The good news? PCI DSS 4.0 is out, but the adoption schedule for the new standard is quite generous. The better news? The PCI Security Council has decided to implement a tiered approach to adoption. The first will finalize when the previous version (3.2.1) is officially retired in 2024. The second, known as the “future dated” requirements, will have an additional year.
This article will cover the future-dated requirements from PCI DSS version 4.0.
What Are the PCI DSS Requirements?
One thing that hasn’t changed between version 3.2.1 and 4.0 is the core requirements of that standard. Both versions include the 12 requirements for security and privacy compliance.
These 12 requirements, as defined in the PCI DSS documentation, are as follows:
- Protect Your System with Firewalls: PCI DSS requires that any systems containing cardholder data have effective, updated perimeter protection in the form of a firewall. Your organization can implement either a hardware firewall (more robust and comprehensive) or a software firewall (flexible for mobile networks, easier to maintain).
- Don’t Use Vendor Defaults: If and when your organization uses third-party software or hardware, it’s necessary to update vendor configurations to meet modern business and security needs. This means changing out default passwords, installing patches, and modifying any default configurations that are known to serve as attack surfaces.
- Secure Cardholder Data: This means utilizing encryption to obfuscate personal information and primary account numbers (PANs) while it is at rest in servers and workstations.
- Secure Data on Public Networks: Your organization must secure PANs as they travel through public and internal networks. This includes using in-transit encryption like Transport Layer Security (TLS).
- Use Anti-Virus Software: Your infrastructure should have up-to-date antivirus (anti-malware) installed to catch and mitigate malware attacks. This is platform-agnostic, so you should have updated antivirus software regardless of whether you use Windows or Linux systems.
- Maintain Secure Systems and Applications: Regularly secure, update, and patch all system hardware, software, and firmware. This includes literally any piece of software included–browsers, firewalls, applications, database platforms, file sharing tools, etc. This also means having change controls to manage and guarantee system-wide upgrades or migrations to new technologies.
- Restrict System Access: Limit access to sensitive systems via strong and multifactor authentication (MFA). Utilize role-based access control (RBAC) to limit data contact with unauthorized users and follow the principle of least privilege to ensure that no one may access system resources outside their role.
- Use Unique Identification: All users should be identifiable with a unique ID number so that user activity and security events can be linked conclusively to that user account.
- Restrict Physical Access to Information: Data centers, workstations, removable media, and mobile devices should be protected from unauthorized access using measures like locks and keypads, security cameras, locked office complexes, ID badges, and physical visitor logging systems.
- Monitor System Events and Resources: PCI compliance companies must have continuous monitoring in place to log system security events, including user activities (authentication, access control, modifying files, etc.) or system breaches.
- Test Security Systems: Companies should undergo regular testing, either internally or through a third party. This includes running regular vulnerability scans and penetration tests.
- Maintain Security Policies for your Entire Organization: Security measures and compliance are useless without control over them and a way to communicate them. Keep clear, documented policies in place, accessible to all relevant parties, and provide continuing training related to those policies.
What Is a Future-Dated Requirement?
There have been changes to these requirements between 3.2.1 and 4.0, including changes targeting cloud environments, expanded authentication, and mobile devices.
Not all of these changes are created equal, however, and the PCI Security Council has determined that some of the more basic requirements can serve as the baseline for compliance before the retirement of 3.2.1, and other, more advanced requirements can be “future dated” to the first quarter of 2025.
What this means is that the future-dated requirements don’t need full implementation until this date. This doesn’t necessarily mean companies can altogether avoid implementation until the last minute. Rather, it’s understood that the initial push from 3.2.1 to 4.0 (scheduled to finish by March 2024) can serve as a foundation to complete the more advanced requirements. Until 2025, these advanced requirements will be considered “best practices.”
What New Requirements Are Future-Dated in PCI DSS 4.0?
So what, exactly, are these future-dated requirements? Many of them refer to more complex systems or practices that many businesses may not be familiar with.
Some of the future-dated requirements include:
- Extended At-Rest Encryption (Requirement 3): Previously, disk-level encryption (or encrypting entire hard drives of data with a single encryption key) will no longer be considered sufficient for this requirement, and systems will have to use file-level encryption or similar approaches.
- Expanded Inventories for Encryption Keys (Requirement 4): Additional security must be in place to protect the validity of security keys and certificates, and expired certificates cannot be used in any fashion for encryption and authentication.
- Ongoing System Evaluation (Requirement 5): All systems must be evaluated to determine vulnerability to malware, based on the company’s risk profiles.
- Removable Media Monitoring (Requirement 5): All removable media must be continuously monitored or scanned for malware, and have a log of that security in place before being considered secure for compliant use.
- Anti-Phishing Protection (Requirement 5): All compliant systems must include processes and automated methods of mitigating or eliminating phishing attacks. This can include Domain-based Message Authentication, Reporting and Conformance (DMARC), DomainKeys Identified Mail (DKIM), and Sender Policy Framework (SPF).
- Strengthened Security for Web Scripts and Applications (Requirement 6): Public-facing and internal web applications and systems must be protected by firewalls and assessed by automated security controls of a technical nature, while manual assessments of apps will be completely phased out.
- Ongoing User Account Review (Requirement 7): User accounts must be reviewed every six months to ascertain appropriate security, role, access, and event controls and (if necessary) refactor accounts to reflect privacy and role requirements.
- Heightened Password Security (Requirement 8): Passwords must be at least 12 characters in length and must be changed periodically. No password may be hard-coded into the system, and all access must be authenticated through MFA.
- Encryption (Requirement 12): Encryption algorithms must be reviewed annually to ensure they are sufficient for business operations. Your organization must stay abreast of modern encryption trends to stay up-to-date.
Prepare for PCI DSS 4.0 with Continuum GRC
These requirements are some, but not all, of the changes and future-dated updates coming down the pipeline in PCI DSS 4.0. Even now, enterprise companies and SMBs alike are looking to the future to stay secure and get ahead of their security requirements.
Continuum GRC is a platform that mixes a control- and risk-based approach to security so that our clients are prepared to meet regulatory challenges today and five years from now.
Continuum GRC is cloud-based, always available and plugged into our team of experts. We provide risk management and compliance support for every major regulation and compliance framework on the market, including:
- NIST 800-53
- FARS NIST 800-171
- SOC 1, SOC 2, SOC 3
- PCI DSS
- IRS 1075
- COSO SOX
- ISO 27000 Series
And more. We are also the only FedRAMP and StateRAMP authorized compliance and risk management solution in the world.
Continuum GRC is a proactive cyber security®, and the only FedRAMP and StateRAMP Authorized cybersecurity audit platform in the world. Call 1-888-896-6207 to discuss your organization’s cybersecurity needs and find out how we can help your organization protect its systems and ensure compliance.