
PCI DSS 4.0: what changes have been made to the standard and how to use Hicomply to get up to speed

Since its inception in 2006, PCI DSS (Payment Card Industry Data Security Standard) has been a leading security standard for companies processing, storing and transmitting cardholder data securely. And as technologies continue to evolve, so too do the standard’s requirements.

The latest version of PCI DSS – version 4.0 – was released on 31st March 2022, with the previous version set to be retired at the end of March 2024.

As the latest iteration of payment card security protocol, PCI DSS 4.0 compliance is a necessity for businesses to maintain customer security, showing the world that your business takes data protection seriously.

But achieving PCI DSS 4.0 compliance takes work. Luckily, we’re here to help. Here’s everything you need to know about the changes to the data security standard, including how Hicomply clears the road to accreditation.

PCI DSS 4.0: what’s changed?

PCI DSS 4.0 features changes and updates both big and small. While these changes vary considerably, they can be categorised by their intent to meet four key objectives. These are:

  • Promoting security as a continuous process
  • Meeting the needs of the payment industry as it operates today
  • Enhancing payment validation procedures and methods
  • Adding new methods and flexibility to maintain payment security

We’ve taken a closer look at the key updates to PCI DSS below.

Customising PCI DSS

Arguably the most significant change to PCI DSS is the introduction of the customised approach: a brand new method of meeting requirements. This gives businesses the flexibility to meet security objectives using new tech and innovative controls, allowing them to meet PCI DSS requirements in a more tailored way.

Assessors validate that the customised controls meet PCI DSS requirements by reviewing key documentation, such as the controls matrix and targeted risk analysis, and developing a way to validate the controls.

Customised controls differ from compensating controls, which are required when an organisation is unable to meet a requirement due to a legitimate constraint. Customised controls, by contrast, offer a flexible way to meet strict requirements.

Updating old requirements

Existing PCI DSS requirements have been updated in v4.0, offering major improvements.

These include additional authentication controls, such as strict multi-factor authentication when accessing cardholder data storage. There are also fresh requirements around group, shared, and generic accounts, and clearly defined roles needed for each requirement.

Updated password requirements also feature in v4.0, including the minimum password length requirement rising from 8 to 12 characters.

New requirements

As well as updating existing requirements, PCI DSS 4.0 also incorporates new requirements to prevent and detect new and ongoing threats against the payment industry.

These include new requirements designed to protect against phishing, e-commerce attacks, and e-skimming attacks (when a hacker inserts malicious software into a retailer’s website).

Assessment report enhancements

Both the self-assessment questionnaire (SAQ) and the Report on Compliance (RoC) template receive enhancements in v4.0, helping guide organisations in self-attesting and assessors in documenting results.

What do these changes mean for certified and non-certified organisations?

Both organisations that are already PCI DSS certified and those that have yet to achieve certification can expect to feel the effects of the v4.0 update. PCI certified businesses should review the changes in the official PCI DSS 4.0 document, taking note of the steps they need to take to implement v4.0 by the end of March.

Likewise, those who’ve yet to achieve certification should switch their benchmark to reflect the requirements outlined in PCI DSS 4.0, rather than continuing with v3.2.1 in mind.

PCI DSS 4.0 compliance with Hicomply

Certification can feel like a huge hurdle, but Hicomply makes it simple, offering a one-stop solution for PCI DSS and other vital accreditations. With Hicomply’s ISMS, you can say goodbye to complex internal processes, accountability gaps, poor visibility, and endless spreadsheets.

From scoping documents to mitigation reports, Hicomply takes the headaches and hassle out of PCI DSS certification, dramatically reducing the time and resources needed. Get real-time updates of PCI DSS requirements, tailored to your organisation, with a single, simple platform that clears the road to v4.0 certification.

Not currently using Hicomply? Ready to find out more about what the platform can do for you? Book a demo.