On March 31, 2022, the Payment Card Industry Security Standards Council released version 4.0 of its Data Security Standard (PCI DSS 4.0). The new version—which brings major changes to the payments ecosystem—places an increased focus on targeted risk analysis, organizational maturity and governance. It also makes PCI DSS compliance a continuous effort, rather than an annual snapshot exercise, and introduces a customized approach to PCI assessments, enabling businesses to implement alternative technical and administrative controls that meet the customized approach objective.
Merchants, service providers, issuers, acquirers, and any other businesses that store, process, or transmit payment cardholder data should begin planning for PCI DSS 4.0. Implementing PCI DSS 4.0 will require structural changes that go beyond tweaking security controls. Businesses will also need to prepare for the increased legal risks of PCI DSS 4.0’s obligations. PCI assessments under version 4.0 will require more security documentation, risk analysis and affirmative statements than before, exposing the company’s security posture to greater scrutiny.
Because of the complexity of the new requirements and the time required to implement structural changes, companies should begin addressing and internally validating compliance in advance of an assessment by their qualified security assessor (QSA). Businesses should consider whether to involve legal counsel and other consultants (under privilege) in this assessment and other aspects of their transition to PCI DSS 4.0, including for purposes of encouraging full and open communication and consideration of risks and exposure.
WHAT’S NEW IN PCI DSS 4.0?
PCI DSS 4.0 is an extensive change to the previous version of PCI DSS; some of the significant changes are included below.
Increased Requirements for Yearly Diligence for Merchants and Service Providers
PCI DSS 4.0 increases the requirements for periodic diligence of merchants and service providers by adding several new controls. These include:
At least every 12 months and upon a significant change, document and confirm the PCI DSS scope of the in-scope environment (PCI DSS 12.5.2) with additional documentation requirements for service providers (PCI DSS 184.108.40.206-2);
Target risk analysis for any controls that use the customized approach at least every 12 months with written approvals by senior management (PCI DSS 13.3.2);
At least an annual risk analysis for any controls that have flexibility for the frequency of controls (PCI DSS 13.3.1, Best Practice until 2025);
At least an annual review of cipher suites and protocols (PCI DSS 12.3.3, Best Practice Until 2025); and
At least an annual review of hardware and software technologies in use with a plan to remediate outdated technologies approved by senior management (PCI DSS 12.3.4, Best Practice Until 2025).
These additional annual diligence requirements will take time and effort to establish. Additionally, merchants and service providers may want to experience building these new processes well in advance of having to rely on them for PCI DSS compliance through their report Report on Compliance (ROC) or Self-Assessment Questionnaire (SAQ) processes and QSA oversight. Starting sooner rather than later will be key to pragmatic results by allowing at least one practice cycle of these assessment prior to relying on them for PCI DSS compliance.
New Customized Approach
When merchants and service providers could not meet the prescriptive controls of PCI DSS 3.2.1, they would need to propose a compensating control and justify it with a risk assessment and a compensating control worksheet (CCW). In PCI DSS 4.0, this option still exists, but there is also a new option for a customized control approach. This customized approach still retains the requirement to evaluate risk, but it allows for a more strategic pathway to meet a control. Instead of compensating for the lack of a control, the customized approach allows the merchant or service provider to document a different control based on the objective of the control that is being customized. This customized control will then be assessed by the assessor in place of the control that is being substituted, allowing for a long-term customization rather than a shorter-term “compensating” control. (Note: Not all controls are eligible for the customized approach; notably, PCI DSS 3.3.1 prohibits storage of sensitive authentication data (SAD) after authorization.)
Expanded Risk Analysis Guidance
PCI DSS 4.0 has also provided expanded guidance on conducting risk analysis. Risk analysis has always been a part of PCI DSS, significantly used as part of the compensating control worksheet. In this new version, there is a Sample Targeted Risk Analysis Template (PCI DSS Appendix E2). While this is not required to be used, the template provides more information on how the PCI Security Council expects a risk analysis to be carried out.
Clarifications to “Significant Change” Standard
PCI DSS 4.0 has clarified some key PCI DSS concepts, including a more fulsome description of a “significant change” which was not specifically defined in prior versions in PCI DSS. While there is not an exact definition in this latest version, PCI DSS does provide descriptions and examples of what a significant change is (PCI DSS, 7 Description of Timeframes Used in PCI DSS Requirements). This is important because of the many interim changes, adaptations and updates (especially in the mobile payments industry) in the United States and in other countries (such as India).
WHEN DOES PCI DSS 4.0 TAKE EFFECT?
PCI DSS 4.0 will remain optional until March 31, 2024, when PCI DSS v. 3.2.1 will be retired. Assessments performed after that date must be under version 4.0. Companies will be able to opt-in to version 4.0 in the coming months once the self-assessment questionnaires and other supporting documents are released.
Several of the new requirements added for version 4.0 will not become mandatory until March 31, 2025. Until that date these requirements are considered “Best Practice” for entities that opt-in to version 4.0 early.
WHAT ARE THE LEGAL RISKS?
The increased focus on risk assessments in PCI DSS 4.0 means that entities are likely to disclose more information about their security program to QSAs than they would under version 3.2.1. Given that PCI security assessments are not conducted under privilege, businesses should be prepared for the assessment papers to be scrutinized in the wake of a security incident. This will be increasingly significant because the widespread adoption of chip transactions in the US has reduced the viability of card cloning, reportedly causing credit card fraudsters large and small to target card-not-present (CNP) transaction data and increase cyber risk to a wide variety of companies.
Statements made in risk analyses should be accurate, verifiable and consistent with other disclosures. Security documentation should reflect actual, provable and current practices. Customized controls should defensibly meet the defined customized approach objectives.
The transition to PCI DSS version 4.0 will prove challenging and time-consuming to many companies. Companies should begin their transition planning promptly. An initial step in the transition should be an assessment against the PCI DSS 4.0 standard to identify compliance gaps and opportunities to implement a customized approach. Engaging outside counsel to help oversee the conduct of the internal assessment or other aspects of transition planning can mitigate risk and contribute to a successful transition.