PCI DSS 4.0 Changes
Learn about the new requirements coming up in PCI DSS 4.0
PCI DSS 4.0, the latest version of the Payment Card Industry Data Security Standard, marks a significant evolution in the standards set for the protection of cardholder data. This comprehensive update aims to address the ever-changing threat landscape, incorporating new technologies and methodologies for securing payment data. This blog post delves into the key aspects of PCI DSS 4.0, including its requirements, timeline, changes from the previous version, and specific guidelines regarding password and encryption standards. In this post, PAN is shorthand for Primary Account Number (aka Card Number).
The PCI Security Standards Council (PCI SSC) officially released PCI DSS 4.0 in March 2022, which is also its effective date. Organizations have been given a transition period to migrate from PCI DSS 3.2.1 to 4.0, with full enforcement of the new standard expected by March 2025. This phased approach is designed to give entities sufficient time to understand the new requirements, assess their current security posture, and implement the necessary changes without rushing, thereby ensuring a smooth transition.
Comparing PCI DSS 4.0 to its predecessor, 3.2.1, the latest version introduces significant enhancements in flexibility, security practices, and technological adoption. The shift towards a customized approach to compliance, stronger authentication requirements, and updated encryption standards highlight the PCI SSC's commitment to adapting the standard to the current threat environment and technological landscape.
PCI DSS 4.0 represents a major step forward in securing payment environments, acknowledging the need for flexibility in achieving security objectives while maintaining a high standard for protecting cardholder data. As organizations transition to this new standard, the emphasis on continuous security, adaptability, and robust control measures will play a critical role in safeguarding the payment ecosystem against emerging threats.
A summary of the new requirements in PCI DSS 4.0 follows.
Technical controls to prevent copy and/or relocation of PAN (Primary Account Number aka Card number) when using remote-access technologies except with explicit authorization.
3.4.2 When using remote-access technologies, technical controls prevent copy and/or relocation of PAN (Primary Account Number aka Card number) for all personnel, except for those with documented, explicit authorization and a legitimate, defined business need.
Strac Endpoint and SaaS/Cloud DLP can achieve this new requirement by automatically scanning for sensitive PCI data in files (pdf, jpeg, png, images, docx, xlsx, screenshots) and redacting, blocking, or deleting it. Strac offers Endpoint DLP (https://www.strac.io/endpoint-dlp) as well as SaaS/Cloud DLP integrations (https://www.strac.io/saas-dlp).
Relocation of PAN (Primary Account Number aka Card number) to unauthorized storage devices is a common way for this data to be obtained and used fraudulently. Methods to ensure that only those with explicit authorization and a legitimate business reason can copy or relocate PAN minimize the risk of unauthorized persons gaining access to PAN.
PAN (Primary Account Number aka Card number) cannot be copied or relocated by unauthorized personnel using remote-access technologies.
Storing or relocating PAN (Primary Account Number aka Card number) onto local hard drives, removable electronic media, and other storage devices brings these devices into scope for PCI DSS. A virtual desktop is an example of a remote-access technology. Storage devices include, but are not limited to, local hard drives, virtual drives, removable electronic media, network drives, and cloud storage.
Hashes used to render PAN (Primary Account Number aka Card number) unreadable are keyed cryptographic hashes of the entire PAN with associated key management processes and procedures.
3.5.1.1 Hashes used to render PAN (Primary Account Number aka Card number) unreadable are keyed cryptographic hashes of the entire PAN, with associated key-management processes and procedures in accordance with Requirements 3.6 and 3.7.
Strac Endpoint and SaaS/Cloud DLP can achieve this new requirement by automatically redacting sensitive PCI data in files (pdf, jpeg, png, images, docx, xlsx, screenshots): the original PCI data is removed and replaced with a link to Strac Vault. Strac offers Endpoint DLP (https://www.strac.io/endpoint-dlp) as well as SaaS/Cloud DLP integrations (https://www.strac.io/saas-dlp).
This requirement applies to PAN (Primary Account Number aka Card number) stored in primary storage (databases, or flat files such as text files and spreadsheets) as well as in non-primary storage (backups, audit logs, exception or troubleshooting logs); all of it must be protected. This requirement does not preclude the use of temporary files containing cleartext PAN while encrypting and decrypting PAN.
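As an added illustration that is not from the original post or from Strac, the Python sketch below shows the shape of a hash that fits the wording of 3.5.1.1: an HMAC-SHA256 over the whole normalized PAN, prefixed with a key identifier so the key can be rotated under the Requirement 3.6 and 3.7 key-management processes. The key table, key ids and PANs are constructed sample values; real keys would come from an HSM or KMS.

```python
import hashlib
import hmac
import re

# Constructed demo keys, indexed by key identifier. In production these live in an
# HSM or KMS and are generated, distributed, rotated and retired under 3.6 and 3.7.
DEMO_KEYS = {
    "k2023": bytes.fromhex("00" * 32),  # rotated out; kept only to verify old hashes
    "k2024": bytes.fromhex("11" * 32),  # current key
}
CURRENT_KEY_ID = "k2024"


def normalize_pan(raw: str) -> str:
    """Strip separators so the *entire* PAN is hashed identically however it was formatted."""
    digits = re.sub(r"[ -]", "", raw)
    if not digits.isdigit() or not 13 <= len(digits) <= 19:
        raise ValueError("PAN must be 13-19 digits")
    return digits


def keyed_pan_hash(pan: str, key_id: str = CURRENT_KEY_ID, keys=DEMO_KEYS) -> str:
    """HMAC-SHA256 over the full PAN; the key-id prefix records which key produced it."""
    mac = hmac.new(keys[key_id], normalize_pan(pan).encode("ascii"), hashlib.sha256)
    return f"{key_id}${mac.hexdigest()}"


def verify_pan_hash(pan: str, stored: str, keys=DEMO_KEYS) -> bool:
    """Recompute under the key named in the stored value and compare in constant time."""
    key_id, _ = stored.split("$", 1)
    if key_id not in keys:
        return False  # key retired and destroyed: the hash can no longer be verified
    return hmac.compare_digest(keyed_pan_hash(pan, key_id, keys), stored)


def needs_rehash(stored: str, current_key_id: str = CURRENT_KEY_ID) -> bool:
    """True when the stored hash was produced under a key that has since been rotated."""
    return stored.split("$", 1)[0] != current_key_id
```

Because the key id travels with the digest, a rotation is a re-hash of records where `needs_rehash` is true, after which the old key can be retired.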
Incident response procedures are in place and initiated upon detection of PAN (Primary Account Number aka Card number).
12.10.7 Incident response procedures are in place, to be initiated upon the detection of stored PAN (Primary Account Number aka Card number) anywhere it is not expected, and include:
• Determining what to do if PAN is discovered outside the CDE, including its retrieval, secure deletion, and/or migration into the currently defined CDE, as applicable.
• Identifying whether sensitive authentication data is stored with PAN.
• Determining where the account data came from and how it ended up where it was not expected.
• Remediating data leaks or process gaps that resulted in the account data being where it was not expected.
Having documented incident response procedures that are followed in the event that stored PAN is found anywhere it is not expected to be, helps to identify the necessary remediation actions and prevent future leaks.
Processes are in place to quickly respond, analyze, and address situations in the event that cleartext PAN is detected where it is not expected.
Critically evaluate all CDE and connected system components to determine the necessary coverage of PCI DSS. A data discovery tool or methodology can be used to identify all sources and locations of PAN, and to look for PAN that resides on systems and networks outside the currently defined CDE or in unexpected places within the defined CDE, for example in an error log or memory dump file. This approach helps ensure that previously unknown locations of PAN are detected and that the PAN is either eliminated or properly secured.
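The discovery step described above, as an added example that is not from the original post or from Strac: a small Python scanner that walks constructed log lines, keeps only digit runs that pass the Luhn check, and reports each hit with the PAN truncated to first six and last four, so the finding itself does not become another unexpected copy of cleartext PAN.

```python
import re

# Candidate: 13-19 digits, optionally separated by spaces or dashes, not inside a longer digit run.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn check digit; filters out timestamps, IDs and other digit runs that merely look like PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def truncate_pan(digits: str) -> str:
    """Keep at most the first six and last four digits; the middle is masked."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def scan_log(lines):
    """Return (line_number, truncated_pan) for every Luhn-valid candidate; never the full PAN."""
    findings = []
    for lineno, line in enumerate(lines, start=1):
        for m in PAN_CANDIDATE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group())
            if luhn_valid(digits):
                findings.append((lineno, truncate_pan(digits)))
    return findings


# Constructed sample log lines: an error log that accidentally captured a request body.
SAMPLE_LOG = [
    "2024-03-01T10:00:01Z INFO order=1709287201000 status=ok",
    '2024-03-01T10:00:02Z ERROR gateway timeout body={"pan":"4111 1111 1111 1111","exp":"12/26"}',
    "2024-03-01T10:00:03Z DEBUG retry token=5500000000000004 attempt=2",
    "2024-03-01T10:00:04Z INFO trace=4111111111111112 (constructed: fails Luhn)",
]

if __name__ == "__main__":
    for lineno, masked in scan_log(SAMPLE_LOG):
        print(f"line {lineno}: possible PAN {masked}")
```

Lines 2 and 3 are reported (the order id on line 1 and the trace value on line 4 fail Luhn), which is the trigger for the 12.10.7 procedures: retrieve or securely delete, check for stored SAD, trace the source, and fix the logging gap.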
For all the above new requirements, Strac is a SaaS/Cloud DLP and Endpoint DLP solution that helps businesses stay PCI DSS compliant with its modern features: