The PCI DSS (Payment Card Industry Data Security Standard) is a cybersecurity standard aimed at maximizing the protection of card data during its storage, processing or transmission. PCI DSS was developed in December 2004 with the joint participation of five global payment card corporations: Visa, MasterCard, American Express, Discover Financial Services and JCB International.

PCI DSS version 4.0 was just released to improve the legacy requirements of version 3.2.1 (developed from 2016-2018). It also contains totally new requirements, which are in line with the current realities of cyber threats. Though the structure has remained unchanged, 12 sections contain precise requirements (259 in fact).

However, we’d like to start with something else. Namely, the time frame for version 4.0 to become mandatory. From the second quarter (April 1) of 2024 onwards, version 3.2.1 will become obsolete. Accordingly, if a company undergoes a scheduled recertification by the end of the first quarter of 2024, it can still pass version 3.2.1.

In addition, as was once the case with version 3.2, version 4.0 has “best practice” requirements that become mandatory only after March 31, 2025 (prior to this date they are only recommendations). Almost all new requirements are also recommendations.

So, what exactly is new in PCI DSS 4.0? 
To begin with, each section was updated with a mandatory requirement to document and describe the roles of all employees in the company who are involved in requirement implementation.
The first and second sections have no specific changes.
Seven new requirements have been added to the third section (apart from the requirement on roles and responsibilities). In summary:
• the requirements for using hashes have been separately described (the same as they were before encryption);
• not only service providers need to document encryption architecture;
• masking in the BIN*4 instead of the 6*4 format is now allowed.

Only two new requirements have been added to the fourth section. One requires the implementation of an inventory of all trusted keys and certificates, which are used to protect the full card number during its transmission. Requirements were also added to the certificates used to protect the full card number when it is transmitted over public networks.

The fifth section has five new requirements that seem emblematic. It is in the fifth section that the concept of “targeted risk analysis” — a new concept for the PCI DSS — first appears.

Version 4.0 suggests that companies fill out a table, the template of which is provided in the new version, showing a particular risk analysis and conclusions concerning risk assumption, offsetting, or aversion, etc. Filling out this table is required to determine the periodicity and frequency of system scanning with antivirus tools as well as the frequency of checks for systems considered to be immune to virus threats.
The fifth section also stipulates that antivirus programs must now scan all removable media and that companies must also organize phishing protection.

The sixth section has three new requirements. A registry of all user and third-party software must be created and maintained. Owners of card payment system webpages must also maintain a list of all scripts on this page, specifying the need for each of them. WAF is now mandatory.

The seventh section contains three new requirements. Biannual validity checks for all accounts have been introduced and requirements for technical and service accounts have been separately defined.
The eighth section contains five new requirements. These concern mostly multifactor authentication. There are also requirements proposed for accounts that can be used for interactive login.

Just one new requirement has been added to the ninth section. POI devices for counterfeiting must be checked with a regularity determined by “targeted risk analysis” from now on.

The tenth section has three new requirements. They specify the mandatory use of automated log verification mechanisms starting in 2025.

The eleventh section has five new requirements. They express the nature of and procedure for internal vulnerability scanning (which should only be conducted by authorized users) and also add that IDS/IPS systems should detect and eliminate covert channels of malware transmission. The concept of “multi-tenant service providers” was also introduced to include data centers and cloud providers, all of which will have to undergo additional scrutiny under Annex A1.

The twelfth section is the last and most important in terms of new requirements (there are thirteen of them). Two are mandatory as early as 2024: the need to conduct the aforementioned “targeted risk analysis” at least once a year and keep the documented description of the compliance area up to date, as well as conduct an audit at least once a year or whenever the environment changes significantly. All the other new requirements also focus mainly on documenting some aspect of the company’s compliance with the PCI DSS.

In summary, PCI DSS version 4.0 focuses on modern issues and methods; it has broader wording than its predecessors, but is more demanding as well. However, a year of transition, when version 4.0 is mandatory but almost all the new requirements are recommendations, will allow companies to prepare accordingly and implement them gradually.

Link to the text of PCI DSS v4.0:
https://docs-prv.pcisecuritystandards.org/PCI%20DSS/Standard/PCI-DSS-v4_0.pdf
Link to the description of changes in the PCI DSS v4.0 standard compared to v3.2.1:
https://docs-prv.pcisecuritystandards.org/PCI%20DSS/Standard/PCI-DSS-v3-2-1-to-v4-0-Summary-of-Changes-r2.pdf