Guides: PCI DSS V4

PCI DSS v4: What’s New and the 12 Requirements Explained

What Is PCI DSS v4.0?

PCI DSS (Payment Card Industry Data Security Standard) v4.0 is the latest update to the security standards established to protect cardholder data and ensure secure payment processing environments. Adopting PCI DSS v4.0 is mandatory for companies to sustain secure transaction protocols and process digital payments across platforms.

This version, released in 2022, serves as a framework of security guidelines organizations must adhere to when handling card transactions. It builds upon previous iterations by integrating more flexible security approaches, better aligning with modern technologies and security threats.

This is part of a series of articles about PCI compliance.

In this article:

Why Was PCI DSS Updated?

The update to PCI DSS v4.0 was intended to address the rapid evolution of the digital payment landscape. As cyber threats become increasingly sophisticated, the Payment Card Industry Security Standards Council (PCI SSC) sought to improve security measures, protecting consumers and organizations from potential breaches.

Another reason for updating PCI DSS was to incorporate feedback from industry stakeholders, including banks, merchants, and service providers. By considering the challenges faced by these entities, PCI SSC ensures the standards remain relevant and practical in addressing new security challenges.

Additionally, the update aids organizations in aligning their security practices with business processes, encouraging the adoption of emerging technologies without compromising cardholder data security.

Key Differences Between PCI DSS v3.2.1 and v4.0

New Validation Options

PCI DSS v4.0 introduces the option for organizations to choose between the traditional validation approach and a newly introduced customized approach. The traditional method involves adhering to prescriptive requirements, but the customized approach allows organizations to meet security objectives through tailor-made controls suited to their unique operations.

The customized approach requires organizations to document each control, perform targeted risk analyses, test control effectiveness, and provide detailed evidence of implementation. This evidence must be reviewed by assessors to verify compliance. By enabling more dynamic control design, this option supports innovation and the adoption of emerging technologies.

However, entities opting for this approach must engage Qualified Security Assessors (QSAs) or Internal Security Assessors (ISAs) to evaluate their controls and document findings in compliance reports.

Enhanced Security Requirements

PCI DSS v4.0 sets improved security requirements aimed at strengthening data protection mechanisms. Key updates include stronger encryption methods, stricter password policies, and improved authentication procedures, designed to counteract the advanced tactics used by cybercriminals.

By introducing improved security requirements, organizations are encouraged to adopt a proactive security mindset. The new requirements include regular risk assessments and the incorporation of up-to-date threat intelligence, ensuring systems adapt to evolving cyber threats.

Expanded Requirement Scope

The expanded requirement scope in PCI DSS v4.0 reflects its commitment to broader security measures for a wider range of technologies and payment methods. By acknowledging the increasing reliance on cloud services and mobile solutions, the updated standard caters to environments beyond traditional point-of-sale systems.

As workloads shift to containers and Kubernetes, applying strong container security practices is essential for keeping cardholder data environments within PCI DSS v4.0 scope.

Organizations running workloads on Amazon Web Services should review the shared responsibility model when planning AWS PCI compliance efforts.

The updated scope also covers new areas like securing third-party services and APIs, which are increasingly utilized in modern payment infrastructures. By expanding its coverage, PCI DSS v4.0 ensures that all facets of data handling meet stringent security standards.

Teams hosting cardholder data on Microsoft Azure can consult dedicated guidance on Azure PCI compliance to map the relevant requirements to Azure-native services.

Tips from the Expert

In my experience, here are tips that can help an organization better adapt to PCI DSS v4.0:

  1. Implement dynamic segmentation for cloud environments:

    Use software-defined networking (SDN) to segment cardholder data environments (CDEs) dynamically in the cloud. This ensures that sensitive data flows are isolated while allowing for scalability and adaptability to meet compliance without overcomplicating configurations.

  2. Adopt a zero-trust architecture beyond compliance:

    PCI DSS encourages strong access controls, but embedding a zero-trust framework ensures that every transaction, access request, or communication is verified—even within internal networks. This minimizes lateral movement in case of a breach.

  3. Leverage continuous compliance monitoring tools:

    Implement real-time compliance monitoring platforms to continuously validate security controls, alert for drift from baselines, and automate reporting. This reduces audit fatigue and ensures proactive compliance with PCI DSS.

  4. Automate evidence collection for audits:

    Use tools to collect and organize evidence (logs, firewall configurations, access reviews) automatically for PCI DSS audits. This saves time, ensures accuracy, and allows organizations to focus on remediation rather than documentation.

