The changes are minor, but need to be reviewed regardless of merchant or service provider level.
The new Payment Card Industry Data Security Standards (PCI DSS) v4.0 has been effective since March 31, 2024, with minor updates issued in PCI DSS v4.0.1 that was published on June 11, 2024. The update is designed to improve security for payment card transactions, safeguarding sensitive information, maintaining trust in electronic payment systems, and reducing the likelihood of a data breach. The new technical security requirements in v4.0 are currently recommended as a best practice for now and not required to be in place until March 31, 2025. Note that the latest revision v4.0.1 has no additional or deleted requirements. PCI DSS v4.0 will be retired on December 31, 2024, and at that point forward, the only active version supported by the PCI Security Standards Council (PCI SSC) will be v4.0.1.
We have previously provided Insight articles intended to assist in your understanding of the changes, the timelines, and their effects on PCI compliance. As we have now passed the effective date for the requirements, we will summarize these changes for you and encourage you to communicate and carefully coordinate with your Qualified Security Assessor (QSA). It is important to communicate regularly with your QSA to ensure updates and changes to your overall security posture including administrative, technical, and physical security controls are implemented accordingly to meet the PCI requirements.
The new customized approach versus the defined approach to compliance with PCI DSS v4.0.1
The customized approach allows flexibility for the entity by being able to select which PCI requirements the entity desires to customize and requires additional documentation and a risk analysis for each customized approach. It should be noted that compensating controls are not allowed for achieving PCI requirements using the customized approach.
Evolving requirements make up of several changes that require additional and/or enhanced security protections, including defining the roles and responsibilities of the entity’s user accounts, additional encryption requirements, implementing an automated technical solution (web application firewall (WAF)) for public-facing web applications, management of all payment page scripts that are loaded and executed in the consumer’s browser, implementing multi-factor authentication for all access into the CDE, automating the audit log review process, monitoring failures in critical security controls, and authenticated internal vulnerability scanning.
Changes to the ROC template include scope exclusions, self-assessment questionnaires (SAQ) eligibility requirements, storage of SAD, managing third-party service providers, an in-scope component table, sample sets, internal vulnerability scans, and evidence tables.
Requirements that went into effect for all assessments beginning March 31, 2024 include documenting and assigning roles and responsibilities within each respective requirement, the requirement to document and confirm annually the scope of PCI compliance, and the requirement for performing the target risk analysis for each requirement met with the customized approach.
These additional requirements also change the SAQs. To comply with the updated standards, a thorough understanding of the scope of the environment and new requirements is necessary. The new customized approach is not allowable for SAQs.
If you have any inquiries regarding the content of this article or seek guidance on assessing your organization's credit card compliance, please don't hesitate to reach out to RubinBrown. We're here to provide assistance and support in navigating the intricacies of PCI DSS compliance.
Published: 09/17/2024
Readers should not act upon information presented without individual professional consultation.
Any federal tax advice contained in this communication (including any attachments): (i) is intended for your use only; (ii) is based on the accuracy and completeness of the facts you have provided us; and (iii) may not be relied upon to avoid penalties.