
PCI DSS v4.0 is here. Are you ready?

The newest evolution of the PCI Data Security Standards (PCI DSS) is almost upon us.

After PCI DSS v4.0 was announced in Q1 2022, companies had two more years in which they could still use the old standard, PCI DSS v3.2.1. Once v3.2.1 is officially retired on March 31, organizations have just one year to become compliant with PCI DSS v4.0.

If you consider that a typical PCI Assessment can take 3-5 months, that isn’t a lot of time.

What changes with PCI DSS 4.0 for payment security?

New security requirements for changing threats

  • Expanded multi-factor authentication requirements
  • Updated password requirements
  • New e-commerce and phishing requirements
  • ASV scanning requirement changes impacting iFrame and redirect integration strategies

Continuous security for constant protection

  • Clearly assigned roles and responsibilities
  • Added guidance for security implementation and maintenance

Increased flexibility to meet security objectives while supporting innovation

  • Allowance of group, shared, and generic accounts
  • Targeted risk analysis to establish activity frequencies
  • New method: a customized approach to PCI DSS

Enhanced validation methods for increased transparency

  • Improved alignment between the ROC (Report on Compliance) and the SAQ (Self-Assessment Questionnaire)

Background

    PCI DSS 4.0 was shaped by insights from over 200 organizations and 6,000 suggestions, and tailored to meet the changing digital threats of modern payment ecosystems. Many changes reflect the payments industry’s increased focus on cloud migration, insider threats, and the surge in online commerce accelerated by the pandemic.

    Additionally, PCI DSS 4.0 is unique in offering the opportunity to achieve compliance through tailored customization that addresses and accommodates dynamic technologies and diverse implementations. While PCI DSS still mandates that an organization perform the expected due diligence, the new 4.0 standard is intended to let companies consider the “intent” of a PCI DSS objective and account for their unique infrastructure and risk exposure.

    This creates uncharted territory, with new questions and fewer precedents. PCI compliance assessments are always time-consuming and resource-intensive; these new requirements add an element of uncertainty to successful completion.

    Who does it apply to?

    Any organization that deals with credit or debit cardholder data.

    If your organization does any of the following with sensitive card data:

  • Stores it
  • Transmits it
  • Processes it

    then you are subject to PCI DSS 4.0 requirements.

    In other words, your cardholder data environment (CDE) is “in scope,” and you are subject to its guidelines.

    There are 4 Levels of PCI Compliance. What are my requirements?

    The PCI DSS payment security standards apply to anyone who works with and is exposed to payment data, cardholder information, and financial accounts. There are separate requirements for merchants and service providers. Service providers are defined as business entities that are not a payment brand but are directly involved in processing, storing, or transmitting cardholder data on behalf of another organization.

    For Merchants:

    LEVEL 1

    APPLICABLE IF YOU

    • Process >6M Visa or Mastercard, or >2.5M American Express transactions each year
    • Have experienced a data breach
    • Are identified as “Level 1” by a card network (such as Visa or Mastercard)

    REQUIREMENTS TO COMPLY

    • Onsite assessment as an annual Report on Compliance (ROC) by a Qualified Security Assessor (QSA), or by an internal auditor if signed by an officer of the company
    • Quarterly network scan by an Approved Scanning Vendor (ASV)
    • Attestation of Compliance (AOC) for onsite assessments

    LEVEL 2

    APPLICABLE IF YOU

    • Process 1-6M transactions each year

    REQUIREMENTS TO COMPLY

    • Annual PCI DSS Self-Assessment Questionnaire (SAQ)
    • Quarterly network scan by an Approved Scanning Vendor (ASV)
    • Attestation of Compliance (AOC), matching the SAQ type

    LEVEL 3

    APPLICABLE IF YOU

    • Process 20K-1M online transactions each year
    • Process <1M total transactions each year

    REQUIREMENTS TO COMPLY

    • Annual PCI DSS Self-Assessment Questionnaire (SAQ)
    • Quarterly network scan by an Approved Scanning Vendor (ASV)
    • Attestation of Compliance (AOC), matching the SAQ type

    LEVEL 4

    APPLICABLE IF YOU

    • Process <20K online transactions each year
    • Process <=1M total transactions each year

    REQUIREMENTS TO COMPLY

    • Annual PCI DSS Self-Assessment Questionnaire (SAQ)
    • Quarterly network scan by an Approved Scanning Vendor (ASV)
    • Attestation of Compliance (AOC), matching the SAQ type


    For Service Providers

    Service providers include companies that provide services that affect, or may affect, cardholder data security. Such services include managed service providers (managed firewalls, IDS/IPS, and other services) and hosting service providers.

