
PCI DSS Version 4.0 Requirements and Security Controls
PCI DSS Version 4.0 Deadline: March 31, 2025
Payment Card Industry Data Security Standard version 4.0 (PCI DSS v4.0) is effective March 31, 2025. Organizations that intend to remain compliant with the Payment Card Industry's credit card data protection requirements must transition to PCI DSS v4.0 by this date.
Atomicorp’s Atomic OSSEC provides an extended detection and response (XDR) and PCI DSS compliance solution that meets the standard’s evolving security control requirements in system and file integrity, malware detection, vulnerability management, web application security, access control, and overall cardholder data environment (CDE) protection.
PCI DSS Version 4.0: What Are the New Requirements?
Much of the expiring PCI DSS 3.2.1 still applies in PCI DSS 4.0, but the additional control requirements are:
- Application of secure configuration and network security controls beyond software vendor security defaults, such as longer password enforcement and MFA, as laid out in requirements 2.2 and 2.3.
- Stiffer controls to prevent the compromise of sensitive authentication data (SAD) and primary account numbers (PAN), which are sprinkled throughout requirement 3. These new PAN and SAD-specific security requirements demand hardened security over forms and other files.
- The encryption of PAN data during transmission in requirement 4.2.1, and the management of trusted keys and certificates per 4.2.1.1.
- Amendments to requirement 5 that largely replace the previous "antivirus" term with "anti-malware," urging organizations to protect, via scanning and detection, against a larger and broader category of malware including worms, trojan horses, and phishing attacks (5.4.1), and to do so on lower-risk systems as well (5.2.3.1). Requirement 5 also stipulates a vulnerability management program, but this is an existing requirement.
- Controls for protection from web attacks. A web application firewall (WAF) is part of existing PCI DSS 3.2.1’s requirements (see 6.6). PCI DSS 4.0 will require this web protection to monitor software, cloud and web infrastructure access points, and the software code you use (6.4.2).
- Controls restricting access to cardholder data by business need-to-know. PCI DSS 4.0 calls for additional access controls including review of accounts and access privileges (7.2.4 and 7.2.5.1).
- Additional security protocols, including multi-step, multi-factor authentication (MFA), and greater authentication password complexity, specified in requirements 8.2, 8.3, and 8.4.
- A requirement (9.5.1.2.1) governing periodic point of interaction (POI) device inspections, where security software and automation can help.
- Use of automation to perform audit log reviews, in 10.4.1.1, and a risk assessment of where log review in the organization might need to be more frequent (10.4.2.1).
- A requirement for non-service providers (10.7.3) to be able to respond promptly to security control failures. (This was already required of service providers.)
- Wider vulnerability management. Non-critical, non-high-risk vulnerabilities discovered during internal scans must be managed per 11.3.1.1.
- Internal vulnerability scans of applicable devices through authenticated scanning (11.3.1.2), as part of penetration testing.
- A method to detect unauthorized changes to, or tampering with, customer payment pages. This involves hardening the HTTP headers and the payment page content received by the consumer browser, and alerting on unexpected modifications (11.6.1).
- PCI DSS 4.0 also lays out new requirements such as 12.3.4, which calls for a review at least once every 12 months of the hardware and software technologies in use.
- Other requirements that apply to ‘service providers only’ and demand even greater vigilance, transparency, and defense against sophisticated attacks.
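The payment page tamper-detection point (11.6.1) is the one requirement in the list above that maps directly onto a small, concrete mechanism, so here is an added illustration of it. This is example code written for this page, not Atomicorp's or Atomic OSSEC's own implementation: it takes a baseline fingerprint of a payment page (body hash, the security-relevant response headers, and the set of script sources the page loads) and reports every deviation on a later fetch. The page bodies, headers and the `cdn.example-placeholder.test` script origin are constructed for the example; in practice the body and headers would come from an HTTP client rather than string constants.

```python
"""Added example (not Atomicorp's code): a minimal tamper check for a
payment page in the spirit of PCI DSS v4.0 requirement 11.6.1.

The baseline records (a) the SHA-256 of the page body, (b) the
security-relevant HTTP headers and (c) the script sources the page
loads; a later response is compared against it and each drift is
reported. All page bodies and headers below are constructed.
"""
import hashlib
from html.parser import HTMLParser

# Response headers whose presence and value should stay stable on a payment page.
WATCHED_HEADERS = (
    "content-security-policy",
    "strict-transport-security",
    "x-frame-options",
    "x-content-type-options",
)


class _ScriptCollector(HTMLParser):
    """Collects <script src=...> values and counts inline <script> blocks."""

    def __init__(self):
        super().__init__()
        self.sources = set()
        self.inline_scripts = 0

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.sources.add(src)
        else:
            self.inline_scripts += 1


def snapshot(body: str, headers: dict) -> dict:
    """Build a comparable fingerprint of one page response."""
    collector = _ScriptCollector()
    collector.feed(body)
    lowered = {k.lower(): v for k, v in headers.items()}
    return {
        "body_sha256": hashlib.sha256(body.encode("utf-8")).hexdigest(),
        "headers": {h: lowered.get(h) for h in WATCHED_HEADERS},
        "script_sources": sorted(collector.sources),
        "inline_scripts": collector.inline_scripts,
    }


def diff_snapshots(baseline: dict, current: dict) -> list:
    """Return human-readable findings; an empty list means no drift."""
    findings = []
    if baseline["body_sha256"] != current["body_sha256"]:
        findings.append("page body hash changed")
    for h in WATCHED_HEADERS:
        old, new = baseline["headers"][h], current["headers"][h]
        if old != new:
            findings.append(f"header {h} changed: {old!r} -> {new!r}")
    added = set(current["script_sources"]) - set(baseline["script_sources"])
    removed = set(baseline["script_sources"]) - set(current["script_sources"])
    for src in sorted(added):
        findings.append(f"new script source: {src}")
    for src in sorted(removed):
        findings.append(f"script source removed: {src}")
    if current["inline_scripts"] != baseline["inline_scripts"]:
        findings.append(
            f"inline script count changed: "
            f"{baseline['inline_scripts']} -> {current['inline_scripts']}"
        )
    return findings


# --- constructed sample data (not captured from any real site) ---------------
BASELINE_HEADERS = {
    "Content-Security-Policy": "default-src 'self'; script-src 'self'",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "X-Frame-Options": "DENY",
    "X-Content-Type-Options": "nosniff",
}
BASELINE_BODY = (
    '<html><head><script src="/static/checkout.js"></script></head>'
    '<body><form id="card"><input name="pan"></form></body></html>'
)
# A later response in which the CSP was loosened and an unexpected script appeared.
TAMPERED_HEADERS = {**BASELINE_HEADERS, "Content-Security-Policy": "default-src *"}
TAMPERED_BODY = BASELINE_BODY.replace(
    "</head>",
    '<script src="https://cdn.example-placeholder.test/s.js"></script></head>',
)


def check_payment_page(body: str, headers: dict) -> list:
    """Compare a fetched page against the stored baseline."""
    return diff_snapshots(snapshot(BASELINE_BODY, BASELINE_HEADERS), snapshot(body, headers))


if __name__ == "__main__":
    for finding in check_payment_page(TAMPERED_BODY, TAMPERED_HEADERS):
        print("ALERT:", finding)
```

Run against the tampered sample this reports three findings: the body hash changed, the `content-security-policy` header changed, and a new script source appeared. A whole-body hash alone would fire on every legitimate deployment, which is why the header and script-source views are kept separately: they let a reviewer tell a routine content update from a loosened policy or an injected third-party script.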
Atomic OSSEC for PCI DSS Compliance
Explore the more than 100 PCI DSS requirements that can be met with the aid of Atomicorp tools and professional support experience:
- AV, malware detection, network security. Install and maintain a firewall configuration and network security controls to protect cardholder data. Orchestrate AV, antimalware and advanced intrusion detection to servers and CDE endpoints.
- Vulnerability scanning and resolution. Maintain a vulnerability management program – i.e., regularly update anti-virus and anti-malware protections, identify CVEs, and maintain secure applications.
- FIM and continuous monitoring. Protect the storage and transmission of cardholder data, including PANs and SAD, through preventive controls and file detection, protection and redaction capabilities.
- Secure access control. Implement strong access control measures, i.e., least privilege engineering and configuration support; restrict access to cardholder data to authorized users. Identify, monitor and track all access to network resources and cardholder data; routinely test processes and systems.
- Audit controls. Monitor SIEM logs, determine the who, what, where, and when of changes to systems, logs, files and code, and be able to report and prove compliance. Guard against internet-based intrusions and employee theft of data.
- Web application security. Address PCI DSS web application firewall (WAF) security controls on websites, web content platforms, intermediary servers, and more.
- Air gapping. While PCI DSS does not ask specifically for air gapping, it does suggest the use of air gaps to segregate cardholder data from unauthorized access and use.
- Reporting. Benchmark and report PCI DSS compliance via an intuitive management GUI and console.
Learn more about how intrusion prevention, advanced file integrity monitoring (FIM), vulnerability management, and system and file protection in Atomic OSSEC can help you to protect evolving cardholder data environments as required by PCI DSS.
Get an Atomic OSSEC PCI DSS compliance demo.
Start a free 14-day trial period using Atomic OSSEC detection, protection, and compliance.
Visit the Atomicorp PCI compliance page.