PCI DSS v4.0: The Transition Phase Is Over. What Will Change for You?

On March 31, 2024, the previous version 3.2.1 of the Payment Card Industry Data Security Standard (PCI DSS) expired. While companies were able to decide for themselves which version of the standard to base their PCI assessment on during the two-year transition phase, the guideline has been clear: since April 1, 2024, all assessments for the annual review of PCI DSS compliance must be carried out in accordance with version 4.0.

Are you facing your first PCI DSS v4.0 assessment this year? Are you wondering what will change for you? In this blog post, we give you a brief overview:

Are PCI DSS v4.0 assessments different?

No, the assessment process remains essentially the same. Planning, conducting and dealing with findings will not change with the new version. Our assessors will continue to start with a kick-off and may request initial documents as part of the assessment planning before the actual assessment is carried out. Assessments may continue to be carried out remotely, provided the environment under assessment allows it.

Most of the changes can be found in the relevant documentation, the evidences and, of course, in the requirements themselves.

Update of RoC and AoC

After successful completion of the assessment, your QSA will create a "Report on Compliance" (RoC) and an "Attestation of Compliance" (AoC) for you to prove compliance with the PCI DSS. These two documents have been revised as part of the new version 4.0, but their structure has remained the same. Your PCI assessor is already using the new templates, so there is no need for you to familiarize yourself with the revised documents.

More detailed evidence required

The RoC describes how the individual PCI DSS requirements are implemented in your company, i.e. the security situation, the environment, the systems and the protection of cardholder data in your company. It also documents how the PCI assessor proceeded when checking the respective requirement.

PCI DSS v4.0 will require more detailed evidence in the RoC from now on. Confirmation of compliance will no longer be sufficient, but references to specific configurations, screenshots or documentation will also be required. Example: While it was previously sufficient for your assessor to confirm that your company complies with the requirement for a minimum password length, the PCI DSS v4.0 RoC now requires proof that this is enforced.

New requirements

A total of 64 new requirements were introduced with version 4.0. Only a comparatively small number, specifically 13 requirements, have become mandatory as of April 1, 2024. These must be implemented in time for your next assessment if they have not already been implemented.

The remaining new security requirements in PCI DSS v4.0 are marked as "future-dated". The PCI Council has granted an additional year to implement these requirements. However, these must also be fully implemented as described in the standard by March 31, 2025 at the latest. Until these requirements officially come into effect, they count as best practice.

What does this mean for you? Your PCI assessor will discuss the status of implementation in the next assessment, but will only document recommendations rather than a finding in the event of non-compliance or insufficient compliance. While this might sound reassuring for now, we recommend that you start reviewing and implementing future-dated requirements in good time, as some of these will require quite some effort and have significant consequences.

The following future-dated requirements, for example, require extensive implementation:

• Requirement 3.5.1.2: Disk encryption is only acceptable for removable media
• Requirement 3.5.1.1: Hashing of PANs must use keyed cryptographic hashing algorithm
• Requirement 3.4.2: Prevention of PAN copying while using remote-access technologies
• Requirement 6.4.3, 11.6.1: Payment Page protection
• Requirements 7.2.5, 7.2.5.1, 8.6.1-3, 10.2.1.2: Handling of technical accounts