PCI DSS Compliance Solutions: Addressing 4.0 Requirements

Simplify PCI DSS 4.0 compliance efforts and protect cardholder data

PCI DSS 4.0 Requirements

The Payment Card Industry Data Security Standard (PCI DSS) is an information security standard that provides a baseline of technical and operational requirements designed to protect payment data and reduce credit card fraud. PCI DSS applies to all entities that store, process, or transmit cardholder data (CHD) and/or sensitive authentication data (SAD).

The new version of the standard was released on March 31, 2022. Changes from the previous version, 3.2.1, include:

  • Expansion of Requirement 8 to implement multi-factor authentication (MFA) for all access into the cardholder data environment.
  • Updated firewall terminology to network security controls to support a broader range of technologies used to meet the security objectives traditionally met by firewalls.
  • Increased flexibility for organizations to demonstrate how they are using different methods to achieve security objectives.
  • Addition of targeted risk analyses to allow entities the flexibility to define how frequently they perform certain activities, as best suited for their business needs and risk exposure.

Details about the updates can be found in the PCI DSS v4.0 Summary of Changes document on the PCI SSC website.


What is PCI DSS?

The Payment Card Industry Data Security Standard (PCI DSS) was developed to encourage and enhance payment card account data security and facilitate the broad adoption of consistent sensitive data security measures globally. PCI DSS provides a baseline of technical and operational requirements designed to protect account data and be a part of an overall information security policy.

Compliance with the Payment Card Industry Data Security Standard (PCI DSS) 4.0

Learn about compliance with PCI DSS 4.0, the latest update to the Payment Card Industry Data Security Standard, and how Thales can help secure cardholder data across hybrid IT environments.


How Thales Helps with PCI DSS Compliance

Drawing on decades of experience helping banks and financial institutions comply with industry mandates, Thales offers integrated products and services that enable your organization to protect stored cardholder data, encrypt it for transfer, restrict access on a need-to-know basis and protect applications managing payment transactions. In addition, Thales works closely with partners to offer comprehensive solutions that can reduce the scope of your PCI DSS compliance burden.


Addressing PCI DSS 4.0 Compliance Requirements

How Thales helps:

  • Discover, analyze and prioritize vulnerabilities.
  • Multi-tenancy and separation of duties.
  • Encrypted non-console administrative access.

Other key data protection and security regulations

PCI HSM

Global | MANDATE | ACTIVE NOW

The PCI HSM specification defines a set of logical and physical security requirements for HSMs used specifically in the payments industry. PCI HSM compliance certification depends on meeting those requirements.

DORA

Global | REGULATION | ACTIVE NOW

DORA aims to strengthen the IT security of financial entities to make sure the financial sector in Europe is resilient in the face of the growing volume and severity of cyber-attacks.

Data Breach Notification Laws

Global | REGULATION | ACTIVE NOW

Data breach notification requirements following loss of personal information have been enacted by nations around the globe. They vary by jurisdiction but almost universally include a “safe harbor” clause.
