
Understanding the New PCI DSS v4.x Compliance Requirements

With the new deadlines approaching quickly, I wanted to do a deep dive into each of the changes that have already gone into effect and those that will go into effect on March 31, 2025. Over the next few weeks, I will break down each requirement into its own article.

The Payment Card Industry Data Security Standard (PCI DSS) is a critical set of security requirements for businesses that handle credit card transactions. With the recent PCI DSS version 4.x release, organizations must be aware of the significant changes and new compliance obligations.

The updated PCI DSS v4.x introduces 64 new technical and operational requirements distributed across the standard’s 12 principal requirement categories. Entities that store, process, or transmit cardholder data must comply with these new rules. Thirteen requirements must be met by March 31, 2024, and the remaining 51 become mandatory by March 31, 2025.

Here is an overview of some of the requirements already in effect.

Documenting Roles and Responsibilities

Ten of the 13 new requirements focus on documenting, assigning, and understanding the roles and responsibilities for implementing security controls. This includes defining who is responsible, accountable, consulted, and informed (a RACI matrix) for tasks like:

  • Maintaining a secure network and systems
  • Protecting account data (primary account numbers, cardholder data, sensitive authentication data)
  • Deploying a vulnerability management program
  • Implementing strong access control measures
  • Regularly monitoring and testing networks
  • Maintaining an information security policy

Effective April 1, 2024: 2.1.2, 3.1.2, 4.1.2, 5.1.2, 6.1.2, 7.1.2, 8.1.2, 9.1.2, 10.1.2, 11.1.2

Scope Verification and Risk Analysis

Another new requirement is to document and confirm the scope of the PCI DSS review at least once every 12 months. This involves verifying all locations and flows of account data and the system components that need to be protected.

Additionally, if an organization uses the “customized approach” (instead of the “defined approach”) to meet a PCI DSS requirement, it must perform a targeted risk analysis for each requirement met that way at least annually. This analysis must detail the security impact if the requirement is unmet and explain how the applied controls provide the necessary protection.

Support for Third-Party Service Providers

The last of the new 2024 requirements obliges third-party service providers (TPSPs), such as payment gateways, to support their customers’ requests for information about PCI DSS requirement responsibility and compliance status. This helps organizations pursuing PCI DSS compliance meet their own obligations to monitor third-party providers.

With the potential for significant fines and reputational damage due to non-compliance, businesses must promptly understand and address these new PCI DSS v4.0.1 requirements. By documenting roles and responsibilities, verifying the scope of their assessment, performing targeted risk analyses, and collaborating with third-party service providers, organizations can maintain PCI DSS compliance and safeguard their customers’ sensitive payment data.


Discover more from Chad M. Barr
