10 Steps to Prepare for PCI DSS v4.0

If you’re with an organization that is currently PCI-certified, or planning to get certified for the first time, chances are you’re well aware that PCI DSS v4.0 has arrived, necessitating careful planning and dedicated resources for transition. Organizations must fully comply with the new standard no later than March 2025, so the time to prepare for PCI DSS v4.0 is now. Regardless of if it’s your first PCI DSS assessment or if you’re familiar with the process, compliance requires continuous commitment. Both the assessor and the entity being evaluated should have a security and audit-focused mindset, involving various departments.

PCI DSS is a global standard created to ensure consistent data security measures globally, particularly for payment card account data. The transition from v3.2.1 to v4.0 is a significant update with substantial changes to compliance requirements. Understanding these changes is critical before undergoing a PCI DSS v4.0 assessment.

At a glance, the PCI DSS v4.0 has four primary goals as listed below. As it relates to both merchants and service providers or other entities that are required to comply with PCI DSS, it is important to recognize these goals before going into a PCI DSS v4.0 assessment.

• Continue to meet the security needs of the payment industry
• Promote security as a continuous process
• Add flexibility for different methodologies
• Enhance validation methods

Whether you have conducted PCI DSS assessments in the past on v3.2.1 or are performing an assessment with a QSA for the first time on v4.0, we recommend the following 10 steps to prepare for PCI DSS v4.0:

1. Start Now and Understand the New v4.0 Requirements

Familiarize yourself with the PCI DSS requirements and how they apply to your organization. You should understand which of your systems fall into the scope of PCI DSS.

It is important to understand what changes have been made in the new version, and the PCI Council has a public document that outlines each of the changes: A Summary of Changes – PCI DSS v3.2.1 to v4.0

Below is a high-level list of the major changes from v3.2.1 to v4.0. While this does not encompass all of the changes, it is important to remember that your scope may affect the applicability of requirements that your organization must be compliant with. Additionally, most of the new requirements do not need to be implemented until March 31, 2025.

• Defining roles and responsibilities for all critical PCI areas
• Multi-Factor Authentication (MFA) is now required for all access into the Cardholder Data Environment (CDE)
• User access reviews at least every six months
• Integrity of payment page scripts
• Anti-phishing training and controls
• Authenticated internal vulnerability scanning
• PCI DSS scope is documented and confirmed by the entity annually for merchants and every six months for service providers
• Allowance of shared or generic accounts, but must be appropriately monitored, tracked, and approved
• Keyed cryptographic hashing on PAN storage

2. Identify the Scope

Identify all locations and systems that are directly involved in processing, storing, or transmitting cardholder data, systems connected to these, and systems that could impact the security of cardholder data. Ensure that all locations are secure and that cardholder data is not stored unless absolutely necessary. Identifying your PCI DSS scope includes, but is not limited to the following:

Cardholder Data Flows and Associated Components	All systems and processes where cardholder data (CHD) is transmitted, processed, or stored. This can include but is not limited to network devices, servers, workstations, payment applications, POI devices, CHD repositories, and service provider platforms.
Payment Channels	Processes for handling and/or accepting payments such as card-present transactions, card-not-present/e-Commerce transactions, and mail-order/telephone-order (MOTO).
Networks & Connected Systems	Systems indirectly associated with cardholder data, connected to the cardholder data environment (CDE), or that can affect the security of the CDE such as security systems, logging servers and SIEM solutions, authentication servers and services, VPN appliances, VoIP systems, and other supporting network devices.
Third parties / Vendor-Managed Services	Third-party services that influence the security of the CDE, like payment gateways or cloud service providers.
Physical Locations	Locations with physical access to CDE components or areas that could affect the security of the CDE, such as data centers or server rooms.
People and Processes	People, processes, and policies that are managing in-scope components or could affect the security of cardholder data.
Virtual Components	Virtual components such as virtual machines, virtual applications, and virtual desktops involved in, connected to, or influencing the security of cardholder data.
Hard-Copy Materials	Areas/departments handling hard-copy materials of CHD including physical recording, storage, transportation, and secure destruction.

3. Document, Document, Document!

Ensure all your policies, procedures, and processes are well-documented and implemented correctly. These are critical for evidence throughout the assessment. Regularly update this documentation to reflect changes in your environment. During this step, you should also evaluate all controls and configurations set within the applicable system components in the environment to ensure strong security measures are in place.

