Publication date: June 7, 2024

Preparing for PCI DSS Version 4

Written by Elevate

The Payment Card Industry Data Security Standard (PCI DSS) and the associated PCI Security Standards are detailed security standards that exist to protect cardholder data and secure payment transactions.

These standards are overseen by the Payment Card Industry Security Standards Council (PCI SSC), a diverse global body that develops, maintains, and manages the standards for the protection of payment data.

The Purpose of PCI Security Standards 

The primary purpose of the PCI DSS and the library of PCI Security Standards is to provide essential frameworks and methodologies for protecting account data and ensuring the secure handling of payment card information by merchants and service providers. Account data consists of cardholder data, namely the primary account number (PAN), cardholder name, expiration date and service code, together with sensitive authentication data such as full track data, PINs and PIN blocks, and card verification codes (e.g., CVV2, CVC2). The standards apply to:

  • Entities that Store, Process, or Transmit Cardholder Data: Any organization handling payment card data must adhere to these standards to minimize data protection risks and reduce the risk of breaches.
  • Entities Accepting or Processing Payment Transactions: This includes merchants, payment processors, acquirers, and issuers who are involved in the lifecycle of payment transactions.
  • Developers and Manufacturers of Software and Devices: Companies that create and provide the software and hardware used in payment transactions must also comply with PCI standards. Examples include payment application developers, point-of-sale (POS) system manufacturers, and producers of hardware security modules (HSMs).

Demonstrating the Breadth of PCI Standards

To address the various needs of organizations maintaining payment ecosystems, the PCI SSC has developed, and continues to maintain, many standards that provide additional detail supplemental to the PCI DSS. The following are select examples of these standards, offered as a reference to the holistic nature of the PCI SSC's approach.

Table 1 - PCI Standards

  • Payment Card Industry Data Security Standard (PCI DSS)
    Description: The core standard; a set of requirements to protect cardholder data during processing, transmission, and storage.
    Example: A retailer must comply with the DSS to secure card data stored in its databases and processed during transactions.
  • Point-to-Point Encryption (P2PE)
    Description: Requirements for encrypting card data from the point of interaction to the secure decryption endpoint, reducing the risk of data breaches.
    Example: A payment terminal at a retail store encrypts card data immediately upon swipe, and the data is decrypted only at a secure decryption endpoint.
  • PIN Transaction Security Point of Interaction (PTS POI)
    Description: Requirements for protecting cardholder data at the point of interaction, including ATMs and point-of-sale (POS) devices.
    Example: A manufacturer of ATMs adheres to PTS POI requirements to protect cardholder data during ATM transactions.
  • Secure Software Lifecycle (Secure SLC)
    Description: Requirements for developing and maintaining secure software used in payment processing.
    Example: A software development company follows the Secure SLC standard to build security into its payment application from inception through updates.
  • Token Service Provider (TSP)
    Description: Requirements for entities providing tokenization, which replaces sensitive card data with a token, thereby enhancing security and data protection.
    Example: An online payment processor uses tokenization to replace actual card numbers with tokens during online transactions.
  • Payment Card Industry 3D Secure (PCI 3DS) Core Security Standard
    Description: Requirements for secure online transactions using the 3D Secure protocol to authenticate cardholders, enhancing the security of e-commerce transactions by adding an additional layer of verification.
    Example: An e-commerce platform implements 3D Secure to authenticate customers during online purchases, reducing the risk of fraud by requiring additional cardholder verification, such as a one-time code or biometric check.
  • Contactless Payments on Commercial Off-the-Shelf (CPoC) Devices
    Description: Requirements for securing contactless payments accepted on commercial off-the-shelf devices such as smartphones and tablets.
    Example: A small business uses a smartphone app to accept contactless payments, following the CPoC standard for security.
  • PIN Transaction Security Hardware Security Module (PTS HSM)
    Description: Requirements for secure hardware modules used in cryptographic processes within payment systems.
    Example: A bank uses PTS-approved HSMs to securely generate and manage the cryptographic keys used in PIN verification.

The PCI SSC continues to develop new standards and evolve existing ones to adapt to industry changes and innovations. While there are many other important standards, the key standard when considering PCI implementation remains the PCI DSS.

