The Payment Card Industry Security Standards Council (PCI SSC) is set to roll out PCI Data Security Standard version 4.0 (PCI 4.0) on March 31 with an overarching goal of enhancing industry security practices in response to evolving cyber threats.  

For the last 25 years, S3 Security experts have worked side-by-side with clients to help maintain compliance and protect against cyber attacks. We’ve been a trusted partner for payment card security including Visa, Master Card and American Express since 2001, and a QSA/ASV firm since 2004 when the Payment Card Industry Security Standards Council was first established. 

In short, S3 Security is committed to providing straightforward guidance for proactive cyber security programs that support business goals, build trust and deliver peace of mind. So, this white paper is just the first step in helping you in navigate changes in the New PCI 4.0 Data Security Standard. 

1. Adaptative Security Practices 

Continue to meet the security needs of the payment industry through practices that evolve as threats change. This includes embracing multi-factor authentication, updating password/passphrase requirements and addressing emerging threats involving e-commerce and phishing. 

 2. Promote Security as a Continuous Process 

Recognize cybersecurity as an ongoing commitment. Clearly defined roles and responsibilities, comprehensive guidance, integrated risk analysis and new reporting options ensure a proactive approach to safeguarding payment data. 

 3. Enhanced Flexibility for Innovation 

PCI 4.0 fosters adaptability by increasing flexibility to achieve security objectives. This includes supporting payment technology innovation with features like targeted risk analysis which enables organizations to establish frequencies for specific activities.  

Moreover, PCI 4.0 allows for a customized approach to fulfill requirement objectives, accommodating organizations leveraging innovative methods. It also permits group, shared and generic accounts to provide additional flexibility in meeting compliance requirements. 

• Significant Change Guidance
  Clarification on what constitutes a significant change for PCI. 

• Roles and Responsibilities
  Expanded documentation of roles and responsibilities for performing activities related to all 12 requirements. 

• Scope Confirmation
  Entities must document and confirm PCI DSS scope at least every 12 months and upon significant change to the in-scope environment.  

• Timeframe Expectations
  Streamlined timeframes for more explicit compliance expectations. Changes now reflect the set number of days (1 day vs. daily, 7 days vs. weekly, 30 days vs. monthly, 90 days vs. quarterly, etc.)

• PCI 4.0 Templates Increased Length
  Lengthier templates provide a comprehensive documentation framework, and these templates can sometimes be twice the length of PCI 3.2.1 counterparts.
• Target Risk Assessments (TRA)
  New TRAs are required for all PCI requirements where entities define the frequency of control activities (nine new requirements).
   
• Build/Maintain a Secure Network and Systems
  Replaced “firewalls” and “routers” with “network security controls” for a broader security technology scope. 

• Third-Party Service Providers (TPSP)
  New requirements for TPSP to enhance transparency and support customers’ requests to provide PCI DSS compliance status and information about PCI DSS requirements that are the responsibility of the TPSP (12.8.4 & 12.8.5). 

PCI 4.0 challenges organizations to enhance their security posture. Mature IT security environments have a head start, but others must upgrade to meet the new requirements.  

Decisions for changes effective March 31, 2025, need careful consideration, as budgetary allocations for 2024 may be necessary for a seamless transition. For example, increasing the password length to 12 may require the replacement of applications that handle credit card information—processing, storing, or transmitting it—to comply with this requirement. 

PCI 4.0 is fast approaching and will become mandatory within a short timeframe. If your organization falls under the compliance mandate, it’s crucial to plan proactively and take action to meet the requirements set for March 31, 2024, while gearing up for the subsequent changes scheduled for March 31, 2025.  

These changes will impact how you do business – and may take significant effort – but the payoff goes far beyond a stamp of approval. 

PCI 4.0 is not just a mandate; it’s an opportunity to bolster your organization’s security infrastructure. Partner with us to seamlessly transition into the future of payment security, ensuring you’re compliant and resilient in the face of evolving threats.