facebook noscript

PCI DSS v.4.0 is here. Are you ready?

March 14, 2024
pci-4-featured

The newest evolution of the PCI Data Security Standards (PCI DSS) is almost upon us.

After PCI DSS v4.0 was announced in Q1 2022, companies had two more years left to use the old standard of PCI DSS v.3.2.1. Once it is officially retired on March 31, organizations have just one year to be compliant with PCI DSS v4.0.

If you consider that a typical PCI Assessment can take 3-5 months, that isn't a lot of time.

What changes with PCI DSS 4.0 for payment security?

Here's a handy checklist. A complete list is available here.

PCI DSS 4.0 Security Enhancement Checklist

New security requirements for changing threats

  • Expanded multi-factor authentication requirements
  • Updated password requirements
  • New e-commerce and phishing requirements
  • ASV Scanning Requirement changes impacting IFrame and redirect integration strategies

Continuous security for constant protection

  • Clearly assigned roles and responsibilities
  • Added guidance for security implementation and maintenance

Increased flexibility to meet security objectives while supporting innovation

  • Allowance of group, shared, and generic accounts
  • Targeted risk analysis to establish activity frequencies
  • New method - a customized approach to PCI DSS

Enhanced validation methods for increased transparency

  • Improved alignment between ROC (Report on Compliance) and SAQ (Self-Assessment Questionnaire)

Background

PCI-DSS 4.0 was shaped by insights from over 200 organizations and 6,000 suggestions and tailored to meet the changing digital threats of modern payment ecosystems. Many changes are due to the payments industry's increased focus on cloud migration, insider threats, and the surge in online commerce exacerbated by the pandemic.

Additionally, PCI-DSS 4.0 is unique in offering the opportunity to achieve compliance via tailored customization to address and accommodate dynamic technologies and diverse implementations. While PCI-DSS continues to be mandated for an organization to perform the expected due diligence, the new 4.0 standard intends to allow companies to consider the “intent” of a PCI DSS objective and account for their unique infrastructure and risk level exposure.

This creates unchartered territories with new questions and more limited precedents. PCI Compliance Assessments are always time-consuming and resource-intensive; these new requirements add an element of uncertainty to successful completion.

Who does it apply to?

Any organization that deals with Credit or Debit cardholder data.

If you:

  • Store
  • Transmit;
  • Process; or
  • Can Otherwise Affect the Security of

Sensitive Credit or Debit card data, you are subject to PCI DSS 4.0 requirements.

In other words, your cardholder data environment (CDE) is in “in-scope,” and you are subject to its guidelines.

There are 4 Levels of PCI Compliance. What are my requirements?

The PCI-DSS payment security standards apply to anyone who works with and is exposed to payment data, cardholder information, and financial accounts. There are separate requirements for merchants and service providers. Service providers are defined as business entities that are not a payment brand but are directly related to the processing, storing, or transmitting of cardholder data on behalf of another organization2.

For Merchants:

PCI Compliance Level
Applicable If You
Requirements to Comply
Level 1
  1. Process >6M Visa or Mastercard, or >2.5M American Express transactions each year; or
  2. Have experienced a data breach; or
  3. Are identified as “Level 1” by a card network (such as Visa or Mastercard)
  1. Onsite assessment as an Annual Report on Compliance (ROC) by a Qualified Security Assessor (QSA), or internal auditor if signed by an officer of the company
  2. Quarterly network scan by Approved Scan Vendor (ASV)
  3. Attestation of Compliance (AOC) for Onsite Assessments
Level 2
Process 1-6M transactions each year
  1. Annual PCI DSS Self-Assessment Questionnaire (SAQ). Click here for a full list of merchant resources.
  2. Quarterly network scan by Approved Scan Vendor (ASV)
  3. Attestation of Compliance (AOC) —to match the SAQ type
Level 3
Process 20K - 1M online transactions each year OR
Process <1M total transactions each year
Same as above
Level 4
Process <20K online transactions each year OR
Process <=1M total transactions each year
Same as above

Source: https://www.mastercard.us/en-us/business/overview/safety-and-security/security-recommendations/site-data-protection-PCI/merchants-need-to-know.html

For Service Providers

Service providers include companies that provide services that affect or may affect cardholder data security. Such services include managed service providers with managed firewalls, IDS / IPS, other services, and hosting service providers.