What is PCI DSS

The PCI DSS was established to promote the security of card payments and card account data. The goal is to drive the adoption and implementation of consistent data security practices worldwide. The standard is administered by the PCI SSC, which was founded by the major card brands (Visa, Mastercard, Discover Financial Services, JCB International and American Express); the brands, together with acquirers, enforce compliance through their own compliance programs.

PCI DSS Compliance and Compliance Levels

To effectively implement the PCI DSS there are several key areas to consider. These include:

  1. How the organization is involved with payment transactions.
  2. Whether the organization stores, processes, or transmits cardholder data.
  3. Which technical and business processes are tied to transaction-based activities.
  4. How many transactions in which the organization participates annually.

These items help an organization identify its PCI scope, one of the most important activities throughout the compliance lifecycle. Many types of organizations must achieve PCI compliance, including, but not limited to, merchants, payment processors, financial institutions, and service providers that handle cardholder data.

To support validation of compliance, the card brands classify merchants into four levels determined by the annual volume of credit or debit card transactions. The level determines how compliance must be validated (an assessor-led assessment versus a self-assessment), not which requirements apply: every applicable PCI DSS requirement applies regardless of level. The thresholds below are Visa's; the other brands use similar but not identical definitions, and a brand or acquirer may assign a higher level to a merchant at its discretion (for example, after a breach).

  1. Level 1: Merchants that process over 6 million card transactions per year across all channels. This level includes large-scale businesses with high transaction volumes.
    • To validate compliance, Level 1 merchants must undergo an annual on-site assessment resulting in a Report on Compliance (ROC), performed by a Qualified Security Assessor (QSA) or a qualified internal auditor (Internal Security Assessor, ISA), and complete quarterly external vulnerability scans by an Approved Scanning Vendor (ASV).
  2. Level 2: Merchants processing 1 to 6 million transactions per year across all channels.
    • To validate compliance, Level 2 merchants must complete an annual Self-Assessment Questionnaire (SAQ) and quarterly external scans by an ASV.
  3. Level 3: Merchants that handle 20,000 to 1 million e-commerce transactions annually.
    • To validate compliance, they must complete an annual SAQ and quarterly external scans by an ASV.
  4. Level 4: Merchants processing fewer than 20,000 e-commerce transactions per year, and all other merchants processing up to 1 million transactions per year across all channels.
    • To validate compliance, they must complete an annual SAQ and quarterly external scans by an ASV; acquirers may set additional validation requirements for Level 4 merchants.

PCI DSS Requirements

The PCI DSS consists of twelve core requirements grouped under six goals: build and maintain secure networks and systems, protect account data, maintain a vulnerability management program, implement strong access control measures, regularly monitor and test networks, and maintain an information security policy.

  1. Build and Maintain Secure Networks and Systems: Install and maintain network security controls (firewalls and equivalent technologies) and apply secure configurations to all system components, which includes changing vendor-supplied defaults such as default passwords before a system goes into production.
  2. Protect Account Data: Minimize the storage of cardholder data, never store sensitive authentication data after authorization, mask the PAN wherever it is displayed, render stored PAN unreadable (for example with strong cryptography or truncation), and use strong cryptography to protect cardholder data in transit over open, public networks.
  3. Maintain a Vulnerability Management Program: Protect all systems and networks from malicious software, and develop and maintain secure systems and software, including a systematic process to identify, rank, and remediate vulnerabilities (for example through timely patching) across endpoints and systems.
  4. Implement Strong Access Control Measures: Restrict access to system components and cardholder data to those with a business need to know, identify every user with a unique ID and authenticate all access (under v4.0, multi-factor authentication is required for all access into the cardholder data environment), and restrict physical access to cardholder data.
  5. Regularly Monitor and Test Networks: Log and monitor all access to system components and cardholder data, review logs and security events regularly, and regularly test the security of systems and networks through vulnerability scans and penetration tests.
  6. Maintain an Information Security Policy: Implement and maintain information security policies and procedures for all personnel, including regular security awareness training so that staff are aware of and adhere to security practices.

