The Payment Card Industry Data Security Standard (PCI DSS), which underwent a major update to version 4.0 in March 2022, has recently been revised again.
On 11 June 2024, the Payment Card Industry Security Standards Council (PCI SSC) released a limited revision to the PCI Data Security Standard (PCI DSS), updating it to version 4.0.1.
This update is primarily aimed at correcting formatting and typographical errors and clarifying the focus and intent of some of the requirements and guidance. Importantly, this revision does not introduce any new requirements or remove existing ones. It still matters, though, to every organisation that stores, processes or transmits cardholder data or sensitive authentication data, or that can affect the security of that data, because once v4.0 is retired assessments will be carried out against the v4.0.1 wording.
PCI DSS v4.0.1 is a limited revision to the previous version 4.0, released in March 2022. This update addresses stakeholder feedback and questions received since the release of v4.0, emphasising the continuous effort to enhance payment account data security and promote the broad adoption of consistent data security measures globally.
PCI SSC involved a broad range of stakeholders in the review process. From December 2023 through January 2024, feedback was gathered from the PCI SSC Board of Advisors, the Global Executive Assessor Roundtable (GEAR), and Principal Participating Organisations, who provided insights and suggestions during a Request for Comments (RFC) period.
Risk Associates is a proud member of the PCI GEAR. This collaborative approach helped refine the changes and ensure they support the industry’s adoption of PCI DSS v4.0.
Unlike major updates, PCI DSS v4.0.1 does not add or remove any requirements. Instead, it focuses on:
Improved wording, definitions, and additional guidance to increase understanding and provide further information on specific topics. This includes rephrasing sections to better articulate the intent behind requirements, so that organisations and assessors interpret them consistently.
Corrections to formatting errors and typographical mistakes, as well as reorganising content for better alignment. This ensures the document is clear, professional, and easier to navigate.
Here’s a closer look at the key dates and supporting documents that accompany PCI DSS v4.0.1:
To provide organisations ample time to adopt the latest version, PCI DSS v4.0 will remain active until 31 December 2024. After this date, v4.0 will be retired, making v4.0.1 the only active version.
The PCI DSS v4.0.1 Report on Compliance (ROC) Template, Attestations of Compliance (AOCs), and Self-Assessment Questionnaires (SAQs) are scheduled for publication in Q3 2024. These will be followed by updated PCI DSS supporting documents, such as the Prioritised Approach tool.
The update to PCI DSS v4.0.1 aims to enhance clarity and ensure smooth adoption of the standard. Organisations are encouraged to review the Summary of Changes against their existing v4.0 controls and to stay informed about the upcoming supporting documents. Note that the future-dated requirements introduced in v4.0 keep their original timeline: they remain best practice until 31 March 2025 and are mandatory after that date, and v4.0.1 does not change this. Understanding and implementing PCI DSS v4.0.1 will help your organisation remain compliant and continue to protect cardholder data effectively.
As a Qualified Security Assessor (QSA), Risk Associates offers thorough assessments and certifications that help organisations stay compliant with the latest version of the standard.