The Payment Card Industry Data Security Standard version 4.0 (PCI DSS 4.0) is the new global standard to protect payment account data against cyber-attacks.
PCI DSS has 12 requirements to create and maintain a reliable and secure payment environment. How much PCI DSS 4.0 affects you depends on your business size and whether you, Checkout.com, or your ecommerce platform is responsible for protecting your customers’ account data.
PCI DSS 4.0's requirements to have defined roles and responsibilities for protecting account data take effect in April 2024, when version 3.2.1 is retired. Most of the new technical requirements for how businesses and PSPs handle payment account data are best practice until they take effect in April 2025.
Who is responsible for protecting payment account data?
This depends on your integration method. If you use Frames, Hosted Payment Pages, Payment Links, our Mobile SDKs, or one of our supported ecommerce platforms, Checkout.com and/or your ecommerce platform have more (but not all) responsibility for protecting this data.
You’ll see changes to your Self-Assessment Questionnaire (SAQ) because of PCI DSS 4.0, but the most significant impact will be on Checkout.com or your platform.
Checkout Technology Ltd, a company within the Checkout.com group, is a certified PCI DSS Level 1 Service Provider - the highest standard set by the payment card industry.
Using our Full Card API gives you more responsibility for account data. If you use this integration method, we strongly recommend reading the changes below in full. From April 1, 2024, your SAQ-D will begin to reflect the PCI DSS 4.0 requirements, with further changes from April 1, 2025.
How does Checkout.com manage PCI DSS compliance?
Regardless of your responsibilities, you must review and validate your PCI DSS compliance once a year. Qualified Security Assessors (QSAs) are independent individuals and organizations approved by the PCI Security Standards Council to validate PCI DSS compliance; they can also help you choose the right SAQ for your business and support you through the process.
Checkout.com partners with SecurityMetrics, a QSA company, to help merchants with PCI DSS compliance. SecurityMetrics will contact you annually for review and validation if you’ve chosen to use them during your application.
SecurityMetrics is best equipped to answer specific questions about your scope of compliance. For the best way to contact SecurityMetrics, visit their website.
What’s new in PCI 4.0?
PCI DSS 4.0 introduces a customized approach alongside the existing defined approach to validation. Under the customized approach, an organization designs its own controls to meet a requirement's stated objective and justifies them with a targeted risk analysis. Targeted risk analysis is also used within the defined approach to set how often certain periodic activities are performed.
There are more stringent requirements for security approaches, such as those around account data encryption, use of security software and hardware, training of personnel, and incident response.
Finally, there are new definitions. If you’re familiar with PCI DSS terminology, you may have noticed that this article talks about account data instead of cardholder data. Account data covers both cardholder data and sensitive authentication data, and PCI DSS 4.0 uses the broader term throughout, although some requirements are still specific to card details.
What to do if you use our Full Card API
If you use our Full Card API, you should begin assessing the requirements now. The sooner you understand what PCI DSS 4.0 means for your business, the sooner you can plan and prioritize the work.
Understand the version 4.0 requirements, map them against your current security controls, and analyze how they’ll affect your business. You might already meet some 4.0 requirements, so prioritize efforts where they are most needed.
You could consider transitioning to the customized approach, with some security controls and reviews defined by targeted risk analysis. If you want to transition, you should understand what’s needed and verify that you meet the new requirements.
Here’s the detail of what’s coming in PCI DSS 4.0. This list is not exhaustive, and we recommend reading the new standard in full and speaking to your QSA if you need more information about how the changes affect you.
Requirement 1: Install and maintain network security controls
The requirement now refers to Network Security Controls (NSCs) instead of firewalls and routers, so that it also covers modern equivalents such as cloud security groups and virtualized or software-defined network controls.
Requirement 2: Apply secure configurations to all system components
PCI DSS 4.0 focuses on maintaining secure configurations, not only on changing vendor-supplied defaults.
Requirement 3: Protect stored account data
Here, PCI DSS 4.0 introduces new requirements, focusing on account data instead of cardholder data. The new requirements mean that merchants, ecommerce platforms, and PSPs handling account data must:
Store Sensitive Authentication Data (SAD) only before authorization is complete, never after it, and cover any pre-authorization SAD under their data retention and disposal policies (best practice until 2025).
Encrypt any SAD stored before authorization with strong cryptography. This applies equally to users of cloud-based APIs: the SAD you hold before authorization must be encrypted and covered by the same retention and disposal policies (best practice until 2025).
Have technical controls for remote technologies like VPN, SSH, Remote Desktop, etc., to prevent users from copying or relocating PANs (best practice until 2025).
Where hashing is used to render PANs unreadable, use a keyed cryptographic hash (for example, an HMAC) of the entire PAN, with the key managed under a PCI DSS-compliant key management process. An unkeyed hash of a PAN can be brute-forced from the BIN and last four digits alone (best practice until 2025).
Render PANs unreadable on non-removable media with one of the permitted methods: a keyed hash of the entire PAN, truncation, index tokens, or strong cryptography with key management. Disk-level or partition-level encryption alone (for example, workstation or server full-disk encryption) no longer counts for non-removable media and must be combined with one of those methods; on its own it remains acceptable only for removable media such as flash drives or external hard drives (best practice until 2025).
Additionally, the wording on Primary Account Number (PAN) masking is clarified: at most the Bank Identification Number (BIN), meaning the first six or eight digits, and the last four digits may be displayed.
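The keyed-hash and masking points above, as an added example that is not Checkout.com code: it shows why an unkeyed hash of a PAN is recoverable from the masked value a screen is allowed to display, and why a keyed hash is not. The PAN is a well-known test number, and the HMAC key is assumed to be held in an HSM or KMS under Requirements 3.6 and 3.7 rather than generated in the application as it is here.

```python
import hashlib
import hmac
import itertools
import secrets
from typing import Callable, Optional

# Constructed test PAN: a well-known test number, not a live account.
SAMPLE_PAN = "4111111111111111"


def mask_pan(pan: str, bin_length: int = 6) -> str:
    """Mask to at most BIN + last four (Requirement 3.4.1).

    bin_length is 6, or 8 for an eight-digit BIN; every digit in between is
    replaced so the masked value reveals nothing more than the rule allows.
    """
    if bin_length not in (6, 8) or len(pan) < bin_length + 4:
        raise ValueError("PAN too short for the requested BIN length")
    hidden = len(pan) - bin_length - 4
    return pan[:bin_length] + "*" * hidden + pan[-4:]


def unkeyed_hash(pan: str) -> str:
    """Plain SHA-256 of the PAN: no longer acceptable on its own under 3.5.1."""
    return hashlib.sha256(pan.encode("ascii")).hexdigest()


def keyed_hash(pan: str, key: bytes) -> str:
    """HMAC-SHA256 over the entire PAN (3.5.1.1).

    The key is assumed to come from an HSM/KMS and to be managed under
    Requirements 3.6 and 3.7; it must never be stored next to the hashes.
    """
    if len(key) < 32:
        raise ValueError("HMAC key must be at least 256 bits")
    return hmac.new(key, pan.encode("ascii"), hashlib.sha256).hexdigest()


def recover_pan(masked: str, stored_hash: str,
                hash_fn: Callable[[str], str]) -> Optional[str]:
    """The attacker's view: given a masked PAN and a stored hash, enumerate
    the hidden digits and return the PAN whose hash matches, or None.
    With a 6-digit BIN there are only 10**6 candidates to try."""
    if "*" not in masked:
        return masked if hmac.compare_digest(hash_fn(masked), stored_hash) else None
    start = masked.index("*")
    hidden = masked.count("*")
    prefix, suffix = masked[:start], masked[start + hidden:]
    for digits in itertools.product("0123456789", repeat=hidden):
        candidate = prefix + "".join(digits) + suffix
        if hmac.compare_digest(hash_fn(candidate), stored_hash):
            return candidate
    return None


if __name__ == "__main__":
    masked = mask_pan(SAMPLE_PAN)  # 411111******1111
    print("masked:", masked)
    # Unkeyed: the masked value plus the stored hash gives the PAN back.
    print("recovered from SHA-256:",
          recover_pan(masked, unkeyed_hash(SAMPLE_PAN), unkeyed_hash))
    # Keyed: without the key the same search over 10**6 candidates finds nothing.
    key = secrets.token_bytes(32)  # stands in for a KMS-held key
    print("recovered from HMAC:",
          recover_pan(masked, keyed_hash(SAMPLE_PAN, key), unkeyed_hash))
```

The search is fast because masking and hashing leak complementary information: the mask reveals the BIN and last four, and an unkeyed hash lets anyone check a guess for the rest. A keyed hash removes the second half of that, provided the key is never stored with the hashed data.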
Requirement 4: Protect account data with strong cryptography during transmission over open, public networks
PCI DSS 4.0 focuses on using strong cryptography to protect data transmission. The new requirements mean that merchants, ecommerce platforms, and PSPs handling account data must:
Use valid certificates to send PANs over open or public networks. These must not be expired or revoked (best practice until 2025).
Keep an inventory of trusted keys and certificates to ensure these are valid and have not expired (best practice until 2025).
Requirement 5: Protect all systems and networks from malicious software
PCI DSS 4.0 aims to protect all systems and networks from malicious software, and its wording now allows a broader range of anti-malware technologies than signature-based antivirus, including host-based behavioral and machine-learning detection.
The new requirements mean that merchants, ecommerce platforms, and PSPs handling account data can:
Define, through targeted risk analysis, how often to re-evaluate systems they have judged not to be at risk from malware, if they don’t deploy anti-malware on every system component (best practice until 2025).
Define the frequency of periodic malware scans through targeted risk analysis, documenting the reasoning for the chosen interval (best practice until 2025).
Additionally, they must:
Either scan removable electronic media with anti-malware when it is inserted, connected, or mounted, or perform continuous behavioral analysis of systems and processes while the media is in use (best practice until 2025).
Introduce processes and automated mechanisms to detect and protect personnel against email phishing, including email authentication with SPF, DKIM, and DMARC (best practice until 2025).
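An added example, not Checkout.com code, of the kind of check behind the SPF/DKIM/DMARC point above: it parses the three DNS TXT records for a sending domain and flags configurations that leave the domain spoofable. The records are constructed for two fictional domains and looked up from a dictionary; in practice you would resolve them with a DNS library, and the DKIM selector names (here only "default") come from your mail platform because selectors cannot be enumerated.

```python
from typing import Callable, Dict, List, Optional

# Constructed DNS TXT records for two fictional domains (not real zones).
CONSTRUCTED_DNS: Dict[str, str] = {
    "example.test": "v=spf1 ip4:192.0.2.0/24 include:_spf.example.test -all",
    "_dmarc.example.test": "v=DMARC1; p=reject; sp=reject; pct=100; rua=mailto:dmarc@example.test",
    "default._domainkey.example.test": "v=DKIM1; k=rsa; p=MIIBIjANBgkq",  # truncated placeholder key
    "weak.test": ("v=spf1 include:a.test include:b.test include:c.test include:d.test "
                  "include:e.test include:f.test include:g.test include:h.test "
                  "include:i.test include:j.test include:k.test +all"),
    "_dmarc.weak.test": "v=DMARC1; p=none; pct=50",
    "default._domainkey.weak.test": "v=DKIM1; k=rsa; p=",
}


def lookup_txt(name: str) -> Optional[str]:
    """Stand-in for a DNS TXT query against the constructed zone above."""
    return CONSTRUCTED_DNS.get(name)


def parse_tags(txt: str) -> Dict[str, str]:
    """Split a 'k=v; k=v' record (DMARC and DKIM syntax) into a dict."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def assess_spf(txt: Optional[str]) -> List[str]:
    if not txt or not txt.lower().startswith("v=spf1"):
        return ["SPF: no v=spf1 record; receivers cannot reject forged envelope senders"]
    findings = []
    terms = txt.split()[1:]
    # Mechanisms that need a DNS lookup are capped at 10 (RFC 7208 4.6.4);
    # beyond that receivers return permerror and SPF is effectively off.
    lookups = 0
    for term in terms:
        t = term.lstrip("+-~?").lower()
        if (t.startswith(("include:", "exists:", "redirect=", "ptr", "a:", "mx:", "a/", "mx/"))
                or t in ("a", "mx")):
            lookups += 1
    if lookups > 10:
        findings.append(f"SPF: {lookups} DNS-lookup mechanisms exceeds the limit of 10 (permerror)")
    last = terms[-1].lower() if terms else ""
    if last in ("+all", "all"):
        findings.append("SPF: '+all' authorizes every host on the internet to send as this domain")
    elif last == "?all":
        findings.append("SPF: '?all' is neutral; receivers treat it like no SPF")
    elif last == "~all":
        findings.append("SPF: '~all' soft-fails; prefer '-all' once the sender list is complete")
    return findings


def assess_dmarc(txt: Optional[str]) -> List[str]:
    tags = parse_tags(txt) if txt else {}
    if tags.get("v", "").upper() != "DMARC1":
        return ["DMARC: no record; SPF/DKIM results are not enforced on the From: domain"]
    findings = []
    policy = tags.get("p", "none").lower()
    if policy == "none":
        findings.append("DMARC: p=none only monitors; spoofed mail is still delivered")
    elif policy == "quarantine":
        findings.append("DMARC: p=quarantine lands spoofed mail in spam; p=reject is the target")
    pct = int(tags.get("pct", "100"))
    if pct < 100:
        findings.append(f"DMARC: pct={pct} applies the policy to only {pct}% of mail")
    if "rua" not in tags:
        findings.append("DMARC: no rua= address, so aggregate reports are never received")
    return findings


def assess_dkim(txt: Optional[str], selector: str) -> List[str]:
    tags = parse_tags(txt) if txt else {}
    if tags.get("v", "").upper() != "DKIM1":
        return [f"DKIM: no record for selector '{selector}'"]
    if not tags.get("p"):
        return [f"DKIM: selector '{selector}' has an empty p= tag, so the key is revoked"]
    return []


def assess_domain(domain: str, lookup: Callable[[str], Optional[str]] = lookup_txt,
                  selectors=("default",)) -> List[str]:
    """All findings for one sending domain; an empty list means no issues found."""
    findings = assess_spf(lookup(domain)) + assess_dmarc(lookup(f"_dmarc.{domain}"))
    for selector in selectors:
        findings += assess_dkim(lookup(f"{selector}._domainkey.{domain}"), selector)
    return findings


if __name__ == "__main__":
    for domain in ("example.test", "weak.test", "nomail.test"):
        print(domain, assess_domain(domain) or ["no findings"])
```

Run the same assessment against every domain you send from, including subdomains used by marketing or ticketing platforms, since a p=none or missing DMARC record on any of them is enough for a phishing campaign to carry your name.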
Requirement 6: Develop and maintain secure systems and software
This requirement now covers all software involved in the payment process instead of just applications. The new requirements mean that merchants, ecommerce platforms, and PSPs handling account data must:
Keep and maintain an inventory of bespoke and custom software (best practice until 2025).
Use Web Application Firewalls (WAFs) or an equivalent automated technical solution in front of public-facing web applications to detect and prevent web-based attacks. The solution must be actively running, kept up to date, generate audit logs, and either block attacks or generate alerts that are promptly investigated; be ready to evidence those investigations and the audit logs during your assessment (best practice until 2025).
Manage all scripts loaded and executed in the account holder’s browser on payment pages: confirm each script is authorized, assure its integrity, and keep an inventory of scripts with a written justification for why each is necessary (best practice until 2025).
Requirement 7: Restrict access to account data by business need-to-know
The new requirements mean that merchants, ecommerce platforms, and PSPs handling account data must:
Have an ongoing account and access review process, reviewing user accounts and their access at least every six months to ensure they’re still appropriate to the user’s role, removing or adjusting anything that isn’t, and recording management’s acknowledgment that access remains appropriate (best practice until 2025).
Provide least-privilege application and system account access so that users accessing account data have the least privileges necessary for their role (best practice until 2025).
Periodically review application and system accounts. Under the customized approach, they can use targeted risk analysis to define the review frequency (best practice until 2025).
Requirement 8: Identify users and authenticate access to system components
PCI DSS 4.0 standardizes the terms for authentication factor and authentication credentials. The new requirements mean that merchants, ecommerce platforms, and PSPs handling account data must:
Require user passwords of at least 12 characters, containing both letters and numbers; systems that cannot support 12 must require at least eight, up from seven (best practice until 2025).
Use Multi-Factor Authentication (MFA) for all access into the cardholder data environment, not just for administrators. This excludes application and system accounts performing automated functions and user accounts on point-of-sale terminals that access only one card number at a time (best practice until 2025).
Ensure MFA implementations resist replay attacks, require success of all factors before granting access, and cannot be bypassed except through a documented, management-approved exception for a limited time (best practice until 2025).
Manage interactive use of application and system accounts: prevent interactive login where it isn’t needed (for example, a cloud service account that only ever uses programmatic access keys), and where it is needed, limit it to exceptional circumstances with a documented business justification, management approval, and the individual user identified (best practice until 2025).
Do not hard-code passwords or passphrases for application and system accounts in scripts, configuration files, or bespoke and custom source code (best practice until 2025).
Change passwords and passphrases for application and system accounts periodically, at a frequency set by targeted risk analysis, with complexity matched to that frequency: a long, complex password can be changed less often, a short one must be changed more often (best practice until 2025).
Requirement 9: Restrict physical access to cardholder data
PCI DSS 4.0 distinguishes three kinds of location: sensitive areas, the Cardholder Data Environment (CDE), and facilities. Each requirement now states which it covers. The only new requirement is a periodic inspection of point-of-interaction devices (such as POS terminals) for tampering or substitution, at a frequency defined by targeted risk analysis (best practice until 2025).
Requirement 10: Log and monitor all access to system components and account data
PCI DSS 4.0 replaces wording around ‘audit trails’ with ‘audit logs.’ The new requirements mean that merchants, ecommerce platforms, and PSPs handling account data must:
Use automated mechanisms to perform audit log reviews. As a good practice, have the output delivered as a daily report to the SecOps/InfoSec team (best practice until 2025).
Detect and alert security personnel promptly when critical security control systems fail, for example when network security controls, intrusion detection, anti-malware, or logging lose connectivity or go offline, along with any other failures defined for the data handler’s particular environment (best practice until 2025).
Respond promptly to failures of critical security control systems: restore the function, identify and address any issues that arose during the failure, and document the cause and remediation (best practice until 2025).
PCI DSS 4.0 allows for periodic log reviews for lower-risk components, defined by targeted risk analysis. Lower-risk system groups must have valid and justified reasoning for their grouping (best practice until 2025).
Requirement 11: Test the security of systems and networks regularly
The new requirements mean that merchants, ecommerce platforms, and PSPs handling account data must:
Assess non-critical vulnerabilities identified in scans periodically, with the frequency defined in targeted risk analysis, and address them within a defined and documented period (best practice until 2025).
Conduct authenticated internal vulnerability scanning, where the scanner logs in to the systems it scans to perform deeper checks. Scanning credentials must be documented and have sufficient privilege, the scanning accounts must be managed like any other account with access to account data, and any systems that cannot accept credentials must be documented (best practice until 2025).
Deploy a change- and tamper-detection mechanism on payment pages that alerts personnel to unauthorized modification of the HTTP headers and page content that consumer browsers receive, to catch skimming attacks. The mechanism must evaluate the page at least weekly, or at a frequency defined by targeted risk analysis (best practice until 2025).
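The script-inventory point under Requirement 6 and the payment-page tamper detection just described share one mechanism, so here is one added example that is not Checkout.com code and covers both. It keeps an approved inventory of payment-page scripts with Subresource Integrity digests, emits the script tag the browser enforces, and compares a fetched copy of the page (scripts and response headers) against the inventory and a header baseline. The URLs, script bodies, headers, and change-control references are all constructed; a real deployment would fetch the page from outside the environment the way a customer's browser does.

```python
import base64
import hashlib
from typing import Dict, List


def sri_digest(content: bytes) -> str:
    """Subresource Integrity value for a script body: sha384, base64-encoded."""
    return "sha384-" + base64.b64encode(hashlib.sha384(content).digest()).decode("ascii")


# Constructed script bodies standing in for the real files.
CHECKOUT_JS = b"window.Checkout = { init: function (opts) { /* card capture */ } };\n"
ANALYTICS_JS = b"window.dataLayer = window.dataLayer || [];\n"
SKIMMER_JS = b"document.addEventListener('submit', function (e) { /* exfiltrate */ });\n"

# Approved script inventory for the payment page (Requirement 6.4.3): URL,
# purpose, change-control reference, and the digest the browser should enforce.
INVENTORY: Dict[str, Dict[str, str]] = {
    "https://pay.example.test/checkout.js": {
        "purpose": "card capture", "approved_by": "CHG-1042",
        "integrity": sri_digest(CHECKOUT_JS)},
    "https://tags.example.test/analytics.js": {
        "purpose": "page analytics", "approved_by": "CHG-0977",
        "integrity": sri_digest(ANALYTICS_JS)},
}

# Headers the page is known to send; any drift is reportable under 11.6.1.
BASELINE_HEADERS: Dict[str, str] = {
    "content-security-policy":
        "default-src 'self'; script-src 'self' https://pay.example.test https://tags.example.test",
    "x-frame-options": "DENY",
}


def script_tag(url: str) -> str:
    """Emit the <script> tag carrying the inventory digest, so the browser
    itself refuses a modified file (6.4.3 integrity assurance)."""
    entry = INVENTORY[url]
    return (f'<script src="{url}" integrity="{entry["integrity"]}" '
            f'crossorigin="anonymous"></script>')


def check_payment_page(observed_scripts: Dict[str, bytes],
                       observed_headers: Dict[str, str]) -> List[str]:
    """Compare what a consumer browser received with the inventory and the
    header baseline (11.6.1). Returns findings; an empty list means clean."""
    findings: List[str] = []
    for url, body in observed_scripts.items():
        entry = INVENTORY.get(url)
        if entry is None:
            findings.append(f"unauthorized script: {url}")
        elif sri_digest(body) != entry["integrity"]:
            findings.append(f"integrity mismatch: {url}")
    for url in INVENTORY:
        if url not in observed_scripts:
            findings.append(f"expected script missing: {url}")
    headers = {k.lower(): v for k, v in observed_headers.items()}
    for name, expected in BASELINE_HEADERS.items():
        actual = headers.get(name)
        if actual is None:
            findings.append(f"header missing: {name}")
        elif actual != expected:
            findings.append(f"header changed: {name}")
    return findings


# Constructed observations: a clean fetch and a skimmed one.
CLEAN_SCRIPTS = {
    "https://pay.example.test/checkout.js": CHECKOUT_JS,
    "https://tags.example.test/analytics.js": ANALYTICS_JS,
}
CLEAN_HEADERS = {"Content-Security-Policy": BASELINE_HEADERS["content-security-policy"],
                 "X-Frame-Options": "DENY"}
TAMPERED_SCRIPTS = {
    "https://pay.example.test/checkout.js": CHECKOUT_JS,
    "https://tags.example.test/analytics.js": ANALYTICS_JS + SKIMMER_JS,
    "https://cdn.attacker.test/skim.js": SKIMMER_JS,
}
TAMPERED_HEADERS = {"Content-Security-Policy":
                    BASELINE_HEADERS["content-security-policy"] + " https://cdn.attacker.test"}

if __name__ == "__main__":
    print(script_tag("https://pay.example.test/checkout.js"))
    print("clean fetch:", check_payment_page(CLEAN_SCRIPTS, CLEAN_HEADERS))
    for finding in check_payment_page(TAMPERED_SCRIPTS, TAMPERED_HEADERS):
        print("ALERT:", finding)
```

Every finding this check produces is an input to the incident response plan under Requirement 12: a changed Content-Security-Policy or an unknown script on a payment page is treated as suspected skimming until shown otherwise.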
Requirement 12: Support information security with organizational policies and programs
PCI DSS 4.0 reinforces continuous processes around information security. The new requirements mean that merchants, ecommerce platforms, and PSPs handling account data must:
Perform a targeted risk analysis for every requirement that lets them define the frequency of an activity, as noted above (best practice until 2025).
Perform a targeted risk analysis for each customized approach. This is new in PCI DSS 4.0 and differs from a compensating control: a compensating control covers a requirement you cannot meet as written, while the customized approach lets you define how you meet the requirement’s objective (effective immediately).
Maintain an inventory of cryptographic cipher suites and protocols. This must include suites and protocols in use, their purpose, and how they’re used. They must monitor and address known cipher suite and protocol vulnerabilities (best practice until 2025).
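An added example, not Checkout.com code, of producing the cipher suite and protocol inventory described above from a TLS client configuration. It builds a hardened Python `ssl` context, lists every suite it can negotiate along with a purpose and a status, and classifies suites by name so that the same function can also be run over a server's cipher list or a scan result. The purpose string and the classification thresholds (no forward secrecy or non-AEAD modes count as legacy; RC4, DES/3DES, MD5, NULL, export and anonymous suites count as weak) are this example's own choices.

```python
import ssl
from typing import Dict, List, Tuple

# Substrings of an OpenSSL cipher name that mark it as weak or obsolete.
WEAK_MARKERS = ("RC4", "DES", "MD5", "NULL", "EXP", "ADH", "AECDH")
AEAD_MARKERS = ("GCM", "CHACHA20", "CCM")


def classify(name: str) -> Tuple[str, str]:
    """Return (status, reason) for a suite name: 'weak', 'legacy' or 'modern'."""
    u = name.upper()
    for marker in WEAK_MARKERS:
        if marker in u:
            return "weak", f"uses {marker}"
    # TLS 1.3 names (TLS_...) always use ephemeral key exchange.
    if not u.startswith(("ECDHE", "DHE", "TLS_")):
        return "legacy", "no forward secrecy (no ephemeral key exchange)"
    if not any(m in u for m in AEAD_MARKERS):
        return "legacy", "CBC with HMAC rather than an AEAD mode"
    return "modern", "ephemeral key exchange with an AEAD cipher"


def hardened_context() -> ssl.SSLContext:
    """Client context restricted to TLS 1.2+ and AEAD suites with forward secrecy."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # This sets the TLS 1.2 list; OpenSSL keeps the TLS 1.3 suites separate
    # and enables them by default.
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20")
    return ctx


def protocol_range(ctx: ssl.SSLContext) -> Dict[str, str]:
    """The protocol versions the context will negotiate."""
    return {"minimum": ctx.minimum_version.name, "maximum": ctx.maximum_version.name}


def inventory(ctx: ssl.SSLContext, purpose: str) -> List[Dict[str, object]]:
    """One inventory row per negotiable suite, tagged with where it is used."""
    rows: List[Dict[str, object]] = []
    for cipher in ctx.get_ciphers():
        status, reason = classify(cipher["name"])
        rows.append({
            "purpose": purpose,
            "name": cipher["name"],
            "key_exchange": cipher.get("kea"),
            "auth": cipher.get("auth"),
            "bits": cipher.get("strength_bits"),
            "status": status,
            "reason": reason,
        })
    return rows


if __name__ == "__main__":
    ctx = hardened_context()
    print("protocols:", protocol_range(ctx))
    for row in inventory(ctx, "egress to PSP API"):
        print(f'{row["status"]:7} {row["name"]:32} {row["reason"]}')
    # The classifier on names from an older configuration:
    for legacy in ("AES128-SHA", "ECDHE-RSA-AES256-SHA384", "ECDHE-RSA-DES-CBC3-SHA", "RC4-SHA"):
        print(f"{legacy:28} -> {classify(legacy)}")
```

Keep one such table per TLS endpoint (inbound listeners and outbound API clients alike) and re-run it whenever the TLS library or its configuration changes; the "weak" and "legacy" rows are the list you monitor for published vulnerabilities and plan to retire.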
Keep hardware and software technologies in their PCI DSS inventories and review them every 12 months. They must use this inventory on an ongoing basis to identify vulnerabilities and hardware and software approaching end-of-life, and document plans to address end-of-life (best practice until 2025).
Validate their PCI scope every 12 months or on significant changes to the environment (effective immediately).
Review and update their security awareness program every 12 months to ensure it’s current. Updated content should cover new threats and vulnerabilities affecting the cardholder data environment so that personnel know their roles in protecting cardholder data (best practice until 2025).
Include threats and vulnerabilities that affect cardholder data environment security in training, including the most common attacks – phishing and social engineering. Personnel should know how to detect, react to, and report potential attacks (best practice until 2025).
Make clear in training the responsibilities users have under the acceptable use policy (best practice until 2025).
Include alerts from the payment page change- and tamper-detection mechanism in their incident response plan, and remediate the page when tampering is detected (best practice until 2025).
Have incident response procedures for PANs detected anywhere they are not expected. Define where PAN is expected to be stored, monitor the rest of the environment for it, and document how unexpected PAN is detected, contained, and its source addressed (best practice until 2025).
In addition, incident response training can now occur on a schedule defined by targeted risk analysis instead of annually.
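The unexpected-PAN point above, as an added example that is not Checkout.com code: a discovery scan that looks for PAN-shaped numbers in sources where they should not be, validates candidates with the Luhn check to discard order numbers and timestamps, and reports only masked values so the scanner never becomes a new place where PANs are written down. The log lines, ticket export and vault file are constructed, as is the list of locations where PAN is expected.

```python
import re
from typing import Dict, List, Set

# 13 to 19 digits, optionally separated by single spaces or dashes, and not
# part of a longer digit run.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn check digit test; every real PAN passes, most other numbers don't."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(pan: str) -> str:
    """First six and last four only (3.4.1): findings never carry a full PAN."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_pans(text: str) -> List[str]:
    """Return the normalized digit strings in `text` that look like a PAN."""
    found = []
    for match in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", match.group(0))
        if luhn_valid(digits):
            found.append(digits)
    return found


def scan_sources(sources: Dict[str, str],
                 expected_locations: Set[str]) -> List[Dict[str, object]]:
    """Scan each named source; flag PANs found outside the expected locations."""
    findings: List[Dict[str, object]] = []
    for source, content in sources.items():
        for pan in find_pans(content):
            findings.append({
                "source": source,
                "pan_masked": mask(pan),
                "expected": source in expected_locations,
            })
    return findings


# Constructed inputs: an application log, a support ticket export, and the
# token vault, which is the only place PAN is supposed to live.
CONSTRUCTED_SOURCES = {
    "app/payments.log": (
        "2024-03-02T10:15:01Z INFO auth ok order=1234567890123456 token=tok_8f3a\n"
        "2024-03-02T10:16:44Z DEBUG request body card=4111 1111 1111 1111 exp=12/26\n"
    ),
    "support/tickets.csv": (
        "id,ts,note\n"
        "77,20240101123045,\"customer read out 5555-5555-5555-4444 over the phone\"\n"
    ),
    "vault/tokens.db": "pan=4111111111111111 token=tok_8f3a\n",
}
EXPECTED_PAN_LOCATIONS = {"vault/tokens.db"}

if __name__ == "__main__":
    for finding in scan_sources(CONSTRUCTED_SOURCES, EXPECTED_PAN_LOCATIONS):
        level = "ok     " if finding["expected"] else "INCIDENT"
        print(f'{level} {finding["source"]}: {finding["pan_masked"]}')
```

The two unexpected hits (a debug log and a support ticket) are exactly the cases the incident response procedure has to cover: delete or redact the data, find out which process wrote it there, and fix that process, then confirm the scope of your assessment still matches where PAN actually is. Production scanners also slide a window over longer digit runs and handle more separators; the Luhn filter is what keeps the false-positive rate workable.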
ABOUT THE AUTHOR
Jo Vane is our director of InfoSec Compliance and an expert in all things PCI DSS, risk, and governance.