Search
Close this search box.

What’s new in the PCI DSS v4.0?

There were many changes incorporated into the latest version of the Standard. Below are examples of some of those changes. For a comprehensive view, please refer to the Summary of Changes from PCI DSS v3.2.1 to v4.0, found in the PCI SSC Document Library.

Some of the goals of these changes include:

Continue to meet the security needs of the payments industry.

Why it is important: Security practices must evolve as threats change.

Examples:

  • Expanded multi-factor authentication requirements.
  • Updated password requirements.
  • New e-commerce and phishing requirements to address ongoing threats.
Promote security as a continuous process.

Why it is important: Criminals never sleep. Ongoing security is crucial to protect payment data.

Examples:

  • Clearly assigned roles and responsibilities for each requirement.
  • Added guidance to help people better understand how to implement and maintain security.
Increase flexibility for organizations using different methods to achieve security objectives.

Why it is important: Increased flexibility allows more options to achieve a requirement’s objective and supports payment technology innovation.

Examples:

  • Allowance of group, shared, and generic accounts.
  • Targeted risk analyses empower organizations to establish frequencies for performing certain activities.
  • Customized approach, a new method to implement and validate PCI DSS requirements, provides another option for organizations using innovative methods to achieve security objectives.
Enhance validation methods and procedures.

Why it is important: Clear validation and reporting options support transparency and granularity.

Example:

  • Increased alignment between information reported in a Report on Compliance or Self-Assessment Questionnaire and information summarized in an Attestation of Compliance.

The following guides may be useful to you:

Leave a Reply

Your email address will not be published. Required fields are marked *