Nº02

February 2024

Understanding PCI DSS 4.0 

Find out the basics behind this update and how to navigate changes

As emerging technologies continue to evolve the digital landscape, so must all the regulations needed to keep everyone and their critical data safe and secure. And we’re seeing a lot of regulatory updates lately.  

Nenad Brozović

Head of Nexi Group Cyber Security Certifications

The latest update to the Payment Card Industry Data Security Standard (PCI DSS) has long been underway with initial announcements of the changes in March 2022. Compliance with PCI DSS is required for all businesses that process, store, or transmit credit card data, so it’s important to pay attention.   

This is a brief reminder that the requirements for adopting v4.0 become effective in the coming months, together with a basic list of what is changing.

To provide businesses with ample time to adapt, PCI DSS v3.2.1 has remained active for two years after v4.0 was originally published. This transition period will soon come to a close on March 31, 2024.  

“As of March 31, 2024, PCI DSS v3.2.1 will be retired, and v4.0 will become the only active version of the standard”

Lauren Holloway – Director of Data Security Standards at the PCI Security Standards Council

Review the rest of this information straight from the source in the Countdown to PCI DSS v4.0.


In depth about version 4.0

One major difference between the versions is that v4.0 now allows a business to combine approaches to meeting security requirements. Specifically, PCI DSS v4.0 offers two approaches: the Defined Approach and the Customized Approach.

1. The Defined Approach

The Defined Approach is the traditional approach to PCI DSS compliance. Under this approach, businesses must implement security controls that meet the specific requirements of the PCI DSS standard. Assessors will then test these controls to verify that they are effective. If any exceptions are found, businesses can use compensating controls to mitigate the risk. 

2. The Customized Approach

The Customized Approach is a new approach to PCI DSS compliance that is more flexible, but also a bit more complicated. Under this approach, businesses can implement controls that meet the stated objective of each PCI DSS requirement, even if they do not strictly follow the defined requirement.

However, businesses must be able to demonstrate to assessors that their customized controls are effective in meeting the objective of the requirement. 


Other primary changes to this version include: 

  • Broader applicability of encryption for cardholder data on trusted networks, so that organizations must encrypt cardholder data at every point where it is transmitted across internal network zones.
  • More frequent testing of critical controls, so that businesses must verify on a tighter schedule that those controls remain effective.
  • Added flexibility and support for additional methodologies to achieve security.

“PCI DSS v4.0 elevates payment card security by prioritizing continuous and more proactive measures. It integrates with evolving technologies and introduces a risk-based approach. These core changes ensure organizations maintain a robust defense against cyber threats and safeguard customer account data.”

Nenad Brozović, Head of Nexi Group Cyber Security Certifications