With evolving threats and new perspectives for effective cybersecurity and privacy practices, the PCI DSS standard has undergone significant changes that we will explore in this research.
Key Changes to PCI DSS 4.0 include:
1. Expanded Scope
PCI DSS scoping has never been limited to the systems that store, process or transmit cardholder data: components that are connected to the cardholder data environment (CDE), or that can affect its security, are in scope even if they never handle card data. Version 4.0 makes this explicit and adds requirements aimed at service providers, software developers and newer technologies such as mobile payment applications and cloud environments. In practice, a scoping exercise may conclude that a critical third-party provider must meet the requirements of the standard even though its role in the architecture does not involve card information directly.
2. Enhanced Authentication
The authentication requirements have been strengthened. The previous version (3.2.1) already required multi-factor authentication (MFA) for all non-console administrative access into the CDE; version 4.0 goes further and requires MFA for all access into the CDE, for every user and not only administrators (Requirement 8.4.2, mandatory from March 31, 2025). The standard also specifies how MFA must be implemented (Requirement 8.5.1): at least two different types of factors must be used, the system must resist replay attacks and must not be bypassable, and access is granted only after all factors succeed. What may previously have been treated as a best practice for non-administrative users is now a mandatory requirement.
3. Emphasis on Penetration Testing
The updated standard reinforces penetration testing as an essential security measure. Organizations must follow a defined, documented methodology (Requirement 11.4.1) and conduct regular, comprehensive internal and external testing to identify vulnerabilities, assess potential risks and prioritize remediation; exploitable vulnerabilities found during testing must be corrected and the test repeated to verify the fix. The intent is to improve responsiveness to potential attacks. Multi-tenant service providers must additionally support their customers' external penetration testing (Requirement 11.4.7), by providing evidence that their own infrastructure has been tested and by making it easier for customers to run their own tests. This control becomes mandatory on March 31, 2025. Under the previous version it was enough to show that testing had been planned and performed at least once a year and after significant changes; the new version expects a level of maturity proportional to the risk posed by the vulnerabilities found.
4. Secure Software Development Lifecycle (SDLC)
Technological changes in infrastructures linked to the transition to cloud services, the adoption of container-based platforms, orchestration and microservices, and the implementation of development practices such as DevOps, have highlighted the need to adapt the PCI DSS standard to the new times in order to meet the challenges posed by emerging threats to payment card data.
For secure development, the scope is broadened from "applications" to bespoke and custom software in general, and the requirement clarifies that its controls apply to all system components in scope. Code review must be carried out in accordance with secure coding guidelines, must look for both existing and emerging vulnerabilities, and (for manual reviews) must be performed by someone other than the author, with corrections applied before the code is released into production. Many organizations are adjusting their Secure SDLC practices to ensure compliance.
5. Evolving Threats and Risk Management
One of the most representative changes in the standard is its focus on targeted risk analysis. The new version requires a specific, targeted risk analysis for those PCI DSS controls where the entity is allowed to choose the frequency of execution (Requirement 12.3.1) and whenever the customized approach is used (Requirement 12.3.2). The analysis must document the rationale for, and the frequency of, each such control so as to minimize the likelihood that the identified threats materialize against the assets in scope. Each targeted risk analysis must be reviewed at least every 12 months, and Requirement 12.3.1 becomes mandatory on March 31, 2025. The enterprise-wide risk assessment required by the previous version of the standard is no longer a requirement and is now only a recommendation.