Act Now on PCI DSS v4.0 Future-dated Requirements

On March 31, 2024, PCI DSS v4.0 became the active version of the standard as v3.2.1 was officially retired. Organizations seeking to obtain or maintain their PCI DSS certification must comply with the requirements in v4.0. The updated standard includes dozens of new requirements. Most of the new requirements are future-dated for March 31, 2025, meaning organizations are not required to have controls in place to meet those requirements until that date. Several of the new requirements did go into effect in March 2024.

The PCI Security Standards Council published this Summary of Changes document that identifies the new requirements in v4.0 and which requirements are future-dated.


Comply with Future-dated Requirements ASAP

Do not procrastinate when it comes to the PCI DSS v4.0 future-dated requirements. March 2025 will be here before you know it and not having the required security controls in place could jeopardize your certification.

Organizations should have already identified the new requirements they are not currently meeting. If you haven’t, perform a gap assessment against the future-dated requirements as soon as possible.

Start designing security controls, policies, and procedures to satisfy those identified requirements. Test that your new controls are effective, make any necessary adjustments, and implement them. The longer these controls are operational before your next PCI DSS audit, the better. The additional time will be valuable for identifying and fixing any inefficiencies or errors.

Being able to demonstrate to customers and prospects that your business was an early adopter of PCI DSS v4.0 will show a commitment to data security which could elevate you above the competition.

PCI DSS v4.0 Future-dated Requirements to Prioritize

The different PCI DSS security controls require different levels of effort. Here are some of the new future-dated requirements that could be a heavier lift for your organization. You may want to prioritize these controls if you haven’t already addressed them.

Targeted Risk Analysis (Requirement 12.3.1): Perform a targeted risk analysis for any PCI DSS requirement that provides flexibility for how frequently it is performed.

This requires organizations to have a robust risk management process. Conducting consistent and effective risk analyses, particularly for specific technical controls, can be resource-intensive and may require specialized knowledge.

Authentication Requirements (Requirement 8): There are multiple new requirements regarding password security, length, how often passwords must be changed, and multi-factor authentication.

Implementing these enhanced authentication mechanisms can be complex, especially in environments where legacy systems are involved. Ensuring all systems comply and managing user experience without reducing security can be difficult.

Increased Logging and Monitoring (Requirement 10.4.1): Use automated mechanisms to perform audit log reviews, and perform a targeted risk analysis to define the frequency of periodic log reviews for all system components.

This requires advanced security information and event management (SIEM) systems and processes. Organizations must ensure that they can manage and analyze the increased volume of log data effectively, which may require additional investments in technology and skilled personnel.

Encryption and Key Management (Requirement 3.5.1): Stricter requirements for encryption and cryptographic key management.

Upgrading existing encryption systems and ensuring secure key management processes can be complex and costly. Organizations may need to replace or upgrade legacy systems to meet these new requirements.

Continuous Monitoring and Detection Processes (Requirement 11.6.1): Deploy a change-and-tamper detection mechanism to alert for unauthorized modifications to the HTTP headers and contents of payment pages as received by the consumer browser.

This requires organizations to adopt more advanced monitoring tools and techniques, potentially involving significant changes to their existing security operations. Maintaining continuous monitoring around the clock also demands skilled personnel and adequate resources.
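As an added illustration of the kind of change-and-tamper detection Requirement 11.6.1 describes (example code written for this article, not CompliancePoint's tooling or anything published by the PCI SSC), the Python below fingerprints a payment page's security headers and script inventory against an approved baseline and reports any deviation. The headers monitored, the sample page and the script paths are constructed assumptions; a real deployment would take the observed headers and HTML from the page as actually delivered to the consumer browser.

```python
import hashlib
import re

# Payment-page response headers whose values the baseline pins (assumed set).
MONITORED_HEADERS = ("content-security-policy", "strict-transport-security")
SCRIPT_RE = re.compile(r"<script\b([^>]*)>(.*?)</script>", re.IGNORECASE | re.DOTALL)
SRC_RE = re.compile(r'\bsrc\s*=\s*["\']([^"\']+)["\']', re.IGNORECASE)

def script_inventory(html):
    # External scripts are identified by URL, inline scripts by a hash of their body.
    items = []
    for attrs, body in SCRIPT_RE.findall(html):
        m = SRC_RE.search(attrs)
        if m:
            items.append("src:" + m.group(1))
        else:
            items.append("inline:" + hashlib.sha256(body.strip().encode()).hexdigest()[:16])
    return sorted(items)

def snapshot(headers, html):
    # Fingerprint of one observation; the approved version is stored as the baseline.
    lowered = {k.lower(): v for k, v in headers.items()}
    return {"headers": {h: lowered.get(h) for h in MONITORED_HEADERS},
            "scripts": script_inventory(html),
            "body_sha256": hashlib.sha256(html.encode()).hexdigest()}

def detect_changes(baseline, headers, html):
    # Compare a fresh observation with the baseline; an empty list means no change.
    observed = snapshot(headers, html)
    findings = [f"header changed: {h}" for h in MONITORED_HEADERS
                if observed["headers"][h] != baseline["headers"][h]]
    base_s, obs_s = set(baseline["scripts"]), set(observed["scripts"])
    findings += [f"script added: {s}" for s in sorted(obs_s - base_s)]
    findings += [f"script removed: {s}" for s in sorted(base_s - obs_s)]
    if obs_s == base_s and observed["body_sha256"] != baseline["body_sha256"]:
        findings.append("page content changed outside script tags")
    return findings

# Constructed sample (not a real merchant page) used as the approved baseline.
BASELINE_HEADERS = {"Content-Security-Policy": "default-src 'self'; script-src 'self'",
                    "Strict-Transport-Security": "max-age=31536000"}
BASELINE_HTML = ('<html><body><form id="pay"></form>'
                 '<script src="/static/checkout.js"></script>'
                 '<script>initCheckout();</script></body></html>')
BASELINE = snapshot(BASELINE_HEADERS, BASELINE_HTML)
```

Run `detect_changes(BASELINE, headers, html)` on each scheduled observation and route a non-empty result to your alerting pipeline; the baseline should be regenerated only through your change-control process.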

Advanced Anti-Malware Controls (Requirement 5.2.3): Define the frequency of periodic evaluations of system components not at risk for malware in the entity’s targeted risk analysis.

Implementing these advanced controls may require significant upgrades to existing anti-malware solutions, along with ensuring compatibility with all systems and applications in the environment.

Security Awareness Training for All Personnel (Requirement 12.6.3): Security awareness training must include awareness of threats and vulnerabilities that could impact the security of the CDE and awareness about the acceptable use of end-user technologies.

Developing and maintaining an effective security awareness program that meets these enhanced requirements can be difficult, especially in large organizations. Ensuring that training is relevant, engaging, and regularly updated requires ongoing effort and resources.

Download this spreadsheet to see all the future-dated requirements.

CompliancePoint is a Qualified Security Assessor Company (QSAC). Our experienced consultants can help design and implement the controls needed to secure and maintain PCI DSS certification. Please reach out to us at connect@compliancepoint.com to learn more about our PCI services.

Finding a credible expert with the appropriate background, expertise, and credentials can be difficult. CompliancePoint is here to help.