Expert Insight: The Changes You Need to be Aware of for PCI DSS 4.0 

by Chaz Lively / March 2nd, 2023

Looking ahead to the looming PCI changes can feel intimidating, but when taken one step at a time, they may be more manageable than you think. There’s still some time before your organization has to completely adopt the PCI DSS 4.0 changes, but if you can start working toward the goal of switching over, your transition can be much smoother.   

Here are a few of the big-picture changes that PCI DSS 4.0 will entail. 

Multi-factor authentication (MFA) requirements have been strengthened. 

Under v3.2.1, MFA was required only for administrative access to the cardholder data environment (CDE) and for remote access from outside the entity's network. In v4.0, Requirement 8.4.2 extends MFA to all access into the CDE (a future-dated requirement, effective March 31, 2025). Requirement 8.5.1 also sets conditions on how MFA is implemented: the system must not be susceptible to replay, must not be bypassable except under a documented, management-approved, time-limited exception, must use at least two different factor types, and must grant access only after every factor succeeds. 

Password requirements have been changed.  

The minimum length for user passwords rises from 7 to 12 characters (Requirement 8.3.6), and passwords must contain both numeric and alphabetic characters; where a system cannot support 12 characters, the minimum is 8. The 90-day change cycle is no longer a blanket rule: Requirement 8.3.9 applies it only where a password is the sole authentication factor for user access, and even then the entity may instead dynamically analyze the security posture of accounts and determine access in real time. Application and system accounts (Requirement 8.6.3) must use passwords that are protected against misuse, changed at a frequency set by the entity's targeted risk analysis, and strong enough for that frequency. PCI DSS also calls for passwords to be compared against a list of known bad passwords so that common or compromised choices are rejected. 
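As an added example (not code from the article or from KirkpatrickPrice), the following Python evaluates a candidate password against the v4.0 length and composition rules and a known-bad list, and applies the 90-day rotation only where the password is the sole authentication factor, which is how Requirement 8.3.9 scopes it. Function names, the known-bad list, and the sample inputs are all constructed for illustration.

```python
"""Evaluate user passwords against the PCI DSS v4.0 rules discussed above.

Added example; not code from the article or from KirkpatrickPrice. The
function names, the known-bad list and all sample inputs are constructed
for illustration.
"""
from datetime import date, timedelta

MIN_LENGTH = 12          # Requirement 8.3.6
FALLBACK_MIN_LENGTH = 8  # permitted only where the system cannot support 12
ROTATION_DAYS = 90       # Requirement 8.3.9, single-factor user access only

# Constructed known-bad list. A real deployment loads a breached-password
# corpus here and checks it the same way.
KNOWN_BAD = {"password1234", "welcome12345", "changeme1234", "summer2023!!"}


def password_problems(password, system_max_length=None, known_bad=KNOWN_BAD):
    """Return the list of rule violations; an empty list means acceptable."""
    problems = []
    minimum = MIN_LENGTH
    if system_max_length is not None and system_max_length < MIN_LENGTH:
        minimum = FALLBACK_MIN_LENGTH  # document this system limitation for the assessor
    if len(password) < minimum:
        problems.append(f"shorter than {minimum} characters")
    if not any(ch.isalpha() for ch in password):
        problems.append("contains no alphabetic character")
    if not any(ch.isdigit() for ch in password):
        problems.append("contains no numeric character")
    # Case-insensitive comparison so "Password1234" does not slip past "password1234".
    if password.lower() in {bad.lower() for bad in known_bad}:
        problems.append("appears on the known-bad password list")
    return problems


def _as_date(value):
    """Accept either a date or an ISO-8601 string such as "2023-01-01"."""
    return value if isinstance(value, date) else date.fromisoformat(value)


def rotation_due(last_changed, today, single_factor):
    """True when the 90-day rule requires a change.

    The clock applies only when the password is the sole factor. An account
    behind MFA is not subject to it; the standard's other option for
    single-factor access (dynamic analysis of account posture) is not modelled.
    """
    if not single_factor:
        return False
    return _as_date(today) - _as_date(last_changed) >= timedelta(days=ROTATION_DAYS)


if __name__ == "__main__":
    for candidate in ("Short1", "Password1234", "correct-horse-battery-7"):
        print(candidate, "->", password_problems(candidate) or "ok")
    print("rotation due:", rotation_due("2023-01-01", "2023-04-01", single_factor=True))
```

The point to take from `rotation_due` is the `single_factor` argument: an account that authenticates with MFA does not trip the 90-day clock, so the rotation job has to know which accounts are single-factor rather than rotating everything.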

Access privileges must be reviewed at least once every six months. 

Requirement 7.2.4 requires a review of all user accounts and their access privileges, including third-party and vendor accounts, at least once every six months, with management confirming that the access remains appropriate and any inappropriate access removed. Making sure individuals, groups, and system accounts have only the access their role requires limits what a compromised account can reach, and reviewing those privileges more frequently catches access that was never revoked after a role change or departure.  

Authenticated vulnerability scans are now required.  

Requirement 11.3.1.2 requires internal vulnerability scans to be performed as authenticated scans, using credentials with sufficient privileges to assess the target; those scan credentials are managed under Requirement 8, and any system that cannot accept credentials must be documented. An authenticated scan logs in to each host with a valid account, so it can enumerate installed software, patch levels, and local configuration. An unauthenticated scan has no account and sees only what the host exposes over the network (open ports, service banners, responses to probes), so it can miss vulnerabilities in software that is installed but not listening. Authenticated scans therefore tend to find more, and to produce fewer false positives from version guessing. 

The new standard allows for shared accounts. 

Under v3.2.1, group, shared, and generic accounts were prohibited. Requirement 8.2.2 in v4.0 permits them on an exception basis, provided management controls keep every action attributable to a person. Examples of those controls are using shared accounts only when necessary and only for the time needed, justifying their use through a documented risk analysis with management approval, regularly reviewing the permissions of the shared accounts, confirming the individual's identity before access is granted, and ensuring that every action performed with a shared account is traceable to an individual. 
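The control an assessor will probe hardest is the last one: can you name the person behind each action taken with a shared account? The following Python, an added example that is not code from the article or from KirkpatrickPrice, joins a privileged-access checkout ledger (who held the shared account, for which window, under which ticket) against a line-oriented audit trail and reports the actions nobody is accountable for. Both data sets are constructed for illustration; the log format and the ledger fields are assumptions.

```python
"""Attribute actions taken under a shared account to the individual who used it.

Added example; not code from the article or from KirkpatrickPrice. It assumes
a privileged-access checkout ledger (who held the shared account, for which
window, under which ticket) and a line-oriented audit trail; both data sets
below are constructed for illustration.
"""
from datetime import datetime

# Constructed checkout ledger, e.g. exported from a PAM tool.
CHECKOUTS = [
    {"account": "svc_dba", "user": "alice", "ticket": "CHG-1042",
     "start": "2023-03-01T09:00:00", "end": "2023-03-01T10:00:00"},
    {"account": "svc_dba", "user": "bob", "ticket": "INC-7731",
     "start": "2023-03-01T14:00:00", "end": "2023-03-01T15:30:00"},
]

# Constructed audit lines: "<ISO timestamp> host=<host> user=<account> action=<text>".
AUDIT_LOG = """\
2023-03-01T09:12:41 host=db01 user=svc_dba action=ALTER TABLE cards ADD COLUMN note
2023-03-01T09:40:05 host=db01 user=svc_dba action=SELECT * FROM cards LIMIT 10
2023-03-01T11:03:17 host=db01 user=svc_dba action=DROP TABLE audit_archive
2023-03-01T14:20:00 host=db02 user=svc_dba action=GRANT SELECT ON cards TO reporting
"""


def parse_audit(log_text):
    """Parse the audit trail into dicts with a datetime 'time' field."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        timestamp, rest = line.split(" ", 1)
        # host and user never contain spaces; everything after "action=" is the action.
        fields = dict(part.split("=", 1) for part in rest.split(" ", 2))
        fields["time"] = datetime.fromisoformat(timestamp)
        events.append(fields)
    return events


def attribute(events, checkouts):
    """Split events into (attributed, unattributed).

    An event is attributed only when exactly one checkout window for that
    account covers its timestamp. No window, or overlapping windows, both
    mean accountability is lost, which is what an assessor will ask about.
    """
    windows = [
        (c["account"], c["user"], c["ticket"],
         datetime.fromisoformat(c["start"]), datetime.fromisoformat(c["end"]))
        for c in checkouts
    ]
    attributed, unattributed = [], []
    for event in events:
        matches = [w for w in windows
                   if w[0] == event["user"] and w[3] <= event["time"] <= w[4]]
        if len(matches) == 1:
            _, person, ticket, _, _ = matches[0]
            attributed.append({**event, "person": person, "ticket": ticket})
        else:
            unattributed.append(event)
    return attributed, unattributed


def report(log_text=AUDIT_LOG, checkouts=CHECKOUTS):
    """Return ({person: [actions]}, [actions nobody is accountable for])."""
    attributed, unattributed = attribute(parse_audit(log_text), checkouts)
    by_person = {}
    for event in attributed:
        by_person.setdefault(event["person"], []).append(event["action"])
    return by_person, [e["action"] for e in unattributed]


if __name__ == "__main__":
    by_person, orphans = report()
    for person, actions in by_person.items():
        print(person, "->", actions)
    print("unattributable:", orphans)
```

In the constructed data the `DROP TABLE audit_archive` at 11:03 falls outside every checkout window, so it lands in the unattributable list; that gap is exactly the finding a shared-account exception has to be able to close, which is why the checkout step must happen before the credential is released rather than being reconstructed afterwards.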

Two new anti-phishing requirements are in place: 
  1. Mechanisms, such as email security services, to detect and protect personnel against phishing attacks must be in place (Requirement 5.4.1). 
  2. Security awareness training must cover phishing and related social engineering (Requirement 12.6.3.1). 

All entities must document their PCI DSS scope every 12 months.  

An annual scoping of the cardholder data environment was mentioned in previous versions of PCI DSS, but v4.0 makes it a trackable requirement under Requirement 12. A documented scoping exercise must be performed at least once every 12 months and after any significant change to the in-scope environment (e.g., people, systems, or processes). 

  • In PCI DSS 4.0, both the entity and the assessor share the burden of validating scope. 
  • New Requirement 12.5.2 formalizes the scoping review as part of your annual assessment; service providers must additionally confirm scope at least once every six months and after significant changes (Requirement 12.5.2.1). 

Targeted risk analysis is required. 

Requirement 12.3.1 requires a targeted risk analysis for each PCI DSS requirement that gives the entity flexibility in how it is met, typically in how frequently a control is performed (the standard says "periodically" and leaves the frequency to the entity). Each such analysis must be documented and include: 

  • Identification of the assets being protected 
  • Identification of the threat(s) that the requirement is protecting against 
  • Identification of factors that contribute to the likelihood and/or impact of a threat being realized 
  • Resulting analysis that determines, and includes justification for, how frequently the requirement must be performed to minimize the likelihood of the threat being realized 
  • Review of each targeted risk analysis at least once every 12 months to determine whether the results are still valid or if an updated risk analysis is needed 
  • Performance of updated risk analyses when needed, as determined by the annual review 

PCI DSS v3.2.1 remains active alongside v4.0 until March 31, 2024, when it is retired. Beyond that, organizations have until March 31, 2025, to phase in the requirements that v4.0 initially identifies as best practices (the future-dated requirements). Prior to this date, organizations are not required to validate these new requirements; however, organizations that have implemented controls to meet them and are ready to have the controls assessed before their effective date are encouraged to do so.  

After March 31, 2025, these new requirements are effective and must be fully considered as part of a PCI DSS assessment. For more details regarding these changes and a timeline of when these changes will go into effect, take a look at this article from PCI DSS Guide. 

Prepare for PCI DSS Changes with KirkpatrickPrice 

Don’t feel like you have to face these changes alone. KirkpatrickPrice experts are here to help you through all aspects of your compliance journey, including framework changes and new PCI scoping requirements. We are committed to making sure your organization is prepared to face today’s threats confidently. Cardholder data is some of the most valuable data an organization can possess, and we want to make sure you stay on top of PCI DSS standards to best manage that data.  

Connect with a KirkpatrickPrice expert today.  

About the Author 

Chaz Lively is a security professional who has worked in the PCI space for seven years. His work particularly focuses on risk assessment and security policy development. Chaz holds an AWS CCP certification.