In Part 2 of our “Understanding PCI DSS v4.0” series, we will explore additional changes introduced in PCI DSS v4.0 as included in the “Evolving Requirement” section that analyzes changes needed to required business tasks that are related to remaining compliant with the PCI DSS.
PCI DSS v4.0 Key Changes – Part 2
- Payment Page Scripts – Entities will need to ensure the following when it comes to scripts on payment pages: a method must be established to ensure that each script is authorized, a method must be used to establish the integrity of each script, and a written inventory of the scripts used must be maintained along with written justifications as to why each is necessary.
- This requirement is a best practice until March 31, 2025.
- Semi-Annual Review of Accounts and Access Privileges – This requirement states that user accounts and related access privileges (including third-party or vendor accounts) must be reviewed at least once per six-month period to ensure accounts and access remain appropriate based on job function.
- This requirement is a best practice until March 31, 2025.
- Use of a Web Application Firewall for Ongoing Application Security – Periodic reviews will no longer be allowed when it comes to protecting public web applications. An automated technical solution must be deployed with the capability to “continually detect and prevent web-based attacks.”
- This requirement is a best practice until March 31, 2025.
- Password Length – Passwords must contain numeric and alphabetic characters and must be at least 12 characters long.
- This requirement is a best practice until March 31, 2025.
- Number of Allowed Failed Logon Attempts – The number of invalid authentication attempts before locking out a user has been increased from 6 to 10.
In our next article, we will discuss additional changes that have been implemented in PCI DSS v4.0.
Your Partner for PCI DSS
When it comes to changes to the PCI DSS, you need a team that has the training to guide you through the updated requirements and ensure compliance. If your organization is ready to test against PCI DSS v4.0, contact an Auditwerx QSA today.
