PCI DSS 4.0: what do merchants need to know?

The Payment Card Industry Data Security Standard version 4.0 (PCI DSS 4.0, or simply PCI 4.0) is the new global standard to safeguard payment account data against cyber attacks.

Issued by the PCI SSC (Security Standards Council) on March 31, 2022, PCI 4.0 supersedes the previous version, 3.2.1. After 4.0 was released, the PCI SSC announced that 3.2.1 would only remain in operation for two years, with this transitional period ending on March 31, 2024.

So if you haven’t already read up on what PCI 4.0 is, what new rules it’s introducing, and what your business needs to do to prepare for it, well – there’s no time like the present.

PCI 4.0 has 12 requirements to create and maintain a reliable and secure payment environment. But how much PCI 4.0 affects you – and what your exact responsibilities are in terms of compliance – depends on your business size, and on who’s responsible for protecting your customers’ account data: be that you, Checkout.com, or your ecommerce platform.

With the deadline for compliance fast approaching, we’re unpacking everything you need to know about PCI 4.0. What is PCI 4.0? What’s new with it? What are the 12 PCI 4.0 requirements – and how soon do you need to implement them?

Read on to find out.

What is PCI 4.0?

PCI 4.0 is the latest version of PCI DSS: a set of security standards all merchants accepting credit and debit card payments must adhere to.

These regulations provide a framework for businesses to follow to safeguard sensitive cardholder data, and ensure the efficient, error-free handling of card payment transactions. This helps protect both your customers and your company from online thieves, hackers, and fraudsters; and that goes not only for your business’s finances, but its reputation, too.

We won’t go into detail about what PCI DSS is, or its more general requirements – we do that in much greater detail in our comprehensive, merchant-focused guide to PCI compliance.

Here, we’re focused only on PCI 4.0, what’s new about it, and what it means for your business.

What’s new in PCI 4.0?

Informed by more than 6,000 pieces of feedback from 2,000+ organizations, PCI 4.0’s goal is to meet the changing security needs of businesses in a space where both technology and cyber threats are evolving at an ever-increasing pace.

So what’s new in PCI 4.0? Let’s take a look at just a few of the recent tweaks:

• PCI 4.0 enables custom implementation, giving your organization license to innovate in how you apply technology to achieve PCI compliance. This allows you to take a more flexible approach in adhering to PCI standards – providing you’re able to demonstrate that your business has coherent and cohesive compliance strategies.
• PCI 4.0 requires you to address all security vulnerabilities – not only the critical and high-risk ones mandated in version 3.2.1. This tweak is being introduced, in part, due to the ever-more-sophisticated nature of cyber attacks: which are exploiting increasingly minor systemic weaknesses to steal cardholder data and breach defenses.
• PCI 4.0 requires you to scan all USBs, external hard drives, and all other removable media with malware detection software. This is in response to, and to mitigate the impact of, a rising tide of malware- and ransomware-related attacks.
• PCI 4.0 mandates the use of multi-factor authentication to access cardholder data environments (CDE). This helps safeguard your business against account takeover attacks; and, should one of your employees fall prey to a social engineering attack, helps prevent cybercriminals from then successfully gaining access to your systems.
• PCI 4.0 demands more specific and frequent cyber security awareness training for your staff. You’ll need to provide training for your team every year – at least – and review this training material every 12 months. PCI 4.0 also provides guidelines around the topics you need to educate your employees around: name-checking phishing attacks and social engineering schemes specifically.
• PCI 4.0 requires you to increase the length of your passwords from a minimum of seven characters (in PCI 3.2.1) to a minimum of 12 characters. (Providing your system permits this, that is; otherwise, it’s a minimum of eight characters.)

We should note here that, while we’ve provided a top-level roundup of the key changes PCI 4.0 is introducing here, this list is by no means exhaustive. However, such an exhaustive – perhaps even a little exhausting – take does exist. Produced by PCI SSC, it’s called the Summary of Changes, and you can download all 36 pages of it from the PCI SSC website.

When does PCI 4.0 come into effect?

PCI 4.0 comes into effect on 1 April 2024, when it will become the only active PCI standard.

This represents two years after the standard was first announced, and marks the end of the transitional period away from the previous version, 3.2.1 – which, as of 31 March 2024, will be officially retired. This means that, as of 1 April 2024, you’ll need to ensure your business is compliant to the latest standard, 4.0 – not the one you’ve been used to complying with prior.

When to implement the PCI 4.0 requirements?

From 1 April 2024, PCI 4.0 compliance is mandatory – period.

However, the PCI SSC is offering a little leeway with some of the new requirements 4.0 introduces – particularly ones involving the addition of new technology or technical processes. 

As a result, you’ll have an extra year – until 31 March 2025 – to get your business compliant with these temporarily exempt PCI 4.0 requirements, of which there are almost 60.

