What Businesses Need to Know About PCI DSS 4.0 Compliance

PCI DSS 4.0 requirements are more flexible than their predecessors

After several years of Payment Card Industry Data Security Standard (PCI DSS) version 3.2.1, the PCI Security Standards Council (PCI SSC) has laid out a new set of requirements businesses must meet to show clients their commitment to security: PCI DSS 4.0. The PCI DSS 4.0 release date was March 31, 2022, but worry not: Businesses have plenty of time to meet the new standard without fear of non-compliance. PCI DSS 3.2.1, the current standard, will phase out on March 31, 2024, and organizations have until March 31, 2025, to fully meet PCI DSS 4.0 requirements.

That said, the earlier your business begins to address the new standard of compliance, the smoother the transition will be. Plus, getting a jump on PCI DSS 4.0 demonstrates to clients how zealously you guard their sensitive information. Here’s what you need to know to meet this new standard.

What Is PCI DSS 4.0 Compliance?

PCI DSS 4.0 is a set of 12 security standards businesses must meet when accepting, transmitting, processing, and storing credit card data. The PCI SSC created this new benchmark of security based on over 6,000 pieces of feedback provided by more than 200 organizations. It has four new high-level goals:

  1. Add flexibility and support of additional methodologies to achieve security
  2. Promote security as a continuous process
  3. Enhance validation methods and procedures
  4. Ensure the standard continues to meet the security needs of the payments industry

What do these goals mean? Simply put, they mean stronger authentication requirements in pursuit of a Zero Trust framework. All users, whether inside or outside the network, must be authenticated and authorized before gaining access. Once they have access, their security procedures and controls must be continuously validated to maintain it.

At the same time, 4.0 recognizes the ever-changing nature of cybersecurity. Whereas 3.2.1 and previous standards dictated specific controls and technologies that had to be employed by all businesses, 4.0 allows businesses to employ innovative and emerging cybersecurity solutions — provided a PCI assessor tests and approves each solution. This grants organizations greater flexibility when meeting the standard.

If you’re looking to make the compliance process easier, DuploCloud is here to help. We built our tools and controls with PCI DSS in mind, and our robust automation reduces the chances of human error in cloud deployment. Read our whitepaper to learn more.

How Is PCI DSS 4.0 Different From 3.2.1?

The expanded flexibility of PCI DSS 4.0 can be confusing, both for organizations new to compliance and for veterans looking to update. There are two approaches to achieving compliance: the defined approach and the customized approach. Both require a PCI DSS expert assessor to review the resulting security protocols and systems.

Defined Approach: 12 Revised PCI DSS 4.0 Requirements

Businesses that have achieved PCI DSS compliance in the past will be familiar with the defined approach: the prescriptive method used under previous versions of the standard. It specifies the tools and controls recommended by the PCI SSC that, when implemented correctly, satisfy each requirement. It’s built upon a revised collection of the 12 PCI DSS requirements:

  1. Install and maintain network security controls.
  2. Apply secure configurations to all system components.
  3. Protect stored account data.
  4. Protect cardholder data with strong cryptography during transmission over open, public networks.
  5. Protect all systems and networks from malicious software.
  6. Develop and maintain secure systems and software.
  7. Restrict access to system components and cardholder data by business need to know.
  8. Identify users and authenticate access to system components.
  9. Restrict physical access to cardholder data.
  10. Log and monitor all access to system components and cardholder data.
  11. Test security of systems and networks regularly.
  12. Support information security with organizational policies and programs.

Each of these requirements has several sections nested within that provide specific directives for meeting compliance requirements. Additionally, organizations that follow the defined approach can use compensating controls if they have a legitimate and documented technical or business constraint preventing them from meeting a defined approach requirement. For instance, if your business has legacy systems that can’t be updated, you can use compensating controls to meet compliance requirements.

For the full list of requirements and nested sections, businesses can visit the PCI DSS 4.0 resource hub maintained by the PCI SSC or download the standards document itself from the PCI SSC document library.

The defined approach is recommended for organizations that already have controls in place to meet requirements from 3.2.1 and are comfortable with their current control validation methods. It’s also a useful framework for startups and other young businesses first wading into PCI DSS compliance because it provides specific guidance for achieving compliance.

Customized Approach

One of the major changes in PCI DSS 4.0 is the option to achieve compliance through the customized approach. This allows organizations to employ newer technology or other innovative approaches to security without jeopardizing their compliance status. Using the customized approach, a business can consider the intent of each of the 12 objectives and design its own security solutions to meet it.

The customized approach usually requires more initial effort to design controls and ensure they are properly implemented, documented, and able to be assessed accurately. It also requires close collaboration with your business’s PCI assessor, as both parties must fully understand the controls and the tests the assessor designs in response. Organizations with pre-existing robust security processes and mature risk management practices are most likely to succeed using the customized approach. The PCI SSC recommends that businesses consult with the payment brands they work with before choosing the customized approach.

How DuploCloud Can Help

Whether you’re aiming to upgrade from PCI DSS 3.2.1 to 4.0 or looking to leapfrog 3.2.1 and begin your compliance journey with 4.0, DuploCloud’s all-in-one DevSecOps Automation platform can help. We built our low- and no-code cloud deployment tools with PCI standards in mind. That means security controls and PCI compliance requirements can be implemented faster than manual deployment and with minimal risk caused by human error. The platform also comes with the documentation necessary to undergo a PCI DSS assessment with confidence. For more information, read our whitepaper.