Now that we’ve taken a look at the broad strokes of the PCI DSS v4.0 changes, let’s take a deeper dive into the impact these changes might have on organizations like yours.
There are three categories of changes from v3.2.1 to v4.0: Clarification or Guidance, Structure or Format, and Evolving Requirement. We’ll be focusing on the Evolving Requirements section over the course of our article series, analyzing the updates to business-as-usual tasks related to maintaining compliance with PCI DSS.
PCI DSS v4.0 Key Changes – Part 1
- Customized Approach – The introduction of what the PCI Security Standards Council is calling the “Customized Approach” is the biggest change in PCI DSS v4.0. The Customized Approach allows organizations to define their own control instead of implementing the specific control prescribed by the DSS.
- An entity is able to define a control that is different from the prescribed control if the entity-defined control effectively mitigates the risk addressed in the requirement.
- While the Customized Approach will allow for some additional flexibility, there are additional responsibilities that come along with it. The assessed entity must: Build and Test the Control, Monitor the Effectiveness of the Control, Complete the associated Controls Matrix, and Complete a Targeted Risk Analysis (TRA) for each Customized Control.
- It is the opinion of Auditwerx QSAs that only entities with mature control environments and adequate resources to maintain the additional responsibilities should consider the Customized Approach.
- Assignment of Responsibilities – This mandate requires that all PCI-related responsibilities be formally assigned and documented in writing.
- This requirement is effective immediately for all v4.0 assessments.
- Encryption of SAD – If SAD (Sensitive Authentication Data, including track data, chip data, CVCs, etc.) is captured during the payment process, it may be stored by the assessed entity prior to authorization, but it cannot be retained after authorization unless the entity is a card issuer.
- Your assessor will need to “Examine data stores, system configurations, and/or vendor documentation to verify that all SAD that is stored electronically prior to completion of authorization is encrypted using strong cryptography.”
- This requirement is a best practice until March 31, 2025.
- PAN Encryption – With the new update, disk-level encryption alone is no longer sufficient for PCI compliance. According to Requirement 3.5.1.2 of DSS v4.0, if your organization uses disk encryption for non-removable media, PAN must also be rendered unreadable via another mechanism that meets Requirement 3.5.1.
- This requirement is a best practice until March 31, 2025.
- Keyed Hashing – Requirement 3.5.1.1 in DSS v4.0 specifies that “hashes used to render PAN unreadable (per the first bullet of Requirement 3.5.1) are keyed cryptographic hashes of the entire PAN, with associated key-management processes and procedures in accordance with Requirements 3.6 and 3.7.”
- This requirement is a best practice until March 31, 2025.
- Protect Personnel from Phishing Attacks – This requirement mandates that processes and automated mechanisms be in place to detect phishing attacks and protect personnel from them.
- This requirement is a best practice until March 31, 2025.
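As an added illustration of the Keyed Hashing requirement (3.5.1.1) above, the following example, written for this article and not code from Auditwerx or the PCI SSC, renders a PAN unreadable with HMAC-SHA256 over the entire PAN. The key-id prefix and the `keys` map are assumptions that show how a stored hash can be tied to a specific key so that rotation under Requirements 3.6 and 3.7 can be tracked.

```python
import hmac
import hashlib
from typing import Dict


def luhn_valid(pan: str) -> bool:
    """Luhn check so that only a well-formed PAN is ever hashed."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def normalize_pan(pan: str) -> str:
    """Strip spaces/dashes and validate length and Luhn digit."""
    cleaned = "".join(ch for ch in pan if ch.isdigit())
    if not 13 <= len(cleaned) <= 19 or not luhn_valid(cleaned):
        raise ValueError("input is not a well-formed PAN")
    return cleaned


def keyed_pan_hash(pan: str, key: bytes, key_id: str) -> str:
    """HMAC-SHA256 over the *entire* normalized PAN (not a truncated part),
    prefixed with the id of the key used so rotation can be tracked.
    A 256-bit minimum key length is an assumed local policy."""
    if len(key) < 32:
        raise ValueError("key must be at least 256 bits")
    mac = hmac.new(key, normalize_pan(pan).encode("ascii"), hashlib.sha256)
    return f"{key_id}${mac.hexdigest()}"


def pan_matches(pan: str, stored: str, keys: Dict[str, bytes]) -> bool:
    """Look up the key named in the stored value and compare in constant time."""
    key_id, _, _ = stored.partition("$")
    key = keys.get(key_id)
    if key is None:             # unknown or retired key: treat as no match
        return False
    return hmac.compare_digest(keyed_pan_hash(pan, key, key_id), stored)


if __name__ == "__main__":
    # Constructed sample: a well-known Luhn-valid test PAN and a fixed demo key.
    demo_keys = {"k1": b"\x11" * 32}
    stored = keyed_pan_hash("4111 1111 1111 1111", demo_keys["k1"], "k1")
    print(stored, pan_matches("4111111111111111", stored, demo_keys))
```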
In our next article, we will discuss additional changes that have been implemented in PCI DSS v4.0 with regard to the Evolving Requirements.
Auditwerx QSAs are fully trained and ready to offer PCI reporting utilizing the new v4.0 framework. While entities are not required to utilize v4.0 until after Q1 2024, any assessment that ends after March 31, 2024 must be performed and documented with PCI DSS v4.0.
Choose Auditwerx for PCI DSS
If your organization is subject to PCI assessment, it’s important to research what these changes mean to you. Consulting with an Auditwerx QSA will allow you to better understand how the new DSS will impact your organization specifically. If you’re ready to talk to a PCI QSA, contact Auditwerx today.