4. Hire a QSA

Qualified Security Assessors (QSAs) can provide expert advice and guidance during the transition process. They can help you understand the new requirements, validate your scope, perform a readiness/gap assessment to identify any issues in your current controls, and provide recommendations for how to address these gaps.

We recommend hiring a QSA, such as our high-performing team of QSAs at CompliancePoint, to help you from here on out for performing a gap analysis/readiness assessment to evaluate the current state of your environment. We as QSAs can also conduct a full PCI DSS assessment to determine your official compliance status. QSAs are trained by the PCI Security Standards Council to conduct full PCI DSS assessments. CompliancePoint is a QSA company, and we can assist you in these efforts.

5. Perform a v4.0 Readiness/Gap Analysis or Self-Assessment

Before the actual assessment, it is advisable to perform a readiness/gap assessment against the PCI DSS v4.0 requirements or a self-assessment using the Self-Assessment Questionnaire (SAQ) provided by the PCI Security Standards Council (for those with a reduced scope) to ensure the scope is validated, and to help you understand your status against the PCI v4.0 requirements as well as identify any areas of non-compliance against v4.0. CompliancePoint can perform this readiness/gap assessment or perform the SAQ for you. It is important to speak with your acquirer or other entity that you are reporting PCI compliance to, to ensure that you are aware of your merchant level or service provider level, or any other provisions/restrictions that they have established.

6. Remediation

Following the readiness/gap analysis or self-assessment, take action to remediate any identified compliance issues in your environment, which may involve policy and procedure updates, alterations in network architecture, device or OS configuration changes, updating security controls, or implementing new processes to comply with PCI DSS v4.0. After implementing changes, conduct both internal and external testing and review all documentation to validate functionality and compliance.

7. Education, Training, and Awareness

Make sure that everyone in your organization is aware of the PCI DSS requirements and understands the role they play in maintaining compliance. This could involve training sessions, awareness programs, workshops, or even just a series of emails/meetings to keep everyone informed.

8. Perform the Full PCI DSS Assessment

Once you are at this step, you are ready to perform the full PCI DSS assessment against the v4.0 requirements. This compliance assessment could be performed on your own if it’s an SAQ (type dependent on your scope) or performed by a QSA. If the assessment is performed by a QSA, a Report on Compliance (ROC) or an SAQ can be delivered. The full assessment will cover everything from planning and scope validation to fieldwork (interviews, observations, walkthroughs, evidence review) to reporting and QA. The PCI Council is already accepting ROCs for v4.0, and v3.2.1 will be deprecated on March 31, 2024. After this date, ROCs and SAQs on v3.2.1 will no longer be accepted.

9. Final Remediation and Completion

Address any remaining compliance issues that may have come up from the full PCI DSS assessment. As it relates to v4.0 requirements, it is important to note that some of the new requirements must be implemented immediately and others have a grace period until March 31, 2025. As part of completing a PCI DSS assessment, the entity being assessed will also receive an Attestation of Compliance (AOC) that can be provided to third parties displaying the compliance status of the environment assessed. It’s important to note that the AOC is a key document that may be required by an acquiring bank or card brand to confirm an organization’s PCI DSS compliance status.

10. Prioritize Security and Compliance as a Continuous Process and Perform Ongoing Maintenance and Monitoring

Both security and compliance, including PCI DSS compliance, should be treated as a continuous effort, not a one-time process. Regularly review, update, and monitor your security controls, particularly when altering networks or processes. Aim not just for compliance, but for strong security controls as well. Maintain vigilance and remain proactive in addressing concerns that arise, and continually ensure controls remain effective and are performed based on required frequencies, even after the PCI v4.0 compliance assessment is completed.

These actions offer a broad roadmap to help you prepare for PCI DSS v4.0. Nevertheless, each organization has its own unique circumstances, so your preparation strategy should be customized to your specific requirements and capacities. If you’re currently working with a Qualified Security Assessor already, please consult them for specific advice on how to prepare for PCI DSS v4.0.

Lastly, the PCI Council has also released additional guidance for transitioning to PCI DSS v4.0 that can be an excellent resource, which can be found here: Moving to PCI DSS v4.0 – PCI Council Guidance.

CompliancePoint can help your organization with all its PCI certification needs. Our offerings span a wide spectrum, including readiness/gap assessments (consulting/non-attest) to comprehensive compliance evaluations (attestation), and all services in between. Contact us at connect@compliancepoint.com to get started.

To learn more about executing a successful transition, watch our Preparing for PCI DSS v4.0 webinar.