The newly published PCI DSS v4.0 is out and flexibility is the name of the game. The 360-page-long document details new concepts, including a new, customized approach to assessments in addition to expanded requirements.
The development of PCI DSS v4.0 was driven largely by industry feedback and is the result of 3 Requests for Comment (RFCs) on draft content, 6,000 pieces of feedback, and input from over 200 companies. Given the considerable changes, the implementation will happen iteratively over the next three years, and PCI DSS v3.2.1 will remain active for two years as organizations get familiar with the new requirements. More specifically, March 31, 2024 is when PCI DSS v3.2.1 will be retired and March 31, 2025 is when the future-dated new requirements will become effective.
The Goals of PCI DSS v4.0
The overarching theme of the new v4.0 is flexibility. As technology continues to evolve at lightning-fast speeds and processes transform in tandem, the new requirements have been issued to “ensure the standard continues to meet the security needs of the payments industry.”
One of the ways the new standard does this is by adding flexibility that supports a broader range of methodologies that are currently being employed ot achieve security. The new version also aims to promote security as a continuous – rather than static – process while also enhancing validation methods and procedures.
The Evolution of Authentication
As authentication measures have improved and morphed, v4.0 aims to provide added flexibility while also ensuring that protections remain in place even as fraud and breaches become more sophisticated. In its First Look at PCI DSS v4.0 video, the council outlines some critical points of the new requirements.
Multi-Factor Authentication
As the council notes, multi-factor authentication (MFA) is a critical data protection tool as evidenced by the frequent use of dual-factor authentication across a variety of applications many use daily. Some studies show that proper MFA use can prevent up to 99.9% of account data attacks, making it a valuable tool for security. The new version of PCI DSS requires MFA for all access to the CDE in addition to the existing MFA requirement for remote access from outside the entity’s network. These two occurrences for MFA were also the intention for v3.2.1, so clarity has been added in the new guidance in addition to new requirements for MFA system implementation.
Passwords and Passphrases
Feedback highlighted the reality that the 7-character system is no longer sufficient due ot computing power, so the password length has been increased from seven to 12 characters in v4.0. Additionally, the guidance retains the requirement to change passwords every 90 days, but only for systems that don’t have MFA (e.g. systems that are in scope for the assessment but not in the cardholder data environment).
Group, Shared, and Generic Accounts
The new guidance also provides more flexibility around group, shared, and generic accounts – the use of which was prohibited in version 3.2.1. In v4.0, these accounts can be used so long as the use is managed. Managed use calls for several elements, including a limited time frame, approval, actions attributable to individuals, and more.
Different Methods, Same Security Objectives
Feedback from stakeholders illustrated the need to meet the security objectives of the requirements using new and innovative technologies, prompting the council to explore additional options that organizations can use to meet PCI DSS requirements. This bore out into two validations methods for v4.0: the traditional method (defined approach) and a new method (customized approach).
The former follows the current PCI DSS requirements and testing procedures while the latter is more geared toward the objective of each PCI DSS requirement. The traditional method is optimal for entities that have security implementations already aligned with the current requirements, while the customized approach enables each entity to determine and implement controls to meet the outlined objectives.
What are your thoughts on the new requirements? If you’re looking for help digesting the new points and creating an implementation plan, contact us for a free consultation today.
