emerging threats and technologies.
  • Clarification or guidance - Updates to wording, explanation, definition, additional guidance, and/or instruction within the introductory sections of the Report on Compliance (ROC) and to individual requirements.
  • Structural or formatting changes - Reorganization of content, including combining, separating, and renumbering of requirements to align content.

Finally, each of the 12 PCI DSS Requirements calls for the assignment of roles and responsibilities for all activities in that requirement, which impacts SAQ D.

Several changes require additional and/or enhanced security protections that impact various SAQs, such as the following:


Details for requirements noted in the table above:

  • 3.3.2 – Sensitive authentication data (SAD) storage
  • 3.5.1.2 – Disk-level encryption
  • 6.4.2 – Deploying an automated technical solution (web application firewall (WAF)) for public-facing web applications that detects and prevents web-based attacks
  • 6.4.3 – Management of all payment page scripts that are loaded and executed in the consumer’s browser
  • 8.4.2 – Implementing multi-factor authentication for all access into the CDE
  • 10.4.1.1 – Audit log reviews are automated
  • 10.7.2 – Monitoring failures in critical security controls such as firewalls, intrusion detection systems (IDS) / intrusion prevention systems (IPS), change detection solutions, antimalware, logical access controls, and physical access controls
  • 11.3.1.2 – Authenticated internal vulnerability scanning
  • 12.5.2 – Perform a formal PCI compliance scope confirmation on an annual basis
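As an added illustration of what requirement 6.4.3 asks for (this is example code, not part of the original article), the Python below checks a payment page against an inventory of authorized scripts: every script must be listed in the inventory, must carry an integrity attribute that matches the approved value, and its served content must still hash to that value. The page HTML, the inventory and the script bodies are constructed stand-ins for real fetched files.

```python
"""Audit a payment page's scripts against an authorized inventory (PCI DSS 6.4.3)."""
import base64
import hashlib
from html.parser import HTMLParser


def sri_hash(body: bytes) -> str:
    """Return the Subresource Integrity value ("sha384-<base64>") of a script body."""
    return "sha384-" + base64.b64encode(hashlib.sha384(body).digest()).decode()


# Constructed script bodies standing in for files fetched from the page's script URLs.
SCRIPT_BODIES = {
    "https://pay.example.test/js/checkout.js": b"window.checkout = function () {};",
    "https://cdn.example.test/analytics.js": b"track('pageview');",
}

# Constructed inventory: only scripts approved for the payment page, with the integrity
# value each was approved with. analytics.js is deliberately absent.
INVENTORY = {
    "https://pay.example.test/js/checkout.js": sri_hash(
        SCRIPT_BODIES["https://pay.example.test/js/checkout.js"]
    ),
}


class ScriptCollector(HTMLParser):
    """Collect (src, integrity) for every external <script> tag on the page."""

    def __init__(self):
        super().__init__()
        self.scripts = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script" and a.get("src"):
            self.scripts.append((a["src"], a.get("integrity")))


def audit_payment_page(html: str, inventory: dict, bodies: dict) -> list:
    """Return one finding per script that fails an inventory or integrity check."""
    collector = ScriptCollector()
    collector.feed(html)
    findings = []
    for src, integrity in collector.scripts:
        if src not in inventory:
            findings.append(f"{src}: not in authorized inventory")
            continue
        if not integrity:
            findings.append(f"{src}: no integrity attribute")
        elif integrity != inventory[src]:
            findings.append(f"{src}: integrity attribute does not match inventory")
        if sri_hash(bodies.get(src, b"")) != inventory[src]:
            findings.append(f"{src}: served content changed since approval")
    return findings


# Constructed payment page: one approved script with SRI, one unapproved script without.
PAGE = (
    '<script src="https://pay.example.test/js/checkout.js" integrity="%s"></script>\n'
    '<script src="https://cdn.example.test/analytics.js"></script>'
) % INVENTORY["https://pay.example.test/js/checkout.js"]
```

Running `audit_payment_page(PAGE, INVENTORY, SCRIPT_BODIES)` flags only the unlisted analytics script; changing a body in `SCRIPT_BODIES` shows how a modified script is caught even when its tag still looks correct.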

Additional Information regarding Self-Assessment Questionnaires

  • Same list of SAQs as previously available with v3.2.1 (i.e., A, A-EP, B, B-IP, C, C-VT, P2PE-HW, D for Merchants, and D for Service Providers)
  • Updated requirements in SAQs are similar to the full ROC updates
  • SAQs are not eligible for the customized approach

Timelines

Requirements that are effective immediately with any v4.0 assessment (and all assessments beginning 3/31/2024) include:

  • documenting and assigning roles and responsibilities within each respective requirement,
  • the requirement to document and confirm annually the scope of PCI compliance, and
  • the requirement for performing the target risk analysis for each requirement met with the customized approach.

We recommend beginning your assessment of the PCI DSS v4.0 framework now.

If you have any questions about this article or have questions about assessing your credit card compliance, please reach out to a RubinBrown professional.
Publish Date: 08/21/2023