{"id":3341,"date":"2024-06-24T15:00:42","date_gmt":"2024-06-24T15:00:42","guid":{"rendered":"https:\/\/sectigostore.com\/blog\/?p=3341"},"modified":"2024-07-09T06:00:33","modified_gmt":"2024-07-09T06:00:33","slug":"what-to-know-about-pci-dss-4-0-and-4-0-1","status":"publish","type":"post","link":"https:\/\/sectigostore.com\/blog\/what-to-know-about-pci-dss-4-0-and-4-0-1\/","title":{"rendered":"What You Need to Know About PCI DSS 4.0 (and Version 4.0.1)"},"content":{"rendered":"\n

Is your organization ready to comply with the PCI DSS 4.0 requirements that will become effective in March 2025? Here’s what you need to know to integrate PCI DSS 4.0 (and revisions outlined in version 4.0.1) into your security framework and operations<\/h2>\n\n\n\n

The Payment Card Industry Data Security Standards<\/a> (PCI DSS) is a set of security fundamentals that helps organizations handling payment card information avoid falling prey to cybersecurity incidents and data breaches. It also ensures they pay the consequences when they do. In 2022, the Payment Card Industry Security Standards Council <\/a>(PCI SSC) published PCI DSS version 4.0\u2019<\/a>s first set of revised and new requirements<\/a>.<\/a><\/a><\/a><\/p>\n\n\n\n

<\/a>Many of these standards requirements <\/a>became effective on March 31, 2024 (with additional \u201cbest practices\u201d that will be mandatory by March 31, 2025). However, in June 2024, they published PCI DSS version 4.0.1, which revises specific requirements to provide clarification and guidance but provides \u201cno additional or deleted requirements\u201d to PCI DSS version 4.0. So, don\u2019t panic.<\/p>\n\n\n\n

Now, it’s time to start preparing for the next PCI DSS 4.0 requirements that\u2019ll kick into effect next year and ensure you\u2019re also taking into account the clarifying revisions published in version 4.0.1.  <\/p>\n\n\n\n

PCI DSS 4.0 Phase Two: Dozens of New Requirements to Be Implemented Before Q2 2025<\/h2>\n\n\n\n
\"A
Image caption: <\/em><\/a> The graphic shows the deadline for implementing the remaining PCD DSS 4.0 requirements (and when PCI DSS 4.0 will be replaced by v4.0.1).<\/em><\/figcaption><\/figure>\n\n\n\n

PCI DSS 4 introduced several fundamental changes<\/a> to tackle emerging threats and security issues brought about by new technological advancements since the 2018 release of the previous version, PCI DSS 3.2.1.<\/p>\n\n\n\n

PCI DSS version 4.0 includes in total 64 new requirements. With the first phase of 13 new requirements done and dusted, the next stage includes rolling out the remaining 51 new PCI DSS 4.0 requirements. Currently considered “best practices,” they\u2019ll come into force no later than March 31, 2025. (NOTE: Not all requirements may apply to you, as some are specific to service providers.)<\/p>\n\n\n\n

We get it, that’s a lot to digest. To help you, we’ve prepared an overview of these second-phase requirements and a few tips. It’ll enable you to better understand the new rules and how best to address them.<\/p>\n\n\n\n

Check the summary table and\/or go into the nitty-gritty sections below. (NOTE: We skipped listing the new requirements under Principal Requirements #1 and #2 since they went into effect when PCI DSS 4.0 rolled out).<\/p>\n\n\n\n

