The Payment Card Industry Data Security Standard (PCI DSS) was first published in 2006 to protect cardholders by requiring organizations that process, store, or transmit their data to do so in a secure environment. The latest version of the PCI DSS—version 4.0—went into effect on March 31, 2024. Organizations have until March 31, 2025, to fully comply before PCI DSS 3.2.1 is officially retired.
Businesses must understand the key updates in PCI DSS 4.0 to be compliant and maintain a strong security posture. This article outlines the most critical changes and what financial organizations must do to meet the new standards. The latest version addresses areas of ambiguity to provide more precise guidance for protecting sensitive financial information.
Version 4.0 of the PCI DSS requires you to implement MFA for all access to the cardholder data environment (CDE), regardless of whether the user is internal or external. You need multiple methods to authenticate users to reduce the probability of a malicious actor gaining access to your system by mimicking a legitimate user. However, this doesn’t apply to accounts that perform automated tasks, and you don’t need to update point-of-sale terminals that only access one card number at a time during sales transactions.
The MFA requirements apply to CDE access by anyone outside your network and any remote access you allow to vendors or third parties. You may already be out of compliance if your organization hasn’t fully integrated MFA across cloud, hosted systems, and on-premises applications. Check your MFA setup to ensure it meets the updated criteria, including no bypass mechanisms and protection against replay attacks. They also apply to the following components of your system:
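To make the "protection against replay attacks" criterion concrete, here is an added example, written for this article and not code from Kiuwan or the PCI SSC, of a TOTP verifier in Python that remembers the last time step each user consumed and refuses any code at or before it. The secret, user names and timestamps are constructed for the demo; the `totp` routine follows RFC 6238 (HMAC-SHA1, dynamic truncation).

```python
import hashlib
import hmac
import struct

# Constructed demo secret. Real deployments provision one secret per user and
# keep it in protected storage, never in source.
DEMO_SECRET = b"constructed-demo-key"


def totp(secret: bytes, timestamp: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the time-step counter, dynamically truncated."""
    counter = struct.pack(">Q", timestamp // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class TotpVerifier:
    """Checks a submitted code and refuses any code at or before the last
    accepted time step, so a captured code cannot be replayed."""

    def __init__(self, secret: bytes, step: int = 30, window: int = 1):
        self.secret = secret
        self.step = step
        self.window = window      # tolerated clock drift, in time steps
        self.last_counter = {}    # user -> highest time-step counter consumed

    def verify(self, user: str, code: str, now: int) -> bool:
        if len(code) != 6 or not code.isdigit():
            return False
        current = now // self.step
        for drift in range(-self.window, self.window + 1):
            candidate = current + drift
            # Replay protection: never accept a step this user already consumed,
            # nor an earlier one (a stale code lifted from an intercepted login).
            if candidate <= self.last_counter.get(user, -1):
                continue
            expected = totp(self.secret, candidate * self.step, self.step)
            if hmac.compare_digest(expected, code):
                self.last_counter[user] = candidate
                return True
        return False


if __name__ == "__main__":
    verifier = TotpVerifier(DEMO_SECRET)
    now = 1_000_000
    code = totp(DEMO_SECRET, now)
    print("first use accepted:", verifier.verify("alice", code, now))
    print("replay accepted:   ", verifier.verify("alice", code, now + 5))
```

The consumed-counter bookkeeping is the whole point: a code that was valid a moment ago is rejected the second time it is presented, even inside the drift window. A production verifier would add rate limiting on failed attempts and persist `last_counter` so a restart cannot reopen the window.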
The new guidelines outline more stringent password requirements. Your passwords must be at least 12 characters long — up from seven in the previous version. Additionally, PCI DSS 4.0 now allows the use of passphrases as an alternative to traditional passwords. Passphrases must be at least 16 characters long and follow organization-defined complexity requirements, providing additional flexibility for secure authentication. If your system can’t support 12 characters, the minimum is eight. This only applies to passwords and phrases used in MFA.
If your customers use only a password to access their information, passwords must be changed every 90 days. If they are not changed, you need to review them and prompt a change automatically. Also, passwords can’t be hard-coded into files or scripts used for interactive log-in.
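The length, passphrase, rotation and hard-coding rules from the two paragraphs above can all be checked mechanically. The following Python is an added example for this article, not Kiuwan's or the PCI SSC's code: a password-policy validator with the 12/8/16-character minimums, a 90-day age check for password-only accounts, and a scanner that flags literal credentials in scripts. The "one letter and one digit" complexity rule, the account records and the sample script lines are constructed assumptions.

```python
import re
from datetime import date

MIN_LENGTH = 12             # PCI DSS 4.0 minimum for passwords
FALLBACK_MIN_LENGTH = 8     # only where the system cannot support 12 characters
PASSPHRASE_MIN_LENGTH = 16
MAX_PASSWORD_AGE_DAYS = 90  # applies when a password is the only authentication factor


def default_complexity(secret: str) -> bool:
    """Assumed organization-defined complexity rule: at least one letter and one digit."""
    return any(c.isalpha() for c in secret) and any(c.isdigit() for c in secret)


def check_password(secret, *, passphrase=False, system_supports_12=True,
                   complexity=default_complexity):
    """Return the list of policy violations; an empty list means the secret is acceptable."""
    problems = []
    if passphrase:
        minimum = PASSPHRASE_MIN_LENGTH
    else:
        minimum = MIN_LENGTH if system_supports_12 else FALLBACK_MIN_LENGTH
    if len(secret) < minimum:
        problems.append(f"shorter than {minimum} characters")
    if not complexity(secret):
        problems.append("fails organization-defined complexity rule")
    return problems


def stale_password_accounts(accounts, today):
    """Names of password-only accounts whose password is older than 90 days."""
    return sorted(name for name, rec in accounts.items()
                  if rec["password_only"]
                  and (today - rec["last_changed"]).days > MAX_PASSWORD_AGE_DAYS)


# A literal assigned to a password-like variable. Values pulled in at run time
# ($VAR, ${VAR}, getenv, environ) are references, not hard-coded secrets.
HARDCODED_RE = re.compile(
    r"(?i)(?P<key>pass(?:word|wd)?|pwd|secret)\s*[:=]\s*['\"]?(?P<value>[^\s'\"]+)")
INJECTED_RE = re.compile(r"\$|environ|getenv")


def find_hardcoded_passwords(lines):
    """Return (line number, variable name) for each hard-coded credential found."""
    hits = []
    for number, line in enumerate(lines, 1):
        m = HARDCODED_RE.search(line)
        if m and not INJECTED_RE.search(m.group("value")):
            hits.append((number, m.group("key")))
    return hits


# Constructed sample data for the demo
SAMPLE_ACCOUNTS = {
    "alice": {"password_only": True, "last_changed": date(2024, 1, 10)},
    "bob": {"password_only": True, "last_changed": date(2024, 5, 1)},
    "carol": {"password_only": False, "last_changed": date(2023, 6, 1)},  # MFA user
}

SAMPLE_SCRIPT = [
    "#!/bin/sh",
    "# constructed sample: script used for an interactive log-in",
    'DB_USER="svc_reports"',
    'DB_PASSWORD="Winter2024!"',         # literal credential: violation
    'export PGPASSWORD=$DB_PASSWORD',    # reference to a variable, not a literal
    'API_SECRET="${VAULT_API_SECRET}"',  # injected at run time: allowed
    'psql -h db.internal -U "$DB_USER" --password',
]

if __name__ == "__main__":
    print(check_password("Tr0ub4dor&3"))
    print(check_password("correct horse battery 42", passphrase=True))
    print(stale_password_accounts(SAMPLE_ACCOUNTS, date(2024, 6, 1)))
    print(find_hardcoded_passwords(SAMPLE_SCRIPT))
```

The scanner is deliberately simple (one regex, one exclusion list); it is meant to show what "hard-coded into files or scripts" looks like in practice, with a credential manager reference left alone and a literal flagged for removal.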
The new PCI DSS updates require accountability around system and application account management by restricting interactive log-ins. If you use systems or applications for interactive log-ins, you need to:
Under Section 3 of the new guidelines, you must minimize the sensitive authentication data (SAD) you store before receiving authorization, and storing complete track data, CVV/CVC codes, and PINs after authorization is strictly prohibited. You need to define your standards in a company retention policy regarding what data you keep and how you dispose of it.
You must also review the information third-party service providers (TPSP) keep to ensure they meet the same standards. If stored data is kept longer than the policy permits, you must delete it or make it unrecoverable. To ensure compliance, consider using automated tools that monitor storage locations for unauthorized retention of sensitive data.
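As an added illustration of the "automated tools that monitor storage locations" suggestion (example code for this article, not a Kiuwan product feature), the Python below scans lines from a log or export for the data classes Section 3 forbids after authorization: full track data, card verification codes and PINs, plus PANs stored in cleartext. Luhn validation separates real PANs from other 16-digit numbers such as order references. The log lines are constructed; the PAN used is the well-known test number 4111 1111 1111 1111.

```python
import re

# 13-19 digits, optionally separated by single spaces or dashes, not part of a longer run
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# Track 1 (%B<PAN>^NAME^...) and track 2 (;<PAN>=YYMM...) magnetic-stripe layouts
TRACK_RE = re.compile(r"%B\d{13,19}\^[^^]*\^|;\d{13,19}=\d{4}")
CVV_RE = re.compile(r"(?i)\b(?:cvv2?|cvc2?|cid)\b\W{0,3}(\d{3,4})\b")
PIN_RE = re.compile(r"(?i)\bpin\b\W{0,3}(\d{4,12})\b")


def luhn_ok(digits: str) -> bool:
    """Luhn check-digit test, used to tell real PANs from other long numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_pans(text: str):
    """Return the Luhn-valid PANs that appear in cleartext in the text."""
    pans = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            pans.append(digits)
    return pans


def scan_line(line: str):
    """Labels for each class of prohibited or unprotected data found on a line."""
    findings = []
    if TRACK_RE.search(line):
        findings.append("track-data")     # SAD: full track contents
    if CVV_RE.search(line):
        findings.append("cvv")            # SAD: card verification code
    if PIN_RE.search(line):
        findings.append("pin")            # SAD: PIN
    if find_pans(line):
        findings.append("cleartext-pan")  # PAN stored without truncation or encryption
    return findings


def scan_storage(lines):
    """(line number, findings) for every line holding data the retention policy forbids."""
    results = []
    for number, line in enumerate(lines, 1):
        findings = scan_line(line)
        if findings:
            results.append((number, findings))
    return results


# Constructed sample log lines for the demo
SAMPLE_LOG = [
    "2024-06-01T10:00:01Z auth ok order=98231 pan=411111******1111",         # truncated PAN: fine
    "2024-06-01T10:00:02Z debug card=4111 1111 1111 1111 cvv=123 exp=12/25",  # cleartext PAN + CVV
    "2024-06-01T10:00:03Z swipe %B4111111111111111^DOE/JOHN^2512101?",        # full track 1 data
    "2024-06-01T10:00:04Z ref=1234567890123456 status=settled",              # fails Luhn: not a PAN
    "2024-06-01T10:00:05Z pin=4321 terminal=7",                               # PIN
]

if __name__ == "__main__":
    for number, findings in scan_storage(SAMPLE_LOG):
        print(number, findings)
```

Run over a real export, a hit for `track-data`, `cvv` or `pin` means the retention policy has already been breached and the data must be deleted or rendered unrecoverable; a `cleartext-pan` hit means the PAN is being kept without the protection the standard requires. Line 1 shows the truncated form that passes cleanly.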
The updated guidance requires stricter controls when moving primary account numbers (PANs) with remote access technology such as a virtual desktop. You now have to implement technology that keeps unauthorized users from copying or relocating PANs from remote devices.
These new restrictions include:
The new PCI DSS version recognizes the rapid escalation of malware — including attacks on systems that were previously considered safe. By now, you should regularly evaluate your system components that aren’t typically at risk for malware attacks. The frequency of your review should depend on the risk profile of these seemingly safe infrastructure components.
You should also have a malware solution installed to protect removable electronic media. Your security tools should automatically scan the media when inserted, connected, or mounted. Alternatively, when removable media is inserted or attached, your solution can execute ongoing behavioral analysis of all systems and processes. Failure to implement behavioral analysis or automated malware scanning for removable media increases the risk of non-compliance and potential security breaches.
Given the complexity of most applications, it can be challenging to effectively manage vulnerabilities and patches. Version 4.0 aims to make this more methodical and thorough by using security tools that provide ongoing detection and prevention of web-based attacks. To simplify this task, you must identify and list all software components, including custom and third-party elements. Inventory tools that provide a software bill of materials (SBOM) will help. These can be incorporated with automated testing tools that regularly scan and analyze software for vulnerabilities and updates.
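To show how an SBOM feeds the vulnerability-management step, here is an added Python example (written for this article; not Kiuwan's tooling and not a real project's inventory) that reads a CycloneDX-style SBOM, reports components that cannot be tracked because they lack a version or package URL, separates custom from third-party components, and matches the rest against an advisory feed. The SBOM, the component names and the `ADV-PLACEHOLDER-*` advisory IDs are all constructed; the `origin` property used to mark custom code is an assumed convention.

```python
import json

# Constructed CycloneDX-style SBOM for a fictitious application
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "components": [
    {"type": "application", "name": "payments-api", "version": "3.2.0",
     "purl": "pkg:generic/example/payments-api@3.2.0",
     "properties": [{"name": "origin", "value": "custom"}]},
    {"type": "library", "name": "example-json-parser", "version": "1.3.0",
     "purl": "pkg:pypi/example-json-parser@1.3.0"},
    {"type": "library", "name": "example-http-client", "version": "4.1.0",
     "purl": "pkg:pypi/example-http-client@4.1.0"},
    {"type": "library", "name": "legacy-crypto", "version": "",
     "purl": "pkg:generic/example/legacy-crypto"}
  ]
}
"""

# Constructed advisory feed: versions below "fixed_in" are affected. IDs are placeholders.
ADVISORIES = [
    {"id": "ADV-PLACEHOLDER-0001", "purl": "pkg:pypi/example-json-parser", "fixed_in": "1.4.2"},
    {"id": "ADV-PLACEHOLDER-0002", "purl": "pkg:pypi/example-http-client", "fixed_in": "4.0.3"},
]


def parse_version(v: str):
    """Dotted numeric version to a comparable tuple; non-numeric parts sort lowest."""
    return tuple(int(p) if p.isdigit() else -1 for p in v.split("."))


def load_components(sbom_json: str):
    return json.loads(sbom_json)["components"]


def purl_base(purl: str) -> str:
    """Strip the @version suffix so a purl can be matched against an advisory."""
    name_part = purl.rsplit("/", 1)[-1]
    return purl.rsplit("@", 1)[0] if "@" in name_part else purl


def incomplete_inventory(components):
    """Components the inventory cannot track: missing version or package URL."""
    return [c["name"] for c in components if not c.get("version") or not c.get("purl")]


def origin(component) -> str:
    """Assumed convention: an 'origin' property marks custom code; everything else is third-party."""
    for prop in component.get("properties", []):
        if prop.get("name") == "origin":
            return prop["value"]
    return "third-party"


def summarize_origins(components):
    counts = {}
    for c in components:
        counts[origin(c)] = counts.get(origin(c), 0) + 1
    return counts


def match_advisories(components, advisories):
    """(component, version, advisory id) for each component below the fixed version."""
    matches = []
    for c in components:
        if not c.get("version") or not c.get("purl"):
            continue  # reported separately by incomplete_inventory
        base = purl_base(c["purl"])
        for adv in advisories:
            if adv["purl"] == base and parse_version(c["version"]) < parse_version(adv["fixed_in"]):
                matches.append((c["name"], c["version"], adv["id"]))
    return matches


if __name__ == "__main__":
    comps = load_components(SBOM_JSON)
    print("untrackable:", incomplete_inventory(comps))
    print("origins:    ", summarize_origins(comps))
    print("affected:   ", match_advisories(comps, ADVISORIES))
```

The `incomplete_inventory` list is the finding most often missed: a component with no version cannot be matched against any advisory, so the inventory requirement is not met for it even though it appears in the SBOM.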
Along with the changes discussed above, the new PCI DSS standards require you to:
The PCI DSS standards reflect the need for stronger security measures, given the rapid acceleration of cyberattacks throughout the software supply chain. A multifaceted approach that includes enforcing strong passwords, implementing MFA for access to CDE, increasing barriers to malware, and better managing system accounts will strengthen your security posture.
Kiuwan’s security solutions can help you continuously monitor and manage compliance risks under PCI DSS 4.0. With real-time vulnerability detection, secure coding practices, and automated compliance monitoring, Kiuwan enables financial organizations to align with PCI DSS requirements. Reach out today to request a free demo.