PCI DSS v4 – Changes at a Glance

Published on 13 June 2022


After several years' wait, and to surprisingly little fanfare, the Payment Card Industry Security Standards Council (PCI SSC) released the new version of the PCI Data Security Standard (DSS) on 31 March 2022. It has been 4 years since the last minor update (v3.2.1) and nearly 9 years since the last major update (v3.0). Given the ever-evolving risks and the changes in the security landscape and in technology, it can be argued that the new release is long overdue. The question is: what has changed, and why is this classified as a major update? Here is a brief summary of the key changes.

The Requirements

There have been a lot of minor clarifications, renumberings and rearrangements of the requirements within the Standard to make it flow better and be easier to follow. But there are also approximately 40 new requirements across a variety of areas, including:

  • Increased requirements for multi-factor authentication across the scope
  • New requirements mandating the deployment of anti-phishing systems
  • Greatly expanded risk assessment requirements
  • Mandatory deployment of a web application firewall (WAF) for public-facing web applications
  • Change detection on HTTP headers of payment pages
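The last item above is the one that most often needs new tooling rather than new paperwork. As an added illustration (not code from this page or from URM) of what "change detection on HTTP headers of payment pages" means in practice, the script below takes a known-good baseline of a payment page's response headers, ignores headers that legitimately vary between responses (Date, Set-Cookie and similar), and reports anything added, removed or changed. The header sets and the `.invalid` hostnames are constructed sample data, so the script runs offline; in a real deployment the observed headers would come from a scheduled fetch of each payment page.

```python
"""Baseline-and-compare detection for HTTP response headers on payment pages.

Added example, not code from the original page. All header values and
hostnames below are constructed sample data.
"""
import hashlib
import json

# Headers whose values legitimately differ between responses. They are excluded
# from the comparison so routine variation does not raise alerts.
VOLATILE_HEADERS = {
    "date", "expires", "age", "etag", "last-modified", "set-cookie", "x-request-id",
}


def normalise(headers: dict) -> dict:
    """Lower-case header names, strip whitespace and drop volatile headers."""
    return {
        name.lower(): value.strip()
        for name, value in headers.items()
        if name.lower() not in VOLATILE_HEADERS
    }


def fingerprint(headers: dict) -> str:
    """Stable SHA-256 over the normalised headers; store this as the baseline."""
    canonical = json.dumps(normalise(headers), sort_keys=True)
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def diff_headers(baseline: dict, observed: dict) -> dict:
    """Return what was added, removed or changed relative to the baseline."""
    base, obs = normalise(baseline), normalise(observed)
    return {
        "added": {k: obs[k] for k in obs.keys() - base.keys()},
        "removed": {k: base[k] for k in base.keys() - obs.keys()},
        "changed": {k: (base[k], obs[k]) for k in base.keys() & obs.keys() if base[k] != obs[k]},
    }


def check_page(baseline: dict, observed: dict):
    """None when the non-volatile headers match the baseline, else the diff."""
    if fingerprint(baseline) == fingerprint(observed):
        return None
    return diff_headers(baseline, observed)


# Constructed baseline captured when the payment page was last approved.
BASELINE_HEADERS = {
    "Date": "Mon, 13 Jun 2022 09:00:00 GMT",
    "Content-Type": "text/html; charset=utf-8",
    "Content-Security-Policy": "default-src 'self'; script-src 'self' https://checkout.example-psp.invalid",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "X-Frame-Options": "DENY",
}

# Constructed later observation: only the Date differs, so no alert is expected.
UNCHANGED_HEADERS = dict(BASELINE_HEADERS, Date="Tue, 14 Jun 2022 09:00:00 GMT")

# Constructed later observation with a relaxed CSP, a missing HSTS header and an
# extra header, which is exactly the kind of drift the requirement targets.
DRIFTED_HEADERS = {
    "Date": "Tue, 14 Jun 2022 09:00:00 GMT",
    "Content-Type": "text/html; charset=utf-8",
    "Content-Security-Policy": "default-src 'self'; script-src 'self' https://checkout.example-psp.invalid https://cdn.unknown.invalid",
    "X-Frame-Options": "DENY",
    "X-Powered-By": "Example/1.0",
}


if __name__ == "__main__":
    for label, observed in (("unchanged", UNCHANGED_HEADERS), ("drifted", DRIFTED_HEADERS)):
        result = check_page(BASELINE_HEADERS, observed)
        print(label, "->", "no change" if result is None else json.dumps(result, indent=2))
```

The comparison deliberately works on a normalised copy rather than the raw header text, so that case or whitespace differences do not raise false alerts, while a widened Content-Security-Policy or a dropped Strict-Transport-Security header is reported with the before and after values for the person triaging the alert.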

Customised Validations

This, in URM’s opinion, is what makes this update a major change. The Council has introduced a completely new way for organisations to validate their PCI compliance status, calling it a ‘customised validation’. Simply put, this is a new way to meet the intent of any given requirement, but with a control that you design and implement.

This provides your organisation with the flexibility to meet a requirement in the way that best suits you; however, it is not without its drawbacks. A customised validation requires a great deal of effort from your organisation to design, document, detail, test and maintain the control, much of which relies on you having a mature risk assessment process embedded within your operations and processes.

In short, customised validations are not for the faint-hearted and require a significant resource investment to accomplish correctly, not to mention the increased level of effort required by your QSA to assess each customised validation as compliant.

Additional Resources

On 7 April 2022, URM held a webinar that outlined some of the key changes within version 4 of the Standard and the implications of those changes. If you would like to access a recording of this webinar, please complete the form below and we will email you a link at the earliest opportunity, i.e. during normal office hours – Monday to Friday, 9 to 5:30.

Are you looking for a PCI QSA?

As a long-established PCI QSA, URM is able to deliver a full PCI QSA-led audit and produce a report on compliance (RoC), as well as deliver a full QSA-led self-assessment questionnaire (SAQ).