  5. Integrate threat intelligence with vulnerability management:

    Go beyond static vulnerability scanning by incorporating real-time threat intelligence. This enables prioritization of patches and remediation for vulnerabilities actively exploited in the wild.

Profile Picture

Peter Kelly

VP of Engineering

Peter Kelly is Chief Technology Officer at Tigera and Site Leader for Tigera's EMEA office in Cork, Ireland. He is responsible for all of Tigera’s Engineering teams and operations. Peter has two decades of experience in software development, including recently building control plane technology for open-source proxies at NGINX and later F5 Networks, where he held engineering leadership positions. Peter has a degree in Computer Science and a Masters in Advanced Software Engineering.

Additional Updates in PCI DSS v4.1

PCI DSS v4.0.1, released on June 11, 2024, is a refinement of the Payment Card Industry Data Security Standard (PCI DSS) v4.0. This update does not introduce new requirements or remove existing ones but instead provides clarifications and corrections to improve the implementation and understanding of the standards. The revisions aim to make it easier for organizations to align their compliance efforts with the intent of the requirements.

Key updates in PCI DSS v4.0.1 include:

  • Purpose clarifications: A new purpose section has been added to explain the intent behind requirements. This addition reduces ambiguity, helping organizations better interpret the requirements and implement appropriate controls.
  • Sensitive data storage improvements: Requirement 3 emphasizes the secure handling of sensitive authentication data (SAD) by mandating a clear business justification for storing such data. Applicability notes have also been added to outline storage conditions, ensuring that sensitive data is only retained temporarily and in non-persistent memory.
  • Improved data and certificate management: Updates in Requirement 4 address data transmission and storage, removing references to self-signed certificates and revising guidance for unsolicited cardholder data received through certain channels. Enhanced best practices for end-user technology management have also been introduced to strengthen secure data transmission practices.
  • Simplified vulnerability management and third-party oversight: Requirement 6 now specifies that only critical vulnerabilities require updates within 30 days, ensuring focused and efficient security patching. New guidelines clarify the roles of merchants and third-party service providers (TPSPs) concerning payment page scripts. TPSPs are responsible for scripts running in iframes, while merchants oversee scripts running on their own pages.
  • Authentication and access control updates: Requirement 8 incorporates revisions to support phishing-resistant multi-factor authentication (MFA) and redefines terms such as “account” to “ID” for clarity. It also introduces protections against replay attacks and emphasizes MFA as a best practice for administrative access outside the cardholder data environment (CDE).
  • Enhanced physical security and log monitoring: Revisions in physical security requirements, such as visitor log tracking, ensure appropriate controls in sensitive areas. Log monitoring updates emphasize establishing baselines for audit activity and managing log data to detect potential threats.

Detailed Overview of PCI DSS v4.0 Requirements

Requirement 1: Install and Maintain Network Security Controls

Requirement 1 of PCI DSS v4.0 focuses on installing and maintaining network security controls. This involves establishing a solid foundation where firewalls and intrusion detection systems protect data flowing within and outside the network. The goal is to restrict unauthorized traffic and secure pathways for cardholder data, ensuring a fortified network security posture.

Organizations must also conduct regular monitoring and assessments of their network security configurations. By continually reviewing firewall rules and network controls, organizations can mitigate potential vulnerabilities and loopholes that may be exploited by malicious actors.

Requirement 2: Apply Secure Configurations to All System Components

Applying secure configurations to all system components is the essence of Requirement 2. It requires organizations to establish baseline security settings across all hardware and software used in processing and storing cardholder data. Consistently adhering to vetted security configurations helps in preventing unauthorized access and system compromise.

Standardized configurations also enable simplified maintenance and auditing processes. By deploying controlled configurations, organizations can quickly identify deviations and potential security gaps, addressing them before they escalate into severe breaches.

Requirement 3: Protect Stored Account Data

Requirement 3 mandates the protection of stored account data, emphasizing data encryption and secure storage practices. Organizations must ensure that sensitive information is rendered unreadable to unauthorized parties by using advanced encryption techniques, protecting against potential data breaches.

Ensuring secure key management alongside encryption is critical for maintaining data protection. Effective key management requires policies for key generation, distribution, and destruction, mitigating risks of exposure through compromised keys.

Requirement 4: Encrypt Transmission of Cardholder Data Across Open Networks

Encrypting the transmission of cardholder data across open, public networks is the basis of Requirement 4. Secure transmission protocols such as TLS and SSL must be used to protect sensitive information during transit. This prevents interception by malicious actors, ensuring safe data exchange between entities in the transaction process.

Regular updates to encryption protocols are necessary to counteract evolving decryption methods. Organizations must stay vigilant of potential vulnerabilities and update their systems proactively.