PCI Compliance Level
Applicable If You
Requirements to Comply
Level 1

Service Providers that store, process, or transmit >300K transactions per year (>2.5M for American Express.)

Also applicable to:

  • All Third Party Processors (TPPs)
  • All Staged Digital Wallet Operators (SDWOs)
  • All Digital Activity Service Providers (DASPs)
  • All Token Service Providers (TSPs)
  • All 3-D Secure Service Providers (3-DSSPs)
  • All AML/Sanctions Service Providers
  • All Installment Service Providers (ISPs)
  • All Merchant Payment Gateways (MPGs)
  • All Data Storage Entities (DSEs) and Payment Facilitators (PFs) with more than 300K total annual transactions

Annual PCI assessment resulting in the completion of a Report on Compliance (ROC) completed by a QSA (Qualified Security Auditor)

Quarterly Network Scans performed by the Approved Scanning Provider (ASV)

Annual Penetration Test

Quarterly Local Network Vulnerability Scans

Declaration of Conformity with an Attestation of Compliance (AOC)

Level 2

Service Providers with <300K transactions per year (<2.5M for American Express.)

  • All DSEs2 and PFs with 300,000 or less total combined Mastercard and Maestro transactions annually

Also applicable to:

  • All Terminal Servicers (TSs)

Annual Self-Assessment Questionnaire (PCI SAQ) D

Quarterly Network Scans performed by the Approved Scanning Provider (ASV)

Annual Penetration Test

Quarterly Local network Vulnerability Scans

Declaration of Conformity with an Attestation of Compliance (AOC)

Source: https://www.mastercard.us/en-us/business/overview/safety-and-security/security-recommendations/site-data-protection-PCI/service-providers-need-to-know.html

I am an existing VGS customer. What changes for me?

As a result of working with VGS, you are already in good shape with the default descoping of PCI compliance.

To ensure compliance with PCI 4.0:

  • Prevent revealing any sensitive information in any endpoints that aren't part of the integration scope
  • Confirm that appropriate personnel have limited access/roles and responsibilities to protect the data flow further and avoid any changes
  • Ensure a change-and tamper-detection mechanism is deployed.
    • Per PCI DSS v.4.0, “a change- and tamper-detection mechanism is deployed to alert personnel to unauthorized modification (including indicators of compromise, changes, additions, and deletions) to the HTTP headers and the contents of payment pages as received by the consumer browser.”
    • For VGS Collect/Show: Tamper detection is the responsibility of the customer who is implementing the IFrame. VGS supports this capability by providing the hashes and integration guide.
    • For VGS Mobile SDKs: VGS supports these with a signed library or similar hashes that provide guarantees around tamper detection of the libraries. For the actual integration, VGS would validate that the events registered to the UI elements aren't allowed to bypass the VGS Collect SDK.
  • Perform quarterly network scans by Approved Scan Vendor (ASV).
    • VGS does not currently directly offer ASV services, but we refer our customers to trusted ASV providers with whom we have good relationships. If you are already working with an ASV solution, you can continue working with your existing ASV to complete the scans on your behalf.

If configured correctly, VGS will continue to ensure that no sensitive cardholder data is exposed to your corporate environments.

Integration with VGS provides a solid foundation for minimizing enterprise risk around storing and handling sensitive data. You can use VGS' features to control how and where data is forwarded and eliminate additional compliance burdens while keeping the existing payment data flow out of scope for PCI compliance. The VGS implementation enforces the majority of the PCI DSS requirements that serve as evidence in a PCI assessment.

I need to implement PCI DSS 4.0. What should I be planning?

If you haven't begun, start immediately!

Here is a list of considerations (there are more) to get you started -

Digital Identities and Authentication

  • Passwords: Improved length and complexity and more frequent password changes
  • Expansion of Requirement 8: Clear instructions to confirm who users are and ensure they're really who they say they are
  • Increased limitation and monitoring of vendor and third-party accounts
  • Implementation of Multi-Factor Authentication for all CDE access

Encryption

  • Expanded firewall terminology to support a broader range of technologies
  • Improved management of cryptographic keys and certificates

Continuous Monitoring

  • 6-monthly review of access privileges
  • More frequent data discovery to locate sensitive information in cleartext
  • Annual review and update of security awareness programs

How can VGS help me meet my PCI DSS Compliance needs?

A typical PCI Assessment covers a spectrum of needs across 12 requirements. We have simplified these, and have solutions to match the needs across all the requirements.

