The Payment Card Industry Data Security Standard (PCI DSS) continues to evolve alongside technology. Version 4.0, released in March 2022, represents a significant step forward in the evolution of payment industry security standards, introducing new concepts and expanded requirements for payment card data protection.
Part 1: Evolution of PCI DSS and Transition to Version 4.0
In March 2022, the PCI SSC released a new version of the Payment Card Industry Data Security Standard – PCI DSS v4.0. This 360-page document marks a significant step forward in the evolution of payment industry security standards, introducing new concepts and expanded requirements.
The development of PCI DSS v4.0 was largely driven by industry feedback. The creation process involved three rounds of Request for Comments (RFC), generated over 6,000 pieces of feedback, and incorporated input from more than 200 companies. Given the scale of changes, the implementation of the new version will occur gradually over the next three years. The current version, PCI DSS v3.2.1, will remain active until March 31, 2024, allowing organizations to transition smoothly to the new requirements. Full implementation of all new requirements is scheduled for March 31, 2025.
The key feature of the new standard version is its flexibility. As technology continues to evolve rapidly and business processes transform, the new requirements are designed to “ensure the standard meets the security needs of the payment industry.” The standard supports a broader range of security methodologies and promotes the concept of security as a continuous rather than static process.
Part 2: Key Changes in Authentication and Access Management
Multi-Factor Authentication (MFA)
One of the most significant changes in version 4.0 is the expansion of multi-factor authentication requirements. Studies show that proper MFA implementation can prevent up to 99.9% of account compromise attacks. The new standard version requires MFA for all access to the Cardholder Data Environment (CDE), in addition to the existing MFA requirement for remote access from outside the organization’s network.
Passwords and Passphrases
Password requirements have undergone substantial changes. Considering the increased computing power of modern systems, the minimum password length has been increased from 7 to 12 characters. The requirement to change passwords every 90 days remains only for systems not using MFA.
Group and Shared Accounts
Unlike version 3.2.1, which completely prohibited the use of group and shared accounts, version 4.0 allows their use under proper management conditions. This includes:
– Limited duration of use
– Mandatory approval
– Ability to track individual user actions
– Regular usage auditing
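The authentication changes above (MFA for all CDE access, the 12-character minimum, 90-day rotation only without MFA, and managed shared accounts) can be turned into an account audit. The following is an added illustration, not code from the standard or the article; the account record fields, the sample accounts and the `today` date are all constructed assumptions.

```python
from datetime import date

MIN_PASSWORD_LENGTH_V4 = 12    # v4.0 minimum, up from 7 under v3.2.1
MIN_PASSWORD_LENGTH_V321 = 7
MAX_PASSWORD_AGE_DAYS = 90     # rotation applies only where MFA is not used


def evaluate_account(acct: dict, today: date) -> list[str]:
    """Return findings for one account record; an empty list means no issue."""
    findings = []
    if acct["accesses_cde"] and not acct["mfa_enabled"]:
        findings.append("MFA required for all CDE access")
    if acct["password_length"] < MIN_PASSWORD_LENGTH_V4:
        findings.append(f"password shorter than {MIN_PASSWORD_LENGTH_V4} characters")
    age_days = (today - acct["password_set_on"]).days
    if not acct["mfa_enabled"] and age_days > MAX_PASSWORD_AGE_DAYS:
        findings.append(f"password older than {MAX_PASSWORD_AGE_DAYS} days without MFA")
    if acct["shared"]:
        # v4.0 permits shared accounts only when managed: approval on record,
        # a fixed end date, and a way to attribute each action to a person.
        if not acct.get("approved_by"):
            findings.append("shared account lacks documented approval")
        if not acct.get("expires_on") or acct["expires_on"] < today:
            findings.append("shared account lacks a valid expiry date")
        if not acct.get("attributes_actions_to_user"):
            findings.append("shared account cannot attribute actions to individuals")
    return findings


# Constructed sample data (hypothetical accounts, not from any real system).
SAMPLE_ACCOUNTS = [
    {"name": "alice", "accesses_cde": True, "mfa_enabled": True,
     "password_length": 14, "password_set_on": date(2023, 1, 10), "shared": False},
    {"name": "legacy-batch", "accesses_cde": True, "mfa_enabled": False,
     "password_length": 8, "password_set_on": date(2023, 1, 10), "shared": False},
    {"name": "ops-shared", "accesses_cde": True, "mfa_enabled": True,
     "password_length": 16, "password_set_on": date(2024, 1, 2), "shared": True,
     "approved_by": "CISO", "expires_on": date(2024, 3, 31),
     "attributes_actions_to_user": True},
]


def audit(accounts: list[dict], today: date = date(2024, 2, 1)) -> dict[str, list[str]]:
    """Map each account name to its findings; the default date is an assumption."""
    return {a["name"]: evaluate_account(a, today) for a in accounts}


if __name__ == "__main__":
    for name, findings in audit(SAMPLE_ACCOUNTS).items():
        print(name, "->", findings or "compliant")
```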
Part 3: New Approaches to Compliance Assessment
Version 4.0 introduces two methods for validating compliance with standard requirements:
Defined Approach
This traditional method follows clearly defined PCI DSS requirements and testing procedures. It is optimal for organizations whose security systems are already aligned with current standard requirements.
Customized Approach
A new method focused on achieving security objectives rather than meeting specific technical requirements. It allows organizations to independently determine and implement control mechanisms to achieve the security objectives outlined in PCI DSS requirements.
Part 4: Payment Systems Technology Requirements
In the context of the new PCI DSS version, payment systems technology requirements have also evolved. Special attention is paid to the following aspects:
Infrastructure Requirements
– Mandatory primary and backup data centers with Tier III reliability or higher
– Geographic separation of data processing centers
– Redundant communication channels from different providers
– Minimum primary channel bandwidth of 1 Gbps
– Implementation of dynamic routing protocols (BGP, OSPF)
Performance Requirements
– Authorization request response time under 2 seconds
– Capability to process a minimum of 1,000 transactions per second
– System availability at 99.999%
– Maximum downtime of 5 minutes per year
Security Requirements
– Data encryption during transmission and storage
– Regular penetration testing
– Real-time security monitoring
– Mandatory encrypted backup
Part 5: Practical Implementation Aspects
Transitioning to the new standard version requires careful planning and preparation. Organizations are advised to:
1. Conduct an analysis of the current security state
2. Determine the most suitable compliance assessment approach
3. Develop a transition plan
4. Train personnel on new requirements
5. Update documentation and procedures
6. Test new control mechanisms
Implementation Timeline
The implementation timeline for PCI DSS v4.0 is structured to allow organizations adequate time for adaptation:
– March 2022 – PCI DSS v4.0 publication
– March 31, 2024 – PCI DSS v3.2.1 retirement
– March 31, 2025 – Future-dated new requirements become effective
Key Focus Areas for Organizations
Organizations should focus on several critical areas during the transition:
1. Assessment Methodology Selection
– Evaluate the benefits of both Defined and Customized approaches
– Consider organizational structure and existing security controls
– Determine resource requirements for each approach
2. Technology Infrastructure Updates
– Review current system capabilities
– Plan necessary upgrades for meeting new requirements
– Implement enhanced security controls
3. Documentation and Procedures
– Update security policies
– Revise operational procedures
– Create new documentation for customized approaches
4. Training and Awareness
– Develop training programs for new requirements
– Educate staff on changes in procedures
– Ensure awareness of new security objectives
Overall, the new version of PCI DSS reflects contemporary trends in information security and provides organizations with greater flexibility in choosing methods to protect cardholder data. The main principle remains unchanged – ensuring a high level of payment infrastructure security.
It’s important to remember that PCI DSS compliance is a continuous process, not a one-time event. Organizations should constantly monitor changes in standard requirements and adapt their security systems to new threats and challenges in a timely manner.
The transition to PCI DSS v4.0 represents a significant evolution in payment security standards, emphasizing flexibility while maintaining rigorous security controls. Organizations that begin preparing early and take a systematic approach to implementation will be better positioned to meet the new requirements effectively and maintain robust security for their payment systems.