Merchants and supporting service providers will see significant changes in their security requirements and PCI compliance reporting obligations. In March, the PCI Security Standards Council issued version 4.0 of the Data Security Standard, introducing sweeping changes and clarification of prior language regarding the protection of credit cardholder data.
The PCI Security Standards Council noted this update was needed “to address evolving risks and threats to payment data, to reinforce security as a continuous process, and to support organization using different security technologies that meet the intent of PCI DSS requirements.”1
While some of the requirements will remain best practices until March 31, 2025, other requirements must be implemented immediately in order for organizations to remain compliant with PCI requirements.
The guidance has been enhanced to bring clarity around existing security requirements, as well as introduce new requirements to address evolving security threats to cardholder data.
It should also be noted that the reporting structure for PCI DSS assessment will change. Reporting templates reflect the new requirements, as well as the new clarity to compliance testing procedures. For more information and clarity on the PCI Compliance changes, please view FORVIS’ PCI Compliance Spring Webinar.
Top 10 Changes to PCI DSS v4.0
FORVIS has identified the following immediate priorities that merchants and service providers should begin to address in their PCI compliance programs:
- Documented PCI Scope: Entities must document and review hardware and software technologies at least every 12 months. This includes identifying all systems and software included within the organization’s cardholder data environment. Formal signoff of the scope and findings must be documented.
- Targeted Risk Analysis: An entity must perform a targeted risk analysis, as defined by the Security Standards Council, for various PCI requirements. This analysis will help document the frequency of key security tasks that must be performed, including:
- Frequency of malware scans
- Frequency of evaluations of systems not typically affected by malware
- Procedures for inspecting point of interaction (POI) devices for tampering, as well as the required frequency of these inspections
- Documenting Compliance Roles and Responsibilities: Roles and responsibilities for performing each PCI requirement activity must be documented in corporate policy.
- Authenticated Internal Vulnerability Scans: Internal scans must now be performed via “authenticated” methods, essentially assuming that authorized user credentials have been compromised. An “authenticated” vulnerability scan provides the organization with deeper insight into a system as it can gather more detailed information about operating system and software vulnerabilities.
- Vulnerability Scan Frequency: While internal vulnerability scans were previously required no less than quarterly, an organization is now permitted to schedule an internal vulnerability scan cadence based upon its own assessment of risk. Additionally, assessors were previously required to review one scan from each quarter, withholding any rescans that may be needed. Rescans should be performed as your internal policy dictates. Version 4.0 requires that the assessor review the scans based upon the frequency defined in the organization’s policy.
- Password Parameters:
- The minimum number of characters required for in-scope systems is increasing from seven to 12.
- The number of failed login attempts before a user is locked out of an account associated with the cardholder data environment (CDE) will increase from six to 10 attempts.
- Multi-Factor Authentication (MFA): MFA must be in place for all general user and administrative logins, including local network and system access, as well as remote access.
- Anti-Phishing Technologies: The Security Standards Council has acknowledged the most common cyberattacks involve social engineering and will now require organizations to implement anti-phishing programs or procedures to protect end users from compromising their own credentials.
- User Access Reviews: Entities must now review all user accounts and related access privileges for applications within the cardholder data environment to validate the account. This review must be documented, include explicit approval, and be available for your assessor’s review.
- Wireless Access Scanning: All entities must scan their environment for unauthorized wireless access points and document the performance of the scans as evidence for assessors. This is a clarification from the previous version of the Data Security Standard to ensure that wireless rogue scans are performed regardless of whether wireless is included by design within the CDE.
How FORVIS Can Help
The firm’s PCI Compliance Advisory Team offers cybersecurity, digital forensics, and compliance services to all industries. The firm is a PCI Qualified Security Assessor Company (QSAC) and provides assessment and advisory services for merchants and service providers of all sizes across the country. Our professionals work with clients to help build and adapt risk management capabilities and PCI compliance programs in times of significant growth and regulatory change.
Reach out to a professional at FORVIS or submit the Contact Us form below if you have any questions.