Typical PCI DSS v4.0 Scope
VGS Solution
1. Identify all payment channels and methods for accepting CHD, from the point where the CHD is received through to the point of destruction, disposal, or transfer.
Configure all routes for aliasing/revealing inbound/outbound sensitive data.
2. Document all CHD flows, and identify the people, processes, and technologies involved in storing, processing, and/or transmitting of CHD. These people, processes, and technologies are all part of the CDE.
Configure access and assign roles and limits to all VGS Dashboard users with access to make any changes to the SAD (Sensitive Authentication Data) data flow.
3. Identify all processes (both business and technical), system components, and personnel with the ability to interact with or influence the CDE. These people, processes, and technologies are all in scope, as they have connectivity to the CDE or could otherwise impact the security of CHD.
Minimize the scope and system components that directly interact with SAD. VGS essentially becomes the CDE.
4. Implement controls to limit connectivity between CDE and other in-scope systems to only that which is necessary.
Provide granular support to enforce connectivity limitations.
5. Implement controls to segment the CDE from people, processes, and technologies that do not need to interact with or influence the CDE.
Implement all applicable PCI DSS requirements.
Configure access and assign roles and limits to all VGS Dashboard users with access to make any changes to the SAD (Sensitive Authentication Data) data flow.

VGS offers MFA-capable authentication or leverages your organization's enterprise IDP.
6. Identify and implement PCI DSS requirements as applicable to the in-scope system components, processes, and personnel.

Maintain and monitor.
Provide expert guidance on all the controls that need to be enforced by the customer internally.
7. Implement processes to ensure PCI DSS controls remain effective day after day.
Provide granular support to make any additional updates to an existing SAD data flow while maintaining an annual level of compliance.
8. Ensure the people, processes, and technologies included in scope are accurately identified when changes are made.
Configure access and assign roles and limits to all VGS Dashboard users with access to make any changes to the SAD (Sensitive Authentication Data) data flow.

Read more about ASV scans and tamper-detection support in the Existing Customer section above.

While people who participate in storing, processing, or transmitting cardholder data are part of the CDE, when implementing segmentation for PCI DSS scoping, these people do not have to be segmented or isolated from people who are outside of the CDE.

This is because the processes and technologies put in place to implement and maintain the segmentation also ensure that people in the CDE are the only ones with the requisite access.

Partnering with VGS

When customers partner with VGS, we provide them with a Responsibility Matrix, along with the breakdown and impact of the changes. This approach allows customers to establish a clear-cut plan internally, identify who is doing what by when, and leverage VGS expertise to minimize the compliance burden.

VGS provides PCI Compliance subscriptions and access to our knowledgeable list of preferred QSAs to perform an Audit, provide an AOC, and reissue an SAQ annually. VGS can also work with your preferred QSAs.

What are my next steps?

  • Understand your organization's scope and team priorities to see if you have the time and resources needed to do this in-house by your annual assessment deadline.
  • Plan out the most efficient way to meet the PCI DSS 4.0 requirements now and every quarter forward
  • Contact us to see how we can help with your PCI compliance needs and prepare you for v.4.0.

PCI DSS 4.0 can feel daunting, but it doesn't have to be. The VGS Vault securely stores payment data, enabling organizations to descope their environments and fortify their security posture. We ensure that customers are confidently and constantly on top of changing PCI-DSS requirements, including for 4.0. Plus, we can recommend QSAs or work with your existing QSA to ensure a successful PCI audit that protects your data according to the latest regulations.

Read more about PCI Compliance with VGS here.

Ready to learn more? Contact Us here

Resources

  1. https://stripe.com/guides/pci-compliance
  2. https://pcidssguide.com/what-are-pci-service-provider-compliance-levels/
Senior Director of Product Marketing Khyati Srivastava

Sr Director, Marketing

stu-cianos-headshot Stu Cianos

Director, Security & Compliance

Share

You Might also be interested in...

migrating-java17-featured

Java Evolution: Unlocking Performance and Efficiency from Java 8 to 17

Oleksandr Ahitoliev March 18, 2024

aws-competency-partner

VGS is Now An AWS Financial Services Competency Partner

Khyati Srivastava February 26, 2024

gaming-2-featured

Leveling Up Your Payment Strategy to Win as a Video Gaming Company

Khyati Srivastava February 21, 2024