PCI DSS 4.0 Requirements: What's New in the Latest Update
eCommerce
Antony Atkins
March 31, 2024
The Payment Card Industry Security Standards Council (PCI SSC) published PCI DSS v4.0 in March 2022, and with the retirement of v3.2.1 on 31 March 2024 it is now the only active version of the standard. The new version brings significant changes aimed at strengthening security practices, giving organizations more flexibility in how they meet requirements, and helping businesses better protect payment card data. Below are the main updates, what they mean in practice, and why staying compliant is critical for your business.
The new PCI DSS 4.0 requirements focus on four main areas:
1. Maintaining High Security Standards in the Payment Industry
Security measures evolve alongside emerging threats. PCI DSS 4.0 emphasizes:
Updated password requirements aligned with modern practice: a minimum length of 12 characters (8 where the system cannot support 12) containing both letters and numbers, no reuse of the last four passwords, and account lockout after at most 10 failed attempts (Requirements 8.3.4, 8.3.6 and 8.3.7).
Expanded multi-factor authentication (MFA): it is now required for all access into the cardholder data environment, not only for remote and administrative access (Requirement 8.4.2).
Specific measures against phishing, including automated mechanisms to detect phishing attacks and protect personnel from them (Requirement 5.4.1).
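The password controls above are the one place this list gives concrete numbers, so here is a small check that enforces them. This is an added illustration, not code from the original article or from Scalesta's hosting platform; the thresholds are those stated in PCI DSS v4.0 Requirements 8.3.4, 8.3.6 and 8.3.7, while the `Account` class, the function names and the in-memory password history are assumptions made for this example.

```python
"""Password-policy checks mirroring PCI DSS v4.0 Requirement 8.3.

Added example, not part of the original article. Thresholds follow the v4.0 text:
8.3.6 (at least 12 characters, letters and digits; 8 where the system cannot do 12),
8.3.7 (no reuse of the last four passwords) and 8.3.4 (lock out after at most 10
invalid attempts, for at least 30 minutes). The Account dataclass and function
names are assumptions for this illustration.
"""
import hashlib
import hmac
import os
import time
from dataclasses import dataclass, field

MIN_LENGTH = 12            # 8.3.6; drop to 8 only where the system cannot support 12
HISTORY_DEPTH = 4          # 8.3.7
MAX_FAILED_ATTEMPTS = 10   # 8.3.4
LOCKOUT_SECONDS = 30 * 60  # 8.3.4: at least 30 minutes


def _hash(password: str, salt: bytes) -> bytes:
    # PBKDF2-HMAC-SHA256 with a per-password salt; a production system would
    # normally use argon2 or bcrypt, which is outside the point of this example.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass
class Account:
    history: list = field(default_factory=list)  # (salt, digest) pairs, newest last
    failed_attempts: int = 0
    locked_until: float = 0.0


def complexity_errors(password: str, min_length: int = MIN_LENGTH) -> list:
    """Return the 8.3.6 rules the candidate password violates (empty list = OK)."""
    errors = []
    if len(password) < min_length:
        errors.append(f"shorter than {min_length} characters")
    if not any(c.isalpha() for c in password):
        errors.append("no alphabetic character")
    if not any(c.isdigit() for c in password):
        errors.append("no numeric character")
    return errors


def reuses_recent(account: Account, password: str) -> bool:
    """8.3.7: True if the password equals any of the last HISTORY_DEPTH passwords."""
    for salt, digest in account.history[-HISTORY_DEPTH:]:
        if hmac.compare_digest(_hash(password, salt), digest):
            return True
    return False


def set_password(account: Account, password: str, min_length: int = MIN_LENGTH) -> list:
    """Apply 8.3.6 and 8.3.7; on success store the new hash and return []."""
    errors = complexity_errors(password, min_length)
    if reuses_recent(account, password):
        errors.append(f"matches one of the last {HISTORY_DEPTH} passwords")
    if errors:
        return errors
    salt = os.urandom(16)
    account.history.append((salt, _hash(password, salt)))
    account.history = account.history[-HISTORY_DEPTH:]  # keep only what 8.3.7 needs
    return []


def verify(account: Account, password: str, now: float = None) -> str:
    """Check a login attempt under the 8.3.4 lockout rule: 'ok', 'locked' or 'denied'."""
    now = time.time() if now is None else now
    if now < account.locked_until:
        return "locked"
    if not account.history:
        return "denied"
    salt, digest = account.history[-1]  # the current password is the newest entry
    if hmac.compare_digest(_hash(password, salt), digest):
        account.failed_attempts = 0
        return "ok"
    account.failed_attempts += 1
    if account.failed_attempts >= MAX_FAILED_ATTEMPTS:
        account.locked_until = now + LOCKOUT_SECONDS
        account.failed_attempts = 0
    return "denied"


if __name__ == "__main__":
    acct = Account()
    print(set_password(acct, "short1"))          # violates length
    print(set_password(acct, "CorrectHorse42"))  # accepted
    print(set_password(acct, "CorrectHorse42"))  # rejected: reuse
```

The `now` parameter exists so the lockout window can be tested deterministically; in a real service the clock comes from the system and the account state lives in a database rather than a dataclass.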
2. Promoting Security as an Ongoing Process
The new version introduces a focus on continuous security practices, often referred to as "security as a process". Key highlights include:
Recommendations for frequent software updates and automated testing throughout the software development lifecycle.
New reporting mechanisms to identify areas needing improvement, increasing transparency.
Clearer role definitions to ensure accountability in implementing security measures.
3. Flexibility for Diverse Security Methods
PCI DSS 4.0 offers greater adaptability, making it easier for organizations to achieve compliance without hindering innovation. Notable changes include:
Group and shared accounts are permitted on an exception basis, provided they are documented, approved by management and their use can be traced to an individual (Requirement 8.2.2).
Targeted risk analyses let an organization decide for itself how often it performs controls the standard describes as "periodic", instead of following a fixed schedule.
A new Customized Approach, alongside the traditional Defined Approach, lets an organization meet a requirement's stated security objective with controls of its own design, which the assessor then validates.
4. Enhanced Reporting and Validation Processes
The revised reporting structure in PCI DSS 4.0 simplifies audits and improves transparency:
Clear guidelines for the Report on Compliance (ROC) and the Self-Assessment Questionnaire (SAQ).
Simplified yet detailed information presentation to make compliance easier to understand.
Criminals never miss a chance to steal personal and card data, so we need to keep a constant finger on the pulse. Continuous security, or "security as a process", means timely software updates and automated tests at every stage of both the development and the operation of software, with evidence that controls keep working between assessments rather than only on audit day. In practice, this is now what protects payment data. Alongside that shift, v4.0 adds implementation guidance for each requirement, a new reporting option that highlights areas for improvement and makes reporting more transparent, and an explicit allocation of roles and responsibilities for every requirement.
Staying compliant with PCI DSS 4.0 is essential for businesses handling payment data. Non-compliance can result in penalties, loss of customer trust, and vulnerabilities to cyberattacks. Adopting these updates not only secures your payment systems but also enhances your reputation as a trustworthy organization.
At Scalesta, we provide hosting solutions that protect against malicious bots and cyberattacks while ensuring your systems meet the security tests necessary for PCI DSS certification.
The Payment Card Industry Data Security Standard (PCI DSS) is an international standard that provides a baseline of technical and operational requirements for protecting payment data. PCI DSS v4.0 is the next evolution of the standard and succeeds v3.2.1, which was retired on 31 March 2024; the requirements v4.0 marks as future-dated remain best practice until 31 March 2025, after which they become mandatory.