Changed PCI DSS Version 4.0 Requirements That Are \u201cBest Practices\u201d Until March 31, 2025<\/strong><\/td>PCI DSS 4 \u2014 Summary of Changes (New or Amended Requirements)<\/strong><\/td>Tips to Help You Comply with Some of These New Requirements<\/strong><\/td><\/tr>
Requirement 3: Protect Stored Account Data<\/td>These changes are related to the protection of sensitive authentication data<\/a> (SAD) and primary account numbers<\/a> (PANs) through encryption and cryptographic hashes.<\/td>Use strong cryptographic hash functions<\/a> and algorithms.Limit the usage of disk-level encryption.Ensure secure cryptographic key storage  <\/td><\/tr>
Requirement 4: Protect Cardholder Data with Strong Cryptography During Transmission Over Open, Public Networks<\/td>These new and amended requirements focus on cryptography-related roles and responsibilities, and certificate and key validity and inventory.<\/td>Use certificate management software such as Sectigo Certificate Manager<\/a> or D<\/a>igi<\/a>Cert <\/a>CertCentral<\/a> to verify the validity of your SSL\/TLS certificates.The same tools will help you keep an inventory of keys and certificates.<\/td><\/tr>
Requirement 5: Protect All Systems and Networks from Malicious Software<\/td>These new clauses emphasize the implementation of regular malware scanning and phishing<\/a> protection.<\/td>Review your components and implement supply chain security best practices<\/a>.Run daily malware scans using only trusted and well-known anti-virus\/malware tools such as SiteLock<\/a>.Train your users to recognize and avoid phishing scams and malware threats.<\/td><\/tr>
Requirement 6: Develop and Maintain Secure Systems and Software<\/td>New requirements focusing on software security and system threat prevention through automation and secure practices.<\/td>Create an S<\/a>BOM<\/a> to list all application\u2019s open source components, their licenses, versions, and patch status. Sign it with a trusted code signing certificate<\/a>.Invest in Website security checker tools<\/a> like SiteLock<\/a>. HackerGuardian<\/a> will even monitor your PCI DSS version 4 compliance.Shield your payment page scripts from cross-site script<\/a> (XSS) attacks following OWASP\u2019s suggestions<\/a>.<\/td><\/tr>
Requirement 7: Restrict Access to System Components and Cardholder Data by Business Need to Know<\/td>These new requirements address regulated access to systems and cardholder data.<\/td>Implement access control policies as described in the OWASP<\/a> Authorization cheat sheet<\/a>.Follow the principle of the least privilege<\/a> (POLP).Delete unused accounts.<\/td><\/tr>
Requirement 8: Identify Users and Authenticate Access to System Components  <\/td>These changes mandate additional measures to secure access and passwords.<\/td>Implement multifactor authentication<\/a> (MFA) wherever possible.Shield credentials from malicious snoopers and man-in-the-middle attacks<\/a> (MITM) with an SSL\/TLS certificate<\/a>.Never hardcode passwords.<\/td><\/tr>
Requirement 9: Restrict Physical Access to Cardholder Data<\/td>This single point highlights the importance of securing all physical points of interaction<\/a> (POI and access to cardholder data).<\/td>Inspect them regularly.Stay up to date with new threats. Check the NIST National Vulnerability Database<\/a> (NVD) and MITRE\u2019s <\/a>common vulnerabilities exposure (<\/a>CVE<\/a>) database.<\/td><\/tr>
Requirement 10: Log and Monitor All Access to System Components and Cardholder Data<\/td>These requirements encompass the actions that are required for effective log management and analysis.<\/td>Don\u2019t miss OWASP log implementation best practices<\/a>.     Automate log analysis and monitoring with the support of paid <\/a>or<\/a> open-source log analysis tool<\/a>s<\/a>.Encrypt your log using strong encryption algorithms<\/a>, apply strict access contro<\/a>l policies<\/a>, and review them often.<\/td><\/tr>
Requirement 11: Test Security of Systems and Networks Regularly<\/td>The newly added clauses emphasize the need for testing systems and networks to fix all vulnerabilities found and protect payment pages from unauthorized modifications.<\/td>Scan systems with SiteLock<\/a> Pro and Business.Schedule and run over 30,000 vulnerabilities and XSS attack tests with HackerGuardian<\/a>.Implement an alert system for HTTP headers of payment pages and content’s unauthorized modifications.<\/td><\/tr>
Requirement 12: Support Information Security with Organizational Policies and Programs<\/td>All changes related to this requirement are centered on security policies and programs, including those involving third-party service providers (TPSPs).<\/td>Inform your peers and employees.Set up ad hoc training sessions.Review and keep all information up to date. <\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n

PCI DSS 4.0 \u2014 Requirement 3: Protect Stored Account Data<\/h3>\n\n\n\n

According to BlackFog\u2019s latest report, 92% of ransomware attacks<\/a> analyzed in the first four months of 2024 were used to extract data. This PCI DSS version 4 section includes new requirements related to the protection of sensitive data at rest<\/a> (i.e., saved in a digital form). They all align perfectly with BlackFog’s findings.<\/p>\n\n\n\n

Specifically, these changes mandate enterprises to protect sensitive authentication data<\/a> (SAD) and primary account numbers<\/a> (PANs) through encryption<\/a> and cryptographic hashes<\/a>.<\/p>\n\n\n\n

To achieve compliance, you may want to:<\/p>\n\n\n\n