PCI DSS 3.2 vs. 4.0—Understanding the Difference and How to Prepare for the Updated Version
Published 01/22/2024
Originally published by BARR Advisory.
Written by Kyle Cohlmia.
The 2023 Verizon Payment Security Report (PSR) found that fewer than half of organizations are able to maintain sustainable control environments. According to the PSR, this statistic demonstrates that too many organizations don’t have the knowledge or expertise to measure the strength of their Payment Card Industry Data Security Standard (PCI DSS) programs effectively.
PCI DSS is a framework that serves as a baseline protection for consumers, helping to reduce fraud and data breaches throughout the entire payment process. In 2022, the framework released PCI DSS 4.0—updated from the previous version, PCI DSS 3.2. The main goal of PCI DSS 4.0 is to evolve and adapt the standard to meet the changing needs of the payment card industry.
Version 4.0 was created by gathering feedback from over 200 organizations. The input from these organizations included the following themes:
- Ensuring the standard continues to meet the security needs of the payments industry;
- Promoting security as a continuous process;
- Enhancing validation methods and procedures; and,
- Adding flexibility and support of additional methodologies to achieve security.
Let’s take a look at PCI DSS 4.0 and how the updated version can help your organization maintain a sustainable control environment and strengthen your security program.
Comparing PCI DSS 3.2 with 4.0—What’s Changed?
While the 12 primary PCI DSS requirements from the 3.2 version will continue to be the core foundation for securing cardholder data under the PCI DSS framework, these requirements have been updated, restructured, and new requirements have been added to offer guidance on how security controls should be used. Major changes to the requirements include:
- Additional authentication controls, including strict multi-factor authentication (MFA) requirements when accessing the cardholder data environment;
- Updated password requirements, including increasing password length requirements from eight to 12 characters;
- Changing requirements around shared, group, and generic accounts;
- Clearly defined roles and responsibilities needed for each requirement; and,
- New requirements to prevent and detect ongoing threats against the payment industry, including phishing, e-commerce, and e-skimming attacks.
Other significant changes from PCI DSS 3.2 to 4.0 include the following:
Focus on Security Outcomes
- PCI DSS 3.2: Primarily focuses on prescriptive security controls, offering detailed instructions on what organizations should do to remain compliant.
- PCI DSS 4.0: Emphasizes security outcomes, allowing businesses more flexibility in choosing the best security approaches for their environment.
Stronger Authentication Methods
- PCI DSS 3.2: Introduces MFA for personnel with non-console administrative access and all remote access to the cardholder data environment.
- PCI DSS 4.0: Expands on MFA by reinforcing the importance of secure authentication and recognizing the evolving landscape of authentication methods.
Continuous Security
- PCI DSS 3.2: Compliance is viewed from a point-in-time assessment.
- PCI DSS 4.0: Encourages continuous security and monitoring, highlighting that compliance is an ongoing process, not just an annual audit.
Additional Clarity on Encrypted Data
- PCI DSS 3.2: Addresses encrypted cardholder data but provides limited guidance on its management when the decryption keys are held separately.
- PCI DSS 4.0: Offers more precise guidance on managing encrypted data, emphasizing the importance of protecting it even if decryption capabilities are out of reach.
Greater Vendor Responsibility
- PCI DSS 3.2: Outlines requirements for service provider responsibilities.
- PCI DSS 4.0: Extends service provider responsibilities, encouraging vendors to maintain a documented description of cryptographic architecture and increasing oversight on change management processes.
Enhanced Focus on Cryptographic Architecture
- PCI DSS 3.2: Organizations must keep a list of weak or unacceptable cryptographic algorithms.
- PCI DSS 4.0: Urges organizations to maintain a documented description of the cryptographic architecture, offering a broader perspective on encryption, decryption, and key management processes.
Customized Implementation for PCI DSS 4.0
Another significant change to PCI DSS is the implementation of a new, customized method for meeting requirements. This customized approach to PCI DSS provides organizations with the flexibility to meet the security objective requirements using new technology and innovative controls.
This change encourages organizations to adjust their implementation process in a way that fits their unique control environment. During a PCI DSS engagement, a third-party assessor will validate that the customized controls meet the PCI DSS requirements by reviewing an organization’s unique documented approach and developing a procedure for validating the controls.
Transitioning to PCI DSS 4.0
Until March 31, 2024, PCI DSS 3.2 will remain active, and additional requirements will be considered best practice until March 31, 2025—meaning there’s still time to transition to the 4.0 version.
Organizations are not required to validate these new requirements. However, if your organization has implemented controls to meet PCI DSS 4.0, you’re encouraged to have them assessed as soon as possible.
We encourage you to review the changes in the official PCI DSS 4.0 document from the PCI Security Standards Council (SSC) to fully understand the changes and what steps you need to take to be prepared for and implement version 4.0.
Related Articles:
Modern Day Vendor Security Compliance Begins with the STAR Registry
Published: 12/20/2024
Texas Attorney General’s Landmark Victory Against Google
Published: 12/20/2024
Winning at Regulatory Roulette: Innovations Shaping the Future of GRC
Published: 12/19/2024
The EU AI Act and SMB Compliance
Published: 12/18/2024