The Payment Card Industry Data Security Standard (PCI DSS) is a set of security requirements established by the payment card industry to help protect against payment card fraud. The PCI DSS 4.0 is the latest version of these standards and includes several updates and changes. In this article, we’ll provide an overview of what you need to know about PCI DSS 4.0.
Changes in PCI DSS 4.0
The PCI DSS 4.0 includes several changes from the previous version, 3.2.1. Some of the key changes include:
- Personalized approach for validation of requirements
- Targeted risk analysis for critical requirements
- Stricter requirements for passwords and multi-factor authentication (MFA)
- Automated technical solutions for detecting and preventing web-based attacks
- Automated mechanisms for reviewing audit logs
- Internal vulnerability analysis through authenticated scans
Personalized Approach for Validation of Requirements
One of the major changes in PCI DSS 4.0 is the introduction of a personalized approach for validation of requirements. This new approach allows organizations to design their own controls and security standards to meet the PCI DSS 4.0 requirements. Companies can use new security approaches that differ from those described in the traditional PCI requirements, providing an alternative way to meet PCI DSS requirements.
However, when using the personalized approach, a Qualified Security Assessor (QSA) must examine and determine if the custom controls defined by the client are acceptable to comply with the described requirements. Despite this, it provides benefits for the client and the ability to verify compliance with the requirements satisfactorily.
Stricter Requirements for Passwords and MFA
Another significant change in PCI DSS 4.0 is the stricter requirements for passwords and multi-factor authentication (MFA). Organizations must implement MFA for all personnel with non-console administrative access to systems handling cardholder data. The new requirements provide detailed guidelines for password creation and management, such as requiring a minimum password length of at least 10 characters.
Automated Technical Solutions for Detecting Web-Based Attacks
It is now requires to implemente automated technical solutions for detecting and preventing web-based attacks on public-facing web applications. The solution must continuously detect and prevent web-based attacks, such as cross-site scripting (XSS) and SQL injection attacks. This is a critical requirement, as web-based attacks are becoming increasingly prevalent and sophisticated.
Targeted Risk Analysis for Critical Requirements
The Security Framework introduces targeted risk analysis for critical requirements. This means that organizations must conduct a risk analysis to identify the most critical requirements, and then prioritize them accordingly. This is also known as risk-based vulnerability management. This will help organizations focus their resources on the most significant areas of risk and ensure that they are adequately protected.
Internal Vulnerability Analysis through Authenticated Scans
To better protect against internal threats, PCI DSS 4.0 requires organizations to perform internal vulnerability analysis through authenticated scans. Authenticated scans are an effective way to identify vulnerabilities in the organization’s internal systems and applications.
Compliance Deadline
The deadline for full adoption of PCI DSS 4.0 is March 31, 2025. However, it’s essential for organizations to begin making the necessary transitions now to ensure compliance by the deadline.
Conclusion
PCI DSS 4.0 introduces several changes to the previous version, including a personalized approach for validation of requirements, stricter requirements for passwords and multi-factor authentication, and targeted risk analysis for critical requirements. Organizations should start making the necessary changes now to ensure compliance by the March 31, 2025 deadline.
To help you transition smoothly to PCI DSS 4.0, contact XRATOR Expert Team in Vulnerability Management and Compliance Automation.
Cybercrime
Cyber Attacks