As of March 31, 2024, organizations in the payments industry will need to comply with all new PCI DSS v4.0 requirements. Find out what the new obligations will be, how to tie them into your enterprise, and how Fortra can help.
For many organizations, 2024 will be a big year. Aside from focusing on increasing revenues, market share, and demand, there will also be a big focus on compliance.
In Fortra’s 2024 State of Cybersecurity Survey, compliance was cited as one of the top three initiatives. In that same survey, 91% of respondents feel they know what to do. This is encouraging, and hopefully a sign that frameworks that include clarifying language and more prescriptive guidance are easier to understand and implement.
This is certainly the case with PCI DSS v4.0, which has been in a transition period since 2022. However, on March 31, 2024 the transition period ended, and security teams should be fully moved over to version 4.0 by March of 2025.
Themes in PCI DSS v4.0 Compliance
It’s been two decades since the PCI Security Standards Council (PCI SSC) created the first set of requirements to protect cardholder data. PCI DSS v4.0 represents a significant shift in how organizations maintain compliance.
Over 200 organizations contributed to the latest version, which includes changes to ensure the requirements keep pace with the evolving threat landscape, clarified language to improve understanding of each topic, and a reorganized structure.
In total, there are 64 new requirements. Within these, four themes have emerged, which are outlined below:
| Goal | Purpose | Examples of Changes in 4.0 |
| --- | --- | --- |
| Continue to meet the security needs of the payment industry | Keep pace with evolving threats to digital transactions | |
| Promote security as a continuous process | Move from point-in-time compliance to ongoing monitoring and threat management | |
| Add flexibility for alternative methodologies | Leverage innovative methods to achieve outcomes | |
| Enhance validation methods and procedures | Discourage criminal actors from fraud attempts | |
A full list of the requirements can be found in the PCI Security Standards Council document library.
It’s 2024: What Should I Focus on for PCI Compliance?
In the Fortra survey mentioned earlier, 63% of respondents said they were on track to meet their compliance efforts (which include efforts to reach PCI DSS v4.0). For the 37% that needed help, be aware that the majority of the 64 new requirements are only best practices until March 31, 2025.
In fact, for any assessments after March 31, only 12 requirements are mandated, as outlined below:
- 2.1.2
- 3.1.2
- 4.1.2
- 5.1.2
- 6.1.2
- 7.1.2
- 8.1.2
- 9.1.2
- 10.1.2
- 11.1.2
- 12.3.2
- 12.5.2
- 12.9.2 (Service Providers Only)
This may seem like a lot, but 10 of these concern documenting and communicating assigned roles and responsibilities.
Additionally, a PCI DSS Prioritized Approach has been introduced, which helps organizations know where to start. It consists of the following six tenets, as generally described below:
- Do not store any unnecessary authentication data
- Protect network and system access points
- Secure payment applications
- Control access to your systems
- Protect all stored cardholder data
- Comply with industry standards and ensure all controls are in place
The most sweeping changes revolve around authentication and data encryption, especially as the payments industry has moved to the cloud. Multi-factor authentication is now required for all accounts accessing cardholder data, not just for administrators accessing the environment, and expanded encryption is now required even on trusted networks.
Check out this video for more tips on how to prepare: How to Prepare for PCI DSS 4.0
Closing Advice
The new requirements in PCI DSS v4.0 represent major changes. We would recommend an assessment, if you haven’t done one recently, to identify the current state of your PCI controls, processes, and documentation. Once you have identified your gaps, you can create a plan to address them.
Also, understand that you don’t have to do this alone, as Fortra has the resources to help. Make Fortra your relentless ally as you leverage our tools, talent, and resources to stay PCI DSS 4.0 compliant. Download this Fortra guide to brush up on PCI DSS 4.0 changes and compliance requirements.
Managed File Transfer Can Support PCI DSS File Transfer Requirements
Fortra’s GoAnywhere MFT, a secure file transfer solution, can make complying with PCI DSS, as well as other compliance mandates such as HIPAA and GDPR, easier. The solution provides auditable, centralized, and automated file transfers and includes these benefits:
- Secure connections for transmitting sensitive data
- Detailed audit logs and reporting
- Encryption of data in motion as well as at rest, including encryption key management
- Keeps PCI data out of the DMZ
- Inbound ports into the private network remain closed, to help prevent intrusion
In addition, GoAnywhere’s automation and security functionality can help reduce costly human errors in handling PCI-related data.
See How MFT Can Help You Comply with PCI DSS 4.0
Download this PCI compliance white paper to learn more, or schedule a demo to learn how MFT can help you meet your PCI DSS requirements.