PCI DSS v4 – Changes at a Glance

13 Jun

After several years wait, and to surprisingly little fanfare, the Payment Card Industry Security Standards Council (PCI SSC) released the new version of the PCI Data Security Standard (DSS) on 31 March 2022.  It has been 4 years since the last minor update (v3.2.1) and nearly 9 years since the last major update (v3.0).  Given the ever evolving risks and changes in the security landscape and technologies, it can be argued that the new release is long overdue.  The question is, what has changed and why is this classified as a major update?  So, here’s a brief summary of the key changes.

The Requirements

There have been a lot of minor clarifications, renumbering, and rearranging of the requirements within the Standard to make it flow better and easier to follow.  But there are also approximately 40 new requirements across a variety of areas including:

  • Increased requirements for multi-factor authentication across the scope
  • New requirements mandating the deployment of anti-phishing systems
  • Greatly expanded risk assessment requirements
  • Mandatory deployment of a web application firewall (WAF) for public-facing web applications
  • Change detection on HTTP headers of payment pages.

Customised Validations

This, in URM’s opinion, is what makes this update a major change.  The Council has introduced a completely new way for organisations to validate their PCI compliance status, calling it a ‘customised validation’.  Simply put, this is a new way to meet the intent of any given requirement, but with a control that you design and implement.

This provides your organisation with the flexibility to meet a requirement in a way that best suits you, however, it is not without its drawbacks.  A customised validation requires a great deal of effort from your organisation to design, document, detail, test, and maintain controls, much of which relies on you having a mature risk assessment process embedded within your operations and processes.

In short, customised validations are not for the faint hearted and require a significant resource investment to accomplish correctly, not to mention the increased level of effort required by your QSA to assess each customised validation as being compliant.

Additional Resources

On 7 April 2022, URM held a webinar that outlined some of the key changes within version 4 of the Standard and the implications of those changes. If you would like to access a recording of this webinar, please complete the form below and we will email you a link at the earliest opportunity, i.e. during normal office hours – Monday to Friday, 9 to 5:30.

Read more

Are you looking for a PCI QSA?

As a long-established PCI QSA, URM is able to deliver a full PCI QSA-led audit and produce a report on compliance (RoC) as well as deliver a full QSA-led self-assessment questionnaire (SAQ)
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.
Thumbnail of the Blog Illustration
Information Security
Published on
Preparing for a Report on Compliance (ROC)

There’s no getting away from the fact that preparing for a PCI DSS ROC can be a bit of a trial....

Read more
Thumbnail of the Blog Illustration
Information Security
Published on
How to Meet Key New PCI DSS 4.0 Requirements

Meeting the new payment page requirements in PCI DSS v4.0 may seem tricky. URM provides detailed guidance on implementation and effective payment page security.

Read more
Thumbnail of the Blog Illustration
Information Security
Published on
PCI Policies, Procedures and Evidence – What is expected?

While it’s one of the areas that IT and security departments find challenging, documentation (and compliant evidence)....

Read more
URM's diligence during these audits has resulted in the business as a whole pulling together to collectively ensure that we up to par with the requirements. While our working relationship with URM’s consultant is fantastic, we are held to account for every bullet point of every requirement on every audit, which is precisely what we expect. The consultant’s efforts in ensuring that our PCI compliance is audited correctly is highly appreciated, as it gives the company an accreditation that we can be proud of and that we can show off to existing and prospective customers as proof of our security posture. A huge thank you to URM for providing such a valuable service.
Open Banking Platform
contact US

Let us help you

Let us help you in your compliance journey by completing the form and letting us know how we can best support you.