First of All, PCI 4.0 will not remove the previous version (3.2.1) it will enhance the PCI standard (this information is from the “At a Glance” document at www.pcisecuritystandards.org)
What is New in PCI DSS v4.0?
There were many changes incorporated into the latest version of the Standard. Below are examples of some
of those changes. For more details refer to the Summary of Changes from PCI DSS v3.2.1 to
v4.0, found in the PCI SSC Document Library.
Continue to meet the security needs of the payments industry.
Why it is important: Security practices must evolve as threats change.
• Expanded multi-factor authentication requirements.
• Updated password requirements.
• New e-commerce and phishing requirements to address ongoing threats.
Promote security as a continuous process.
Why it is important: Criminals never sleep. Ongoing security is crucial to
protect payment data.
• Clearly assigned roles and responsibilities for each requirement.
• Added guidance to help people better understand how to implement and maintain
• New reporting option to highlight areas for improvement and provide more
transparency for report reviewers.
Increase flexibility for organizations using different methods to
achieve security objectives.
Why it is important: Increased flexibility allows more options to achieve a
requirement’s objective and supports payment technology innovation.
• Allowance of group, shared, and generic accounts.
• Targeted risk analyses empower organizations to establish frequencies for
performing certain activities.
• Customized approach, a new method to implement and validate PCI DSS
requirements, provides another option for organizations using innovative methods to
achieve security objectives.
Enhance validation methods and procedures.
Why it is important: Clear validation and reporting options support
transparency and granularity.
• Increased alignment between information reported in a Report on Compliance or
Self-Assessment Questionnaire and information summarized in an Attestation of
There is an image from PCI standards website as well – but I think I will summarize and try to distill the PCI 4.0 versus 3.2.1
the four headings are about:
- Security improvements – multi-factor Authentication, updated password requirements and new e-commerce and phishing requirements
- Continuous improvement
- Flexibility in the standard to take into account some organizational characteristics.
- Enhance Validation
Even though this is a major upgrade (previous version is 3.x new version is 4.0) This is a clean-up and upgrade edition. If you were not doing these things in a normal manner like continuous improvements, then you should get started.
First PCI 4.0 requires 2FA (Two Factor Authentication), updated password requirements (longer passwords not necessarily more complex), and phishing requirements. Ecommerce got a little update as well (in case you are running your own Ecommerce website).
All items so far should be done in any case – all IT departments should be always updating and increasing security parameters. Password policies should not be an always unchanged item. One must have the Wherewithal to periodically re-evaluate and make changes.
That is how I look at PCI 4.0. it is a review of changes that one ought to be making anyway.
Sometimes as humans we are resistant to change – but continuous security improvements are a good thing and this is just a step on that road.
Contact Us to discuss