In addition to ISO 27002:2022, the long-awaited PCI DSS 4.0 was published, on which I provided comments, and 3 out of 5 of my recommendations were taken into account.
I did not find any data about separate requirements for long PANs and long BINs on standard PANs, or about the specifics of working with a microservice architecture. But attention is paid to keys and to data processing in memory, and there are links to the more up-to-date PCI SSS instead of PA DSS, which is also nice and timely.
Let’s take a closer look at what changes the standard has undergone, how the changes have been implemented and in what time frame they need to be implemented.
The new original version of the PCI DSS 4.0 standard has been published and is available here.
PCI DSS 4.0 changes compared to PCI DSS 3.2.1 are available in a separate document on the official website.
Well, let’s move on to the changes in the PCI DSS 4.0 standard.
That document describes the main structural changes that were made.
Section 3 briefly describes the changes in the introductory sections of PCI DSS 4.0.
It contains appropriately precise wording on the precedence of local regulation, and on the fact that some of the requirements apply directly to organizations that do not store PAN, etc.
It also covers how PCI DSS relates to PA DSS and to the now more current PCI SSC Software Standards (PCI SSS).
Section 4 describes the general changes between PCI DSS 3.2.1 and PCI DSS 4.0.
Section 5 compares in detail the changes between PCI DSS 3.2.1 and PCI DSS 4.0.
It contains a substantial list of changes, the main ones being as follows.
Section 1. The range of network technologies covered is expanded. The objective of controls between trusted and untrusted networks, including wireless networks, is clarified. Requirements are more detailed and broader in scope, and some requirement items have been broken down into sub-requirements.
Section 2. Requirement 2.1.2 is introduced regarding the documentation, assignment and understanding of roles and responsibilities. Requirements for insecure services and protocols are clarified.
Section 3. Requirements for storing critical data before authorization is completed are significantly more detailed (3.2.1, 3.3.2). Without a documented business need, only the last 4 digits may be displayed when masking a PAN. New requirements for hashing. Disk- or partition-level encryption may be used only for removable media. The same keys must not be used for test and production environments.
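The two Section 3 points on masking and hashing are easy to get subtly wrong, so here is a small worked example. It is added here and is not code from the standard or from the original post. It assumes a 6-digit BIN (the standard also allows 8-digit BINs; the length is a constant so it can be changed) and uses HMAC-SHA256 as the keyed hash, in line with PCI DSS 4.0 requirement 3.5.1.1, which requires hashes used to render PAN unreadable to be keyed cryptographic hashes of the entire PAN. The PAN used is the well-known Visa test number, not a real card.

```python
import hashlib
import hmac
import re

# Assumption for this example: a BIN is the first 6 digits. The default display
# policy reveals only the last 4 digits; the BIN is revealed only when the
# caller asserts a documented business need.
BIN_LENGTH = 6
LAST_DIGITS_SHOWN = 4


def normalize_pan(pan: str) -> str:
    """Strip spaces/dashes and check the length range a PAN can have (8-19 digits)."""
    digits = re.sub(r"\D", "", pan)
    if not 8 <= len(digits) <= 19:
        raise ValueError("PAN must contain 8 to 19 digits")
    return digits


def mask_pan(pan: str, reveal_bin: bool = False) -> str:
    """Mask a PAN for display. Default: last 4 digits only. With reveal_bin=True
    (documented business need only) the BIN is shown as well."""
    digits = normalize_pan(pan)
    keep_front = BIN_LENGTH if reveal_bin else 0
    if keep_front + LAST_DIGITS_SHOWN >= len(digits):
        raise ValueError("masking would reveal the whole PAN")
    hidden = len(digits) - keep_front - LAST_DIGITS_SHOWN
    return digits[:keep_front] + "*" * hidden + digits[-LAST_DIGITS_SHOWN:]


def visible_digit_count(masked: str) -> int:
    """How many PAN digits a masked string still exposes."""
    return sum(ch.isdigit() for ch in masked)


def display_is_compliant(masked: str, business_need_for_bin: bool = False) -> bool:
    """Check a rendered value against the masking policy: at most the last 4
    digits, or BIN plus last 4 when a business need for the BIN is documented."""
    limit = (BIN_LENGTH + LAST_DIGITS_SHOWN) if business_need_for_bin else LAST_DIGITS_SHOWN
    return visible_digit_count(masked) <= limit


def keyed_pan_hash(pan: str, key: bytes) -> str:
    """Keyed hash (HMAC-SHA256) over the whole normalized PAN.

    An unkeyed hash is not sufficient for PAN: the number of valid PANs behind
    a known BIN is small, so a plain SHA-256 of the PAN can be looked up in a
    precomputed table. The secret key removes that property and must be
    managed under the same key-management controls as encryption keys
    (separate keys for test and production, rotation, restricted access).
    """
    return hmac.new(key, normalize_pan(pan).encode("ascii"), hashlib.sha256).hexdigest()


if __name__ == "__main__":
    test_pan = "4111 1111 1111 1111"  # constructed: standard Visa test number
    print(mask_pan(test_pan))                      # ************1111
    print(mask_pan(test_pan, reveal_bin=True))     # 411111******1111
    print(keyed_pan_hash(test_pan, b"example-key-from-your-kms"))
```

Comparing two stored records for the same card then becomes a comparison of their keyed hashes under the same key; changing the key (for example between test and production) produces unrelated values, which is exactly the property the standard is after.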
Section 4. Covers inventories of trusted keys and certificates and control of their validity periods.
Section 5. Extended requirements and language for antivirus software, risk assessment considerations, and even protection against phishing attacks.
Section 6. Internally developed software and third-party software are now addressed separately. Contains a requirement for a software inventory. Threat mitigation requirements for public-facing web applications. Requirements for scripts on payment pages.
Section 7. New Requirements for Access and Account Verification.
Section 8. Requirements for point-of-sale terminals are called out separately, with reduced requirements where a terminal has access to only one PAN at a time. The minimum password length increases from 7 to 12 characters.
Requirement to implement Multi-Factor Authentication (MFA) for all access into the CDE. Hardcoding passwords in files and scripts is prohibited.
Section 9. Requirements for visitors are highlighted separately. Requirements for the storage, accounting and destruction of media have changed.
Section 10. Requires automated mechanisms for reviewing audit logs. Targeted risk analysis. Failures of critical security control systems must be detected, prevented and promptly remediated.
Section 11. Requirement to conduct authenticated internal scans. Requirement to manage all vulnerabilities found (not just critical ones). Requirements for detecting changes in the content of payment pages. Detection of covert data-transmission channels.
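The Section 6 requirement for payment-page scripts and the Section 11 requirement for detecting changes to payment-page content fit together: keep an authorized inventory of every script on the page, then compare what the page currently serves against it. The example below is added here and is not code from the standard or from the original post. It fingerprints external scripts by their `src` URL and inline scripts by the SHA-256 of their body, and reports anything not in the inventory (new or modified) and anything from the inventory that has disappeared. The page fragments and the `checkout.example` host are constructed for the example.

```python
import hashlib
from html.parser import HTMLParser


class ScriptCollector(HTMLParser):
    """Collect every <script> element: external ones by src, inline ones by body."""

    def __init__(self):
        super().__init__()
        self.scripts = []          # list of (src_or_None, inline_body)
        self._in_script = False
        self._src = None
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._in_script = True
            self._src = dict(attrs).get("src")
            self._buf = []

    def handle_data(self, data):
        # Script bodies are delivered as raw text by HTMLParser.
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_script:
            self.scripts.append((self._src, "".join(self._buf)))
            self._in_script = False


def fingerprint(src, body):
    """Stable identifier for one script: its URL if external, else a hash of its body."""
    if src:
        return "src:" + src.strip()
    digest = hashlib.sha256(body.strip().encode("utf-8")).hexdigest()
    return "inline:" + digest


def page_fingerprints(html):
    parser = ScriptCollector()
    parser.feed(html)
    parser.close()
    return [fingerprint(src, body) for src, body in parser.scripts]


def build_inventory(html):
    """The authorized script inventory, taken from a reviewed, known-good page."""
    return set(page_fingerprints(html))


def audit_payment_page(html, inventory):
    """Compare the page as currently served with the authorized inventory."""
    found = page_fingerprints(html)
    return {
        "authorized": [f for f in found if f in inventory],
        "unauthorized": [f for f in found if f not in inventory],  # new or modified
        "missing": sorted(inventory - set(found)),                 # removed or altered
    }


# Constructed sample pages. The reviewed baseline has one external and one inline script.
BASELINE_HTML = """<html><head>
<script src="https://checkout.example/js/pay.js"></script>
</head><body>
<form id="card-form"></form>
<script>initCheckout("card-form");</script>
</body></html>"""

# Same page with an extra inline script that was never authorized.
TAMPERED_HTML = BASELINE_HTML.replace(
    "</body>", '<script>sendFormData("card-form");</script>\n</body>')

# Same page with the authorized inline script altered.
CHANGED_HTML = BASELINE_HTML.replace('initCheckout("card-form");',
                                     'initCheckout("card-form", true);')


if __name__ == "__main__":
    inventory = build_inventory(BASELINE_HTML)
    for name, page in (("baseline", BASELINE_HTML), ("tampered", TAMPERED_HTML),
                       ("changed", CHANGED_HTML)):
        print(name, audit_payment_page(page, inventory))
```

A modified inline script shows up twice, once as an unauthorized fingerprint and once as a missing one, which is the signal to treat it as a change rather than an addition. In practice the inventory would be reviewed and approved through the organization's change-control process, and the comparison would run on the page as seen by a consumer's browser, not only on the server-side template.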
Section 12. Changes to risk assessment, requirement for targeted risk analysis. For service providers, document and confirm the scope of the PCI DSS at least every 6 months. A requirement to update the awareness program every 12 months. The frequency of staff training should be based on the risk analysis performed.
Of particular interest are the requirements of 12.8. In particular, 12.8.1-12.8.5 “The use of a PCI DSS compliant TPSP does not make an organization PCI DSS compliant and does not remove its responsibility for PCI DSS compliance.”
Appendices A1-A3 describe the changes by analogy with the sections of the standard, and a table summarizes the new requirements that apply to all organizations or only to service providers, indicating by what date each requirement must be met: immediately, or from March 31, 2025.
In general, PCI DSS has become noticeably larger: PCI DSS 3.2.1 runs to 180 pages, while PCI DSS 4.0 is already 360. There is a higher level of detail, more attention to the risk-based approach, and categorization of requirements and data. A number of new requirements and checks have been added.