PCI DSS V4.0 release - move to security as a continuous process
Date published: 08 Apr 2022
What you need to know
As indicated in the implementation timeline, there will be a transition period during which both v3.2.1 and v4.0 are active, giving organizations time to validate against the new requirements. In March 2024 v3.2.1 will officially be retired, and by March 2025 the v4.0 requirements will be effective and considered as part of PCI DSS assessments. However, organizations are encouraged not to wait and to implement controls meeting these new requirements as soon as possible.
PCI have stated that they will release additional resources throughout the year to help organizations understand and comply with the new requirements.
[Source: PCI SSC]
PCI DSS v4.0 release – four main goals
1. Continuing to meet the payment industry’s security needs
The PCI DSS recognizes that security must evolve as new threats emerge. A number of new phishing and e-commerce requirements have been added to address this, and the password and authentication requirements have been updated.
2. Increased flexibility to allow the use of technology innovation
The new requirements allow organizations to take a customized approach to support their use of innovative methods in meeting security objectives. Allowances are also made for the use of shared and group accounts.
3. Enhanced validation and reporting options
This focuses on the alignment between compliance reports or self-assessments and the Attestation of Compliance.
4. Security as a continuous process
One of the most significant aspects of this new release is the recognition that security should be a continuous process. PCI are encouraging organizations to step away from time-based auditing and embrace continuous security assessments and reporting.
Moving towards a continuous approach will require organizations and their network security and compliance teams to re-develop their assessment processes and invest in security automation. Continuous validation is needed to identify network misconfigurations and vulnerabilities as they occur.
PCI DSS requirements apply to all system components included in, or connected to, the cardholder data environment. This environment comprises the people, processes and technologies that store, process, or transmit cardholder data or sensitive authentication data.
For network devices, sampling is not enough to get a complete picture of your network's security posture. Each device is managed through a complex configuration, and errors in that configuration represent critical security risks to the network, its data and its applications.
Visit our PCI DSS solutions page to find out more about automating the assessment of PCI DSS for compliance.