Guides and reports

PCI DSS compliance v4.0: Your requirements checklist

What is the latest version of PCI DSS? Helen Huyton, Merchant Data Security Analyst at Adyen, gives an update on the changes to PCI DSS that was released on 31 March 2022, the differences between v3.2.1 and v4.0, and how to become PCI compliant.

Helen Huyton, Merchant Data Security Analyst · Adyen

24 August, 2021

· 6 minutes

Topics

Guides and reports Understand payments Optimise payments Make compliance easy Data and insights E-commerce

Disclaimer: This article should be used only for guidance purposes and shouldn’t be taken as definitive advice. Always consult your acquirer or a Payment Card Industry Data Security Standards (PCI DSS) Qualified Security Assessor (QSA) for clarification. It’s mostly relevant for companies processing less than 6 million transactions per year.

PCI DSS v4.0 was released on 31 March 2022 and will come into effect in March 2024. We are working hard in the background to do a full assessment of the new standard. Adyen customers will be informed accordingly of any key changes, but for the time being the below information remains accurate and up to date.

From Cerberus, the mythological dog that guarded the gates of the Underworld, to the Federal Reserve Bank of New York’s ninety-ton steel vault of gold, it’s safe to say that maintaining good security standards has always been good business. And when it comes to data security, the benefits of staying up to date with PCI compliance are nothing short of invaluable. You don’t even need a three-headed dog to do it.

But first, a quick recap.

While a new version of PCI DSS, PCI DSS v4.0, will come to effect in March 2024, it's key to understand what PCI DSS v3.2.1 entailed before diving into the changes. Here's a quick refresh of the previous PCI standard, and then we'll cover everything you need to know about PCI DSS v4.0.

PCI DSS is a set of technical and operational requirements intended to protect account data, combat fraud, and reduce the chances of a data breach. Launched in 2006, PCI DSS was developed by the PCI Security Standards Council (PCI SSC), an independent body made up of MasterCard, Visa, American Express, JCB, and Discover. Currently, 12 core requirements make up the PCI DSS.

Any organization that interacts with the Cardholder Data Environment (CDE) – collecting, processing, storing, or transmitting account data – must comply with PCI DSS directly or through completing an annual assessment independently or together with your QSA. While it is not part of any law, the standard is applied around the world. Failure to meet PCI DSS may result in breaches, fines, or termination of credit card processing privileges.

Previous feedback suggested that the decimal points in “PCI DSS v3.2.1” were getting a little out of hand, and it was time for a rebrand. Just kidding. While the 12 core PCI DSS requirements remain fundamentally the same, the changes for PCI DSS v4.0 are to ensure account data is properly protected, and that businesses are clear on their responsibilities in making that happen.

As technology evolves, so do the attack tactics and capabilities of bad actors trying to compromise systems. There has also been an uptick of adoption digital wallets or contactless payments in Australia that kickstarted during the COVID-19 pandemic, and snowballed from there. More needs to be done to ensure the protection of account data.

That's where PCI DSS v4.0 comes in. The new guidelines are aligned with the latest changes and developments in the security landscape, while providing clearer guidance for businesses to follow.

The PCI Security Standards Council guided the creation of version 4.0 with four objectives. They are:

To ensure the standard continues to meet the security needs of the payments industry
To add flexibility and support of additional methodologies to achieve security
To encourage businesses to view security as a continuous process
To enhance validation methods and procedures to be more robust

PCI DSS v4.0 includes an expansion of requirements in developing security and technology areas, including mobile phones and tablets, contactless payments, cloud adaptation, new software development practices, and increased dependence on third parties.

With PCI DSS v4.0 in effect, here are some best practice tips to help you get all your security ducks in a row:

Don’t use preset usernames, passwords, or factory settings
Use strong passwords and unique user IDs – at least 7 character passwords (numeric, alphabetic, and special characters)
Stay up to date with new software patches as soon as they’re released

If you maintain your compliance and keep control of your environment, you'll be well placed to meet PCI DSS v4.0 requirements. Remember, you can always check in with us for guidance. Our experts are more than ready to help you with the PCI DSS v4.0 requirements.

Implementing PCI DSS compliance in your business can seem intimidating, especially if you don't have an existing framework to properly protect account data.

To help reduce the scope of your PCI DSS compliance, Adyen offers integrations that handle most of the PCI DSS requirements for you:

• Our Web Drop-in or Components renders the available cards in your payment form, and securely collects any account data and sensitive card information, so it doesn't touch your server

• For a point-of-sale integration, you can use our default End-to-End Encryption (E2EE) solution

While you’ll still need to secure account data before it reaches us, we’re always here to help guide you in the right direction – so be sure to reach out if you have any questions in the meantime.

What are the 12 requirements of PCI DSS?

Before we dive into the 12 requirements of PCI DSS, it's important to understand what are the six guiding principles of the PCI SSC. All 12 requirements are linked to one of the six principles.

Build and maintain a secure network
Protect cardholder data
Maintain a vulnerability management program
Implement strong access control measures
Regularly monitor and test networks
Maintain an information security policy

The main focus of the 12 requirements set by PCI SSC is to protect card data of users. They are:

Install and maintain a firewall configuration to protect cardholder data
Do not use vendor-supplied defaults for system passwords and other security parameters
Protect stored cardholder data
Encrypt transmission of cardholder data across open, public networks
Use and regularly update anti-virus software or programs
Develop and maintain secure systems and applications
Restrict access to cardholder data by business need to know
Assign a unique ID to each person with computer access
Restrict physical access to cardholder data
Track and monitor all access to network resources and cardholder data
Regularly test security systems and processes
Maintain a policy that addresses information security for all personnel

Find out more about the 12 requirements right here.

Is PCI compliance required by law in Australia?

PCI compliance is not required by law in Australia, nor in other markets. However, credit card providers enforce compliance through their contracts to ensure that the PCI DSS standard is met.

About the author: Helen Huyton guides Merchants on PCI DSS related topics with expertise in the risks involved per integration, how to mitigate the risks and which validation documentation is required in order to be PCI compliant.