Understanding PCI DSS v4.0 – Change Summary – Part 3


Key Takeaways

  1. Mandatory MFA Expansion: PCI DSS v4.0 requires Multi-Factor Authentication (MFA) for all access to the Cardholder Data Environment (CDE), moving beyond previous requirements to significantly strengthen security posture (mandatory by March 31, 2025).
  2. Payment Page Protection: New requirements mandate the deployment of change detection mechanisms for consumer-facing payment pages to proactively detect and prevent malicious skimming and tampering attacks.
  3. New Remediation Status: The standard introduces the “In Place with Remediation” disposition, formally recognizing situations where a control failure during the compliance period was successfully fixed and implemented prior to the conclusion of the assessment.

How PCI DSS v4.0 Impacts Day-to-Day Business Practices

In the last part of our “Understanding PCI DSS v4.0” series, we’ll tackle the remaining changes in PCI DSS v4.0 that are likely to impact your day-to-day business practices.

Over the course of our article series, we’ve explored a number of changes brought about by PCI DSS v4.0. While not a completely comprehensive evaluation, our goal has been to create a reference that highlights how the switch to PCI DSS v4.0 might impact a typical service provider or merchant.


PCI DSS v4.0 Key Changes – Part 3

  •       Multifactor Authentication for All CDE Access – Multifactor authentication will now be required for all CDE access.

    o   This requirement is a best practice until March 31, 2025.

  •       Mandatory Automated Log Reviews – Your assessor will need to examine log review mechanisms and interview personnel in order to verify that automated mechanisms are being used to perform log reviews.

    o   This requirement is a best practice until March 31, 2025.

  •       Authenticated Internal Scans – The rules regarding internal vulnerability scans now specifically address authentication. Authenticated scanning must be performed as follows:

    o   Any systems that are unable to accept credentials for authenticated scanning must be documented.

    o   Sufficient privileges must be used for those systems that accept credentials for scanning.

    o   If the accounts used for authenticated scanning can also be used for interactive login, they must be managed according to requirement 8.2.2.

    o   This requirement is a best practice until March 31, 2025.

  •       Change Detection Mechanism Deployed for Payment Pages – According to the requirement, your organization will need to deploy a change-and-tamper detection mechanism that alerts on modifications to the HTTP headers and contents of payment pages as received by the consumer browser. This is meant to detect activity that may be part of a skimming attack.

    o   This requirement is a best practice until March 31, 2025.

  •       Allowance for In Place with Remediation – This is a new category added to the list of possible dispositions for each requirement. Receiving this disposition means that at some point during the PCI DSS assessment period the control failed validation testing but was remediated and put in place before the end of the assessment.

    o   In cases of In Place with Remediation, the assessor will need assurance that the entity has addressed the reason for the failed control, the implementation of the control, and the ongoing processes to prevent the re-occurrence of the control failure.


Partner with an Auditwerx QSA for PCI DSS v4.0

When it comes to changes to the PCI DSS, you aren’t on your own. An Auditwerx QSA can help you understand the specifics behind PCI DSS v4.0 and how it will impact your organization. Contact us today to start your PCI compliance journey.

FAQs

The requirement for Multi-Factor Authentication (MFA) across all access points to the Cardholder Data Environment (CDE) is a strong best practice now, but it will become officially mandatory on March 31, 2025.

To combat web skimming and other tampering attacks, the standard now requires organizations to deploy a change-and-tamper detection mechanism. This mechanism must monitor the integrity of the HTTP headers and contents of the payment pages as received by the consumer’s web browser, alerting for any unauthorized modifications.

PCI DSS v4.0 introduces a mandatory requirement for automated log reviews, verifying that mechanisms are in place to perform these reviews without relying solely on manual effort. Additionally, internal vulnerability scanning must now be performed as authenticated scans, requiring documented procedures for any systems that cannot support credentials.

The “In Place with Remediation” disposition is a new category that allows an assessor to acknowledge that a control failed verification testing at some point during the assessment period. However, the organization successfully addressed the root cause and fully implemented the control before the conclusion of the reporting period.

About the Author

Auditwerx Team
Tampa-based Auditwerx has provided over 3,500 security compliance reports to clients nationally and internationally since 2009, leveraging the specialized resources and experts of a top accounting firm for high-quality, personalized service. As a division of Carr, Riggs & Ingram Capital, LLC, Auditwerx offers clients the skills of a large firm—including CISSPs and CISAs—combined with the accessibility of a niche, boutique firm, dedicated to building long-term, transparent partnerships.
