From 31 March 2024, version 3.2.1 of the Payment Card Industry Data Security Standard (PCI DSS) is being retired. After this date, all assessments will need to be conducted against v4.0 of the Standard and, while some organisations have already transitioned, many are yet to do so. As a PCI DSS Qualified Security Assessor Company (QSAC), URM has already been involved with a number of organisations’ early transitions to PCI DSS v4.0, providing us with insight into some common mistakes and pitfalls organisations have faced when transitioning, as well as the areas of v4.0 that organisations have most frequently struggled to comply with.
In this blog, Alastair Stewart, Senior Consultant and QSA at URM, answers some common questions about v4.0 of the PCI DSS and provides detailed advice and guidance on how your organisation can prepare for a successful transition. The blog is based on the transcript of a webinar 'Transitioning to PCI DSS v4.0' which was delivered in 2024 by Alastair and Martin Jones, Director at URM. In the webinar, Alastair and Martin discussed the changes that have been made to the PCI DSS in v4.0, how organisations can meet the new and updated requirements, and some lessons learned from the early transitions to v4.0 that URM has supported and facilitated.
What lessons have we learnt from early PCI DSS v4.0 transitions?
We find the organisations with the smoothest and easiest transitions are those that have mature, robust PCI DSS processes and policies which have been effectively implemented and monitored. In these cases, introducing the new requirements becomes relatively simple, as all you will need to do is determine how you will meet each requirement and build a new process to facilitate this. If you have a strong understanding of how your existing processes work, you will find it easier to add to them in order to meet a new requirement, integrate new processes, or build a new process for the same team to manage, helping members of your organisation get on board with the changes and mitigating the level of disruption your transition will cause.
We have also found having a small, static PCI DSS environment will help organisations achieve a successful and more straightforward transition. Reducing the size of your PCI DSS scope is something we will recommend in general as the smaller and more stable your environment is, the easier it will be to comply with the Standard. A smaller environment will see less frequent changes, and therefore fewer opportunities for something to be forgotten and for areas of noncompliance to unexpectedly appear.
Finally, it’s important to have a means of securely sharing evidence, as there is now a greater emphasis on certifying organisations sharing evidence with their assessors. Under previous versions of the Standard, QSAs would need to collect screenshots, samples etc. as evidence of your PCI DSS compliance. However, the Payment Card Industry Security Standards Council (PCI SSC) now wants assessors to collect much more evidence than they used to. For example, if your assessor states in the Report on Compliance (RoC) that they have viewed a process, they will now need to supply evidence that they have seen it, which you will need to provide. As such, having the ability to quickly and securely share files and documents will be extremely valuable for increasing the efficiency of your assessment.
How will the changes to evidencing compliance in PCI DSS v4.0 impact your assessment planning and preparation?
Effective planning and preparation prior to your PCI DSS assessment is always essential. However, this is especially true of v4.0 transition assessments due to the changes that have been made to the way evidence is collected for the RoC. While RoCs for previous versions of the Standard were focused on the QSA providing narrative descriptions of assessments, for v4.0 RoCs QSAs will need to provide detailed descriptions of evidence, which is then referenced to demonstrate how the certifying organisation has met each requirement. For a detailed explanation of how evidencing compliance in PCI DSS assessments has changed, see our blog on What are the Key New Requirements with PCI DSS 4.0.
Because of these changes, planning from an evidence rather than an assessment perspective may make it easier for you to shift your assessment to the v4.0 approach. In practice these changes may, for example, impact the way your assessor wants to interview individuals about specific processes. Previously, QSAs would tend to be led by requirements in their approach to conducting interviews, i.e. starting with requirement 1, installing and maintaining firewalls, and speaking to the individual(s) responsible for managing firewalls, then moving to requirement 2, etc.
Now, it makes more sense for your QSA to outline which systems, processes, policies etc. need to be discussed, and for your organisation to allocate personnel to each section. When an individual or team has been allocated to multiple sections, each can be addressed within a single, longer session. This will require you to plan, in advance of the assessment, who will be responsible for supplying each piece of evidence, and how sections can be grouped together to achieve maximum efficiency.
How long does it take to conduct a PCI DSS QSA assessment?
It’s difficult to provide a figure for a ‘typical’ assessment, as there is a lot of variation in the amount of time assessments can take. 10-14 days should cover most assessments; however, we conduct assessments that are completed in 3 days and some that take 3 months.
What are acceptable forms of multi-factor authentication (MFA) for PCI DSS v4.0?
While the use of MFA in some circumstances was a requirement in previous versions of the PCI DSS, in v4.0 the areas where its use is mandatory have been expanded. To learn more about the changes to MFA requirements in PCI DSS v4.0, read our blog on What are the Key New Requirements with PCI DSS 4.0.
Essentially all forms of MFA are compliant with PCI DSS v4.0. Token-based authenticator applications for mobiles, biometrics (fingerprints, facial recognition, iris scanners, etc.) and certificates, as well as anything the National Institute of Standards and Technology (NIST) or the UK Government recommend, are all valid forms of MFA. However, SMS-based tokens are noncompliant due to the ease with which an SMS message can be intercepted and/or spoofed.
If you develop applications that interact with the cardholder data environment (CDE), do these applications need MFA to be compliant with PCI DSS v4.0?
In general, if the application is considered part of the CDE within the scope, then any non-consumer users of that application would need to use MFA to access it. Also, if the application itself has accounts that it uses to access other CDE devices, often called 'system-to-system' accounts (the PCI DSS refers to these as service accounts), then while these service accounts don't need to use MFA, there are a large number of new requirements around the control and management of these service accounts.
Have the requirements around password length changed in PCI DSS v4.0?
Yes, the minimum password length has been increased from 7 to 12 characters.
If you outsource all payment processing to third parties, do you no longer have to comply with PCI DSS v4.0?
No, you will still need to comply. If your organisation takes payments from any of the major card brands, your organisation will be contractually obligated by its bank to comply with the Standard. If you outsource all of your payment processing, this will mean you are on Self-Assessment Questionnaire (SAQ) A and are responsible for making sure that your suppliers are fully compliant with the Standard. Ultimately, while you can outsource the knowledge and work required to comply with the PCI DSS, you cannot outsource your responsibility.
If your scope changes between assessments (e.g., you start taking payments over the phone), will you need to recertify to the PCI DSS?
Technically, you do not recertify but are instead reassessed against the PCI DSS. Compliance with the PCI DSS should be a continuous aspect of business-as-usual operations, and the assessment is simply a snapshot in time which demonstrates that this is the case, rather than an official certification sign off which has an expiry date. As such, even if your scope changes drastically between assessments this should not invalidate your compliance, as you should always be compliant with the Standard.
However, scope changes, such as starting to take payments over the phone, may constitute a significant change. There are a number of requirements which outline what you need to do following a significant change including penetration testing, vulnerability scanning, updating documentation, reassessing scope, etc. During your next annual assessment, your assessor will look at everything you did to check you maintained compliance throughout that change.
Are there any tools available to help you comply with the new script integrity checking requirement in PCI DSS v4.0?
The new version of the Standard has introduced Requirement 6.4.3 which, among other things, dictates that certified organisations must check the integrity of scripts on their payment pages. For further information about Requirement 6.4.3, URM’s How to Meet Key New PCI DSS 4.0 Requirements blog provides in-depth guidance on the new requirement and how to meet it.
There are a variety of tools available on the internet which can assist you in meeting this requirement. However, we would strongly recommend you remain wary of marketing claims about what a product can do, as these aren’t always accurate. For example, a product may claim to be able to ‘make you PCI DSS compliant’; unfortunately, this will never be true. While a product may make compliance easier, no tool, product or service will be able to make you compliant by itself. If you do decide to utilise tools, ensure you have a comprehensive understanding of which requirement that tool will help you meet, and what you will need to do to use that tool in a way that helps facilitate compliance.
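As an added illustration (not code from URM’s blog or from any particular product), the Python below implements the core of the check the Requirement 6.4.3 discussion above describes: an authorised inventory of payment-page scripts and a verification that the scripts actually served, and the way the page pins them, still match it. The script paths, inventory and HTML are constructed sample data, and the 'fetched' content stands in for what a monitor would retrieve from the live page.

```python
import base64
import hashlib
import re

def sri_hash(content: bytes, algo: str = "sha384") -> str:
    """Subresource Integrity value ('sha384-<base64 digest>') for a script body."""
    return f"{algo}-{base64.b64encode(hashlib.new(algo, content).digest()).decode('ascii')}"

_SCRIPT_TAG = re.compile(r"<script\b([^>]*)>", re.IGNORECASE)
_ATTR = re.compile(r'([\w-]+)\s*=\s*"([^"]*)"')

def external_scripts(html: str) -> list:
    """Return src and integrity attribute (None if absent) of each external <script> tag."""
    scripts = []
    for tag in _SCRIPT_TAG.finditer(html):
        attrs = dict(_ATTR.findall(tag.group(1)))
        if "src" in attrs:
            scripts.append({"src": attrs["src"], "integrity": attrs.get("integrity")})
    return scripts

def check_payment_page(html: str, fetched: dict, inventory: dict) -> dict:
    """Map each script src to 'unauthorized' (not inventoried), 'modified' (served bytes differ
    from the inventoried hash), 'missing-integrity' (unchanged but not pinned by SRI) or 'ok'."""
    findings = {}
    for script in external_scripts(html):
        src = script["src"]
        if src not in inventory:
            findings[src] = "unauthorized"
        elif sri_hash(fetched.get(src, b"")) != inventory[src]:
            findings[src] = "modified"  # also raised when the script could not be fetched
        elif script["integrity"] != inventory[src]:
            findings[src] = "missing-integrity"
        else:
            findings[src] = "ok"
    return findings

# Constructed sample data: the authorised inventory and what the page currently serves.
CHECKOUT_JS = b"window.checkout = function () { /* authorised checkout logic */ };"
ANALYTICS_JS = b"window.track = function (e) { /* authorised analytics */ };"
INVENTORY = {"/static/checkout.js": sri_hash(CHECKOUT_JS),
             "/static/vendor/analytics.js": sri_hash(ANALYTICS_JS)}
SAMPLE_HTML = f"""
<script src="/static/checkout.js" integrity="{INVENTORY['/static/checkout.js']}"></script>
<script src="/static/vendor/analytics.js"></script>
<script src="https://cdn.example/unknown.js"></script>
"""
FETCHED = {"/static/checkout.js": CHECKOUT_JS + b" /* unexpected change */",  # altered since inventoried
           "/static/vendor/analytics.js": ANALYTICS_JS,
           "https://cdn.example/unknown.js": b"/* never authorised */"}

if __name__ == "__main__":
    for src, verdict in check_payment_page(SAMPLE_HTML, FETCHED, INVENTORY).items():
        print(f"{verdict:18} {src}")
```

A 'modified' or 'unauthorized' verdict is the alert a payment-page monitor should raise; 'missing-integrity' flags a script that is authorised today but is not protected by a browser-enforced integrity attribute.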
How can URM help?
Having already supported and assessed a number of organisations’ transitions to PCI DSS v4.0, URM possesses the necessary understanding of and experience with the Standard to help your organisation navigate its initial PCI DSS certification, v4.0 transition, or ongoing PCI compliance. Our large team of PCI DSS consultants can offer a range of services to assist you in preparing for assessment, including a scoping service to help your organisation define the most appropriate and streamlined assessment scope, and conducting gap analyses of your current practices against the requirements of the Standard. Having established your current level of compliance and identified the most suitable assessment scope, URM’s PCI DSS consultants can assist with any remediation or implementation activities necessary to allow you to achieve and maintain compliance.
When you are ready to assess, URM can offer a range of PCI DSS audit services, from which you can select those that are most appropriate for your organisation. Before the audit takes place, URM’s QSAs can work with you to conduct a readiness assessment of your in-scope environment, providing you with the opportunity to proactively identify and remediate any issues which could prevent you from achieving compliance before you are formally assessed. We can facilitate and support your assessment by providing a QSA-led RoC or a QSA-supported SAQ, or advise you if you would like to complete the SAQ yourself. Following your successful certification, we can also conduct regular penetration testing and vulnerability scanning in line with PCI DSS requirements, with URM’s status as a CREST-accredited organisation verifying the reliability and trustworthiness of these services.