Up until then, adopting these updated requirements isn’t mandatory, but instead simply ‘best practice’. This is good news for merchants, as it gives you a little more time to get to grips with the more technically demanding requirements PCI 4.0 ushers in. However, just because you have that extra time, it doesn’t mean you need to use it; and, when it comes to PCI compliance, the sooner you can get it done, the better.

Learn more: Opportunities presented by PCI DSS 4.0

The 12 PCI 4.0 requirements

Below, we lay out the 12 PCI 4.0 requirements. These maintain – and, in some areas, build on – the previous version of PCI, 3.2.1. They provide specific advice around the security strategies and processes your business must follow to stay PCI 4.0-compliant (assuming that these PCI responsibilities fall on you, and not your payment service provider or ecommerce platform).

Again, this list won’t (and can’t) cover each requirement in explicit detail. For that, we recommend visiting the PCI SSC website, or exploring the Summary of Changes document we’ve linked to above.

PCI 4.0 requirement 1: Establish and maintain network security controls

PCI SSC has always laid out specific requirements around installing and managing a network firewall. Firewalls monitor and control incoming and outgoing network traffic, based on predetermined security rules, to safeguard your cardholder data environment from unauthorized access. (You’ll need strong ones in place if you’re handling cardholder data.)

With PCI 4.0’s introduction, however, there’s been a pivot away from firewalls and routers, and more toward what the guidelines call network security controls (NSC).

Ultimately, though, this semantic switch feels more incidental than instrumental. Its main goal is to give your organization more freedom in how you configure and manage your security setup to protect cardholder data from outside threats and untrusted networks – and firewalls are still an excellent, and highly effective, way of doing that.

PCI 4.0 requirement 2: Don’t rely on default settings

When it comes to the vendor-supplied default settings – be they for network devices, applications, servers, firewalls, routers, or any software your business relies on – PCI 4.0 guidelines dictate that you should always change these to your own, stronger, alternatives.

Why? Because these products tend to come with weak, predictable, easily guessable passwords as standard – and that’s not good.

The revised PCI 4.0 guidelines again tweak the focus slightly (this time away from vendor-supplied defaults, and toward ‘secure configurations’) but it amounts to a similar thing.

PCI 4.0 requirement 3: Protect stored account and cardholder data

The third PCI 4.0 requirement is a crucial one, and centers around how you safeguard any account or cardholder data in your possession.

Of course, this won’t always apply to your business. If you process credit and debit card transactions through a payment service provider such as Checkout.com, for example, we’ll store that information for you – easing the heavier portions of your PCI 4.0 compliance burden.

But if you do store account and cardholder data, PCI 4.0 mandates that you algorithmically encrypt this data, and regularly scan it to make sure it stays this way. Of particular importance is protecting the PAN (primary account number), which is the number in front of the customer’s credit or debit card. There are several effective strategies – such as tokenization, which replaces the PAN with a random alphanumeric chain – to help you achieve this.

PCI 4.0 requirement 4: Encrypt cardholder data in the payment process

Just as PCI 4.0 requires you to safeguard cardholder data when it’s in storage, these guidelines also mandate this data’s encryption when it’s in use, too. (For instance, when you’re using saved PANs to bill a customer for a recurring service, like a subscription or membership.) This is especially important considering that hackers love to target in-motion data, as there are more links in the chain of transmission to identify and exploit.

Again, payment tokenization is an excellent way to ensure that cardholder data stays safe when it’s in use – especially with PCI 4.0 calling for “strong cryptography” of transmitted data.

PCI 4.0 requirement 5: Improve and update your malware protection

The fifth PCI 4.0 requirement is all about protecting your business’s systems and networks from malicious software. This has always been a facet of PCI, but the newest version allows scope for your organization to adopt more advanced, emerging technologies – such as artificial intelligence (AI)- and machine learning (ML)-based threat prevention tools – into your defense.

This requirement comes as a response to the increasing threat of malware (which was identified, by 2,300 cybersecurity decision-makers from large organizations, as the single greatest cyber threat) in 2024. In addition to installing reputable anti-malware software, PCI 4.0 mandates that you also keep it regularly updated and maintained to a high standard.

PCI 4.0 requirement 6: Keep your apps updated and maintained

The sixth PCI 4.0 mandate – which does have some overlap between several of the other requirements here – is all about securing your systems and software. (Think firewalls, antivirus software, POS systems – the lot.) PCI 4.0 best practice also requires you to keep the security settings of all your software and hardware regularly updated with the latest patches and fixes, and keep up-to-date documentation around your security- and systems-hardening processes.

With the expanded focus of PCI 4.0, though, requirement 6 now covers not only your business’s applications, but all software involved in the payments process.

Part of this includes:

• Keeping and maintaining an inventory of any bespoke or custom software you use
• Using Web Application Firewalls (WAF) to detect and prevent web-based attacks
• Managing scripts loaded and executed on account holders’ browsers

Again, we don’t want to get into too much detail here – remember, the PCI SSC’s website is the best place to go for that.