Requirement 5: Protect Systems from Malicious Software

Under Requirement 5, organizations must protect their systems from malicious software. This involves deploying anti-malware solutions and keeping them up-to-date to detect and neutralize threats. Regular scans and real-time monitoring ensure that systems remain free from harmful software that can jeopardize payment security.

Employee awareness also aids in combating malware. Training programs focusing on safe browsing practices and email vigilance can reduce the risk of malware infiltration through human errors.

Requirement 6: Develop and Maintain Secure Systems and Applications

Requirement 6 dictates the development and maintenance of secure systems and applications. Organizations must use secure coding practices and conduct regular vulnerability scanning to prevent exploitation. Regular patch management ensures that all systems are fortified against known vulnerabilities, maintaining security in line with PCI DSS v4.0.

Secure software development life cycles (SDLCs) are essential, integrating security checks throughout the process. By embedding security at every developmental stage, organizations reduce the likelihood of deploying compromised applications.

Requirement 7: Restrict Access to Cardholder Data by Business Need to Know

Organizations must implement stringent access controls to ensure that only personnel with legitimate reasons can access sensitive data. This minimizes potential exposure to unauthorized users, reducing the risk of internal data breaches.

Access controls should be reviewed regularly to ensure compliance with PCI DSS v4.0. By maintaining an accurate database of user access levels, organizations can monitor and track access changes, ensuring consistent alignment with security protocols.

Requirement 8: Identify and Authenticate Access to System Components

Requirement 8 emphasizes identifying and authenticating access to system components. Implementing strong identity verification and authentication processes is essential in preventing unauthorized system access. Multi-factor authentication (MFA) makes it harder for unauthorized individuals to breach system defenses.

Maintaining accurate logs of access attempts is another crucial aspect of Requirement 8. By documenting and analyzing access patterns, organizations can identify potentially suspicious activity and respond promptly.

Requirement 9: Restrict Physical Access to Cardholder Data

Requirement 9 stipulates the restriction of physical access to environments containing cardholder data. Organizations must implement physical security controls such as surveillance cameras, access cards, and secure entry protocols to limit unauthorized personnel access. These measures aid in preventing data theft and unauthorized physical handling of sensitive information.

Routine physical security reviews and audits help maintain compliance with PCI DSS v4.0. By assessing access controls and environmental security measures, organizations can identify and rectify potential vulnerabilities.

Requirement 10: Log and Monitor All Access to System Components and Cardholder Data

Requirement 10 focuses on logging and monitoring all access to system components and cardholder data. Organizations must implement logging mechanisms to track access attempts and identify unauthorized activities. Comprehensive monitoring enables the timely detection of security incidents, allowing for prompt responses to potential threats.

Regular audits and reviews of logs help organizations maintain PCI DSS v4.0 compliance. By analyzing access patterns and identifying anomalies, organizations can implement corrective actions to bolster security.

Requirement 11: Regularly Test Security Systems and Processes

The gist of Requirement 11 is regular testing of security systems and processes. Organizations must conduct periodic vulnerability testing and penetration assessments to identify potential weaknesses in their security posture. This proactive approach helps in addressing vulnerabilities before they are exploited.

Ongoing security testing not only ensures compliance with PCI DSS v4.0 but also improves overall resilience against advanced threats. By systematically evaluating their defenses, organizations can implement necessary improvements.

Requirement 12: Support Information Security with Organizational Policies and Programs

Requirement 12 includes developing security policies that guide everyday operations and decision-making processes. Effective policies set clear expectations for behavior and accountability concerning data protection practices.

By instilling a culture of security, organizations align their workforce with PCI DSS v4.0 requirements. Regular training sessions, awareness programs, and policy updates ensure all personnel remain informed and committed to maintaining security standards.

PCI Compliance for Cloud Native Environments with Calico

Calico supports major compliance standards including PCI DSS, HIPAA, GDPR, SOC 2, CCPA, and any custom frameworks. Calico Cloud provides Kubernetes users with the following features to address compliance requirements:

  • Continuous compliance – Monitor and log changes to security policies based on your organization’s time-based requirements. Maintain your security posture to meet compliance requirements.
  • Compliance reports – Define customer compliance reports and run reports on demand to provide proof of compliance.
  • Policy implementation – Create policies that are Kubernetes-native and based on metadata and labels instead of IP addresses.
  • CIS Benchmark reports – Get out-of-the-box CIS benchmark compliance reports. Use the GlobalReport resource to schedule reports and set compliance thresholds.

Next steps:

X