Key Takeaways
Strengthened Authentication: PCI DSS v4.0 increases the minimum required password length to 12 characters and, to improve user experience, expands the number of allowed failed logon attempts from 6 to 10 before locking the account (mandatory by March 31, 2025).
Continuous Web Application Security: The new standard eliminates periodic reviews for public web applications, mandating the deployment of an automated technical solution—such as a Web Application Firewall (WAF)—with the capability to continually detect and prevent web-based attacks (mandatory by March 31, 2025).
Enhanced Access Review and Script Management: Organizations must now perform a semi-annual review of all user accounts and access privileges (including third-party accounts). Furthermore, all scripts on payment pages require an inventory, written justification, and a method to ensure their integrity and authorization (mandatory by March 31, 2025).
PCI DSS v4.0 "Evolving Requirement" Section
In Part 2 of our “Understanding PCI DSS v4.0” series, we explore additional changes introduced in the “Evolving Requirement” section of PCI DSS v4.0, which covers the changes to ongoing business tasks that entities must make in order to remain compliant with the PCI DSS.
PCI DSS v4.0 Key Changes – Part 2
- Payment Page Scripts – Entities will need to ensure the following for scripts on payment pages: a method must be established to ensure that each script is authorized, a method must be used to establish the integrity of each script, and a written inventory of the scripts used must be maintained along with written justifications as to why each is necessary.
  - This requirement is a best practice until March 31, 2025.
- Semi-Annual Review of Accounts and Access Privileges – User accounts and related access privileges (including third-party or vendor accounts) must be reviewed at least once every six months to ensure that accounts and access remain appropriate for each person's job function.
  - This requirement is a best practice until March 31, 2025.
- Use of a Web Application Firewall for Ongoing Application Security – Periodic reviews will no longer be accepted as the method for protecting public-facing web applications. An automated technical solution must be deployed with the capability to “continually detect and prevent web-based attacks.”
  - This requirement is a best practice until March 31, 2025.
- Password Length – Passwords must contain both numeric and alphabetic characters and must be at least 12 characters long.
  - This requirement is a best practice until March 31, 2025.
- Number of Allowed Failed Logon Attempts – The number of invalid authentication attempts before locking out a user has been increased from 6 to 10.
In our next article, we will discuss additional changes that have been implemented in PCI DSS v4.0.
Your Partner for PCI DSS v4.0
When it comes to changes to the PCI DSS, you need a team that has the training to guide you through the updated requirements and ensure compliance. If your organization is ready to test against PCI DSS v4.0, contact an Auditwerx QSA today.
FAQs
What are the new technical requirements for passwords and failed logins in PCI DSS v4.0?
The standard now requires passwords to be a minimum of 12 characters long and contain both numeric and alphabetic characters. To balance security with usability, the maximum number of invalid authentication attempts before a user is locked out has been increased from 6 to 10. These requirements become mandatory by March 31, 2025.
How has the requirement for protecting public-facing web applications changed?
Previous versions allowed for periodic reviews, but v4.0 requires the deployment of an automated technical solution—like a Web Application Firewall (WAF)—to ensure continuous security. This solution must actively detect and prevent web-based attacks on an ongoing basis, as this is no longer a task suitable for periodic manual checks.
What new controls are required for managing external scripts on payment pages?
For all scripts used on payment pages, organizations must now establish a comprehensive system that includes three main components: 1) a written inventory of all scripts, 2) a written justification for why each script is necessary, and 3) a method to ensure that each script is authorized and that its integrity remains intact against tampering.
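The three components above (inventory, justification, and an authorization/integrity method) can be checked mechanically. The following is an added example, not code from Auditwerx or from the PCI Security Standards Council, that implements one way of doing so for both the "Payment Page Scripts" item in the list above and this FAQ answer: it parses the served payment page, compares every `<script>` tag against a written inventory, and verifies each script's content using a Subresource Integrity style SHA-384 digest. The inventory layout, the finding names, the file paths, the `cdn.example.invalid` host, and the script bodies are all constructed for the example; using SRI digests as the integrity method is an assumption, not something the standard prescribes.

```python
import base64
import hashlib
from html.parser import HTMLParser


def sri_hash(content: bytes, algo: str = "sha384") -> str:
    """Return a Subresource Integrity value ('sha384-<base64 digest>') for script bytes."""
    digest = hashlib.new(algo, content).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"


class ScriptCollector(HTMLParser):
    """Collect every <script> tag on a page: its src, its integrity attribute, any inline body."""

    def __init__(self) -> None:
        super().__init__()
        self.scripts: list[dict] = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            a = dict(attrs)
            self.scripts.append({"src": a.get("src"), "integrity": a.get("integrity"), "inline": ""})
            self._in_script = True

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        # html.parser delivers the raw body of a <script> element through handle_data
        if self._in_script and self.scripts:
            self.scripts[-1]["inline"] += data


def audit_payment_page(html: str, inventory: dict, fetched: dict) -> list[tuple[str, str]]:
    """Compare the scripts on a payment page against the written inventory.

    inventory maps a script src (or, for inline scripts, the SRI hash of the body) to
    {"justification": str, "sha384": str}. fetched maps each src to the bytes actually
    served for it, so a change at the origin or CDN is caught even when the tag is unchanged.
    Returns (finding, identifier) tuples; an empty list means the page matches the inventory.
    """
    findings: list[tuple[str, str]] = []
    collector = ScriptCollector()
    collector.feed(html)
    for s in collector.scripts:
        src = s["src"]
        if src is None:
            # Inline scripts carry no src; identify them by the hash of their body
            body_hash = sri_hash(s["inline"].strip().encode("utf-8"))
            if body_hash not in inventory:
                findings.append(("UNAUTHORIZED_INLINE", body_hash))
            continue
        entry = inventory.get(src)
        if entry is None:
            findings.append(("UNAUTHORIZED", src))          # authorization check
            continue
        if not s["integrity"]:
            findings.append(("NO_INTEGRITY_ATTR", src))     # browser cannot enforce integrity
        elif s["integrity"] != entry["sha384"]:
            findings.append(("INTEGRITY_ATTR_MISMATCH", src))
        served = fetched.get(src)
        if served is None:
            findings.append(("NOT_FETCHED", src))
        elif sri_hash(served) != entry["sha384"]:
            findings.append(("CONTENT_TAMPERED", src))      # integrity of what is actually served
    for key, entry in inventory.items():
        if not entry.get("justification"):
            findings.append(("NO_JUSTIFICATION", key))      # written justification check
    return findings


# --- constructed sample data (hypothetical scripts, paths and host; not real) ---
CHECKOUT_JS = b"window.checkout = { version: '1.0' };\n"
ANALYTICS_JS = b"console.log('analytics loaded');\n"
# What the CDN is serving differs from the inventoried version of checkout.js
TAMPERED_CHECKOUT_JS = CHECKOUT_JS + b"// unexpected appended content\n"

INVENTORY = {
    "/static/checkout.js": {
        "justification": "Tokenizes card fields for the payment processor",
        "sha384": sri_hash(CHECKOUT_JS),
    },
    "/static/analytics.js": {"justification": "", "sha384": sri_hash(ANALYTICS_JS)},
}

SAMPLE_HTML = f"""<html><body>
<script src="/static/checkout.js" integrity="{INVENTORY['/static/checkout.js']['sha384']}" crossorigin="anonymous"></script>
<script src="/static/analytics.js"></script>
<script src="https://cdn.example.invalid/chat-widget.js"></script>
<script>window.dataLayer = [];</script>
</body></html>"""

FETCHED = {"/static/checkout.js": TAMPERED_CHECKOUT_JS, "/static/analytics.js": ANALYTICS_JS}


def run_sample() -> list[tuple[str, str]]:
    """Audit the constructed sample page and return its findings."""
    return audit_payment_page(SAMPLE_HTML, INVENTORY, FETCHED)


if __name__ == "__main__":
    for finding, ident in run_sample():
        print(f"{finding:24} {ident}")
```

On the sample page this reports a tampered `checkout.js` (tag unchanged, served content changed), an inventoried `analytics.js` with no integrity attribute and no written justification, an unauthorized third-party script, and an unauthorized inline script. Running such a check on a schedule against the live page, rather than only at deployment time, is what makes the inventory a control rather than a document.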
What is the new requirement for reviewing user access privileges?
The compliance standard now mandates a formal semi-annual review of all user accounts and their associated access privileges. This includes all internal accounts, as well as accounts used by third parties or vendors, to ensure that access remains appropriate for current job functions and responsibilities.