For a top-level summary of the remaining 12 PCI 4.0 requirements, though, read on.

PCI 4.0 requirement 7: Limit who has access to cardholder data

If the other PCI guidelines monitor what information you’re storing or how you’re storing it, requirement 7 looks at who has access to your organization’s sensitive cardholder data.

PCI 4.0 mandates that your business must have the ability to allow or deny access to this data based on individual permissions and roles within your organization.

Essentially, it states that cardholder data can only be accessed on a ‘need-to-know’ basis – not by every employee who feels like taking a peek. (This holds for both digital and physical access, too – for more details on the latter, scroll down to requirement 9.)

What’s more, PCI 4.0 introduced the requirement for an ongoing account and access review process, meaning you need to evaluate (and, if necessary, update) user roles and permissions every six months; and grant access only on a ‘least privilege’ basis. (This ensures that users with access to cardholder data have only the minimum amount of access required to do their job, and no more.) 

PCI 4.0 requirement 8: Identify and authenticate users

The eighth PCI 4.0 guideline requires that all users with access to cardholder data have their own unique, individual passwords and usernames to get in. This serves a dual purpose: safeguarding this data from external hackers, while making it possible to trace any activity back to the user who accessed it – knowledge which is vital in the case of an internal breach.

PCI 4.0 tweaked the rules around requirement 8 significantly, with the biggest change around password-setting. Under PCI 4.0, user passwords must be a minimum of 12 characters, and passwords for application and system accounts must be changed as often as a targeted risk assessment deems fit. (The change frequency is linked to password complexity: shorter passwords will require more frequent changes; more complex passwords will need fewer.)

The other key change PCI 4.0 is mandating to requirement 8 is that organizations must now implement multi-factor authentication for all users with access to cardholder data – not just administrators. PCI 4.0 also requires MFA systems to be attack-resistant, and for businesses to maintain strict control over administrative overrides.

PCI 4.0 requirement 9: Restrict physical access to cardholder data

PCI 4.0 compliance requires you to manage employee access to cardholder data not only on a digital basis, but on a physical one – preventing unauthorized access to paper files, work stations, or servers that store or transmit sensitive information. You can do this through an access control system in your building, and by ensuring sufficient CCTV coverage of key areas.

The only new requirement PCI 4.0 adds here is for a periodic review of your business’s point of sale (POS) devices, based on a targeted risk analysis. PCI 4.0 also clears up some of the language around the three physical areas requirement 9 covers: sensitive, CDE, and facilities.

PCI 4.0 requirement 10: Log and monitor all system access

This PCI 4.0 requirement requires you to log your network resources and cardholder data: keeping accurate records of every time someone at your organization accesses this information.

Doing this properly also helps you maintain accurate documentation around sensitive data: including why and how it’s being handled, and where it’s being stored and sent to.

Under PCI 4.0, organizations must:

• Conduct automated log reviews, and – as a best practice – deliver a daily report to their SecOps or InfoSec team.
• Detect and alert security personnel for critical control system failures, such as a loss of network connectivity, and promptly manage these failures when they occur.

PCI 4.0 requirement 11: Test the security of your systems and networks

Under PCI 4.0, regular testing of your processes, networks, and systems – which you can achieve through techniques like vulnerability testing and penetration testing – is vital.

You’ll also need to conduct regular wireless analyzer scanning – typically on a quarterly basis – and to have a PCI-Approved Scanning Vendor (ASV) to conduct checks on your external IPs and domains. On top of identifying these vulnerabilities or leaks in your existing security setup, you’ll also be responsible for addressing them. This will help ensure your systems stay secure – and that you’re doing your bit to protect your customers’ data.

PCI 4.0 requirement 12: Prioritize information security

The final PCI 4.0 requirement calls for your organization to develop and maintain an information security (infosec) policy. Aim to review this manually going forward, and to encourage buy-in from employees, management, and any third parties it’ll be relevant to.

As per the latest changes PCI 4.0 is introducing, you’ll also need to review and update your security awareness program every 12 months. This includes incorporating new content to cover the latest threats and vulnerabilities, and ensuring your team knows how to detect, react to, and report potential cyber attacks. You’ll also need to shore up your incident response procedures to make sure your team can react quickly and correctly in case of PAN exposure.

How does Checkout.com manage PCI DSS 4.0 compliance?

Regardless of your responsibilities, you must review and validate your PCI DSS certification once a year. Qualified Security Assessors (QSAs) are independent individuals and organizations approved by the PCI Security Standards Council that validate your PCI DSS compliance, help you choose the right PCI 4.0 self-assessment questionnaire (SAQ) for your business, and support you through the entire process.

Checkout.com partners with SecurityMetrics, a QSA company, to help merchants with PCI DSS compliance. SecurityMetrics will contact you annually for review and validation if you’ve chosen to use them during your application.

SecurityMetrics is best equipped to answer specific questions about your scope of compliance. For the best way to contact SecurityMetrics, visit their website.