    LEVEL 1

    APPLICABLE IF YOU

    • Are a service provider that stores, processes, or transmits >300K transactions per year (>2.5M for American Express)

    Also applicable to:

    • All Third Party Processors (TPPs)
    • All Staged Digital Wallet Operators (SDWOs)
    • All Digital Activity Service Providers (DASPs)
    • All Token Service Providers (TSPs)
    • All 3-D Secure Service Providers (3-DSSPs)
    • All AML/Sanctions Service Providers
    • All Installment Service Providers (ISPs)
    • All Merchant Payment Gateways (MPGs)
    • All Data Storage Entities (DSEs) and Payment Facilitators (PFs) with more than 300K total annual transactions

    REQUIREMENTS TO COMPLY

    • Annual PCI assessment resulting in a Report on Compliance (ROC) completed by a Qualified Security Assessor (QSA)
    • Quarterly network scans performed by an Approved Scanning Vendor (ASV)
    • Annual penetration test
    • Quarterly local network vulnerability scans
    • Declaration of conformity with an Attestation of Compliance (AOC)

    LEVEL 2

    APPLICABLE IF YOU

    • Are a service provider with <300K transactions per year (<2.5M for American Express)
    • Are a DSE or PF with 300,000 or fewer total combined Mastercard and Maestro transactions annually

    Also applicable to:

    • All Terminal Servicers (TSs)

    REQUIREMENTS TO COMPLY

    • Annual Self-Assessment Questionnaire (SAQ D)
    • Quarterly network scans performed by an Approved Scanning Vendor (ASV)
    • Annual penetration test
    • Quarterly local network vulnerability scans
    • Declaration of conformity with an Attestation of Compliance (AOC)

    How can FLAGSHIP help me meet my PCI DSS Compliance needs?

    A typical PCI assessment covers a spectrum of needs across 12 requirements. We have simplified these, and we have solutions to match the needs across all of the requirements.

    TYPICAL PCI DSS V4.0 SCOPE — FLAGSHIP SOLUTION

    1. Scope: Identify all payment channels and methods for accepting CHD, from the point where the CHD is received through to the point of destruction, disposal, or transfer.
       FLAGSHIP solution: Configure all routes for aliasing/revealing inbound/outbound sensitive data.

    2. Scope: Document all CHD flows, and identify the people, processes, and technologies involved in storing, processing, and/or transmitting CHD. These people, processes, and technologies are all part of the CDE.
       FLAGSHIP solution: Configure access and assign roles and limits to all FLAGSHIP Dashboard users with access to make any changes to the SAD (Sensitive Authentication Data) flow.

    3. Scope: Identify all processes (both business and technical), system components, and personnel with the ability to interact with or influence the CDE. These people, processes, and technologies are all in scope, as they have connectivity to the CDE or could otherwise impact the security of CHD.
       FLAGSHIP solution: Minimize the scope and the system components that directly interact with SAD. FLAGSHIP essentially becomes the CDE.

    4. Scope: Implement controls to limit connectivity between the CDE and other in-scope systems to only what is necessary.
       FLAGSHIP solution: Provide granular support to enforce connectivity limitations.

    5. Scope: Implement controls to segment the CDE from people, processes, and technologies that do not need to interact with or influence the CDE. Implement all applicable PCI DSS requirements.
       FLAGSHIP solution: Configure access and assign roles and limits to all FLAGSHIP Dashboard users with access to make any changes to the SAD (Sensitive Authentication Data) flow. FLAGSHIP offers MFA-capable authentication or leverages your organization's enterprise IdP.

    6. Scope: Identify and implement PCI DSS requirements as applicable to the in-scope system components, processes, and personnel. Maintain and monitor.
       FLAGSHIP solution: Provide expert guidance on all the controls that need to be enforced by the customer internally.

    7. Scope: Implement processes to ensure PCI DSS controls remain effective day after day.
       FLAGSHIP solution: Provide granular support to make any additional updates to an existing SAD flow while maintaining an annual level of compliance.

    8. Scope: Ensure the people, processes, and technologies included in scope are accurately identified when changes are made.
       FLAGSHIP solution: Configure access and assign roles and limits to all FLAGSHIP Dashboard users with access to make any changes to the SAD (Sensitive Authentication Data) flow.

    While people who participate in storing, processing, or transmitting cardholder data are part of the CDE, when implementing segmentation for PCI DSS scoping these people do not have to be segmented or isolated from people who are outside the CDE.

    This is because the processes and technologies put in place to implement and maintain the segmentation also ensure that people in the CDE are the only ones with the requisite access.

    What are my next steps?

    • Understand your organization’s scope and team priorities to see whether you have the time and resources needed to do this in-house by your annual assessment deadline.
    • Plan out the most efficient way to meet the PCI DSS 4.0 requirements now and every quarter going forward.
    • Contact us to see how we can help with your PCI compliance needs and prepare you for v4.0.

    PCI DSS 4.0 can feel daunting, but it doesn’t have to be. FLAGSHIP’s solutions securely store payment data, enabling organizations to descope their environments and fortify their security posture. We ensure that customers are confidently and constantly on top of changing PCI DSS requirements, including 4.0. Plus, we can recommend QSAs or work with your existing QSA to ensure a successful PCI audit that protects your data according to the latest regulations.