PCI DSS Version 4.0 Readiness

PCI DSS Version 4.0 was published on March 31, 2022 and, after a two-year transition period, became the only active version on March 31, 2024, when v3.2.1 was retired; assessments from that date must be performed against v4.0. This version introduces new requirements, updates existing ones, and adds a more flexible approach to validating compliance, so that the standard remains effective in safeguarding the payment ecosystem as technologies and threats change. The following timeline graphic provides a high-level overview of the PCI DSS v4.0 implementation dates. As seen, there was a transition period from v3.2.1 to v4.0 to give organizations time to adapt. Note that most of the new requirements are future-dated: they are considered best practice until March 31, 2025, after which they become mandatory. Examples include technical controls to prevent copying or relocating PAN and limits on relying on disk-level encryption alone for stored PAN, anti-phishing protection for personnel, and periodic review of user accounts and access privileges.

Figure 1 – PCI DSS v4.0 Timeline


Ensure PCI DSS Compliance with Version 4

The PCI DSS v4.0 was created to address the evolving security needs of the payment industry, incorporating feedback from global stakeholders and adapting to changes in technology and the threat landscape. Compliance with PCI DSS 4.0 remains crucial for organizations that handle cardholder data. As such, here are a few items we recommend for an organization to effectively move forward with PCI DSS v4.0:

  1. Understand the New Requirements and Changes: Become familiar with the key updates in the latest version. These include:
    • Increased Flexibility and Customization: For each requirement, organizations can now choose between the defined approach (following the requirement as written) and the customized approach, under which an organization meets the requirement's stated objective with controls of its own design, supported by a targeted risk analysis and documentation that the assessor tests.
    • Enhanced Security Requirements: Several requirements were updated to address evolving threats. This includes changes to authentication (e.g., multi-factor authentication, shared and generic accounts, password length and rotation requirements), cryptographic controls, and network security.
    • Focus on Risk Management: PCI DSS v4.0 places greater emphasis on risk management. Organizations must identify, assess, and manage risks specific to their environment, and where a requirement lets the entity set its own frequency for an activity, a targeted risk analysis must justify the frequency chosen.
    • Improved Guidance and Clarity: The guidance provided as part of the standard has been expanded to help organizations understand the requirements and how to implement them. This includes more detailed explanations and examples.
  2. Review the PCI DSS 4.0 Documentation: Take the time to review the PCI DSS v4.0 documentation thoroughly to understand the requirements and implications for your organization.
    • Consider attending training sessions, webinars, and workshops offered by accredited organizations to understand the nuances of the new requirements.
  3. Determine or Reassess PCI Scope: Scoping the organization's PCI environment remains a crucial step for compliance, and v4.0 requires that scope be documented and confirmed at least once every 12 months and after significant changes. We recommend:
    • Identifying and documenting cardholder data flows that show where such data is stored, processed, or transmitted within the organization.
    • Defining the cardholder data environment (CDE) so that all relevant systems and networks, including systems connected to or able to affect the security of the CDE, are included in scope.
    • Reviewing network segmentation and its effectiveness in isolating the CDE from non-sensitive environments to reduce scope, and testing that segmentation at least annually (every six months for service providers).
    • Involving stakeholders from IT, security, and business units early to validate the identified scope and confirm sufficient coverage.
  4. Perform a Gap Analysis: Conducting a comprehensive gap analysis is crucial to determine your organization's current compliance status and identify areas for improvement. It is useful to compare the current PCI DSS v3.2.1 compliance status against the v4.0 requirements, paying particular attention to the future-dated requirements.
  5. Develop a Transition Plan: Develop a detailed project plan outlining the steps to transition to PCI DSS v4.0. This may include timelines, milestones, specific tasks and responsible individuals or groups.  
  6. Update Policies and Procedures: Review and update your organization’s policies and procedures to align with the new requirements of PCI DSS Version 4.0. This includes updating incident response plans, access control policies, and data protection protocols. 
  7. Implement New Security Controls: Implement or upgrade security technologies, solutions, or tools as required to meet the new standards such as enhanced authentication mechanisms, encryption, and continuous monitoring. This may also include strengthening existing controls to meet updated requirements (e.g., multi-factor authentication or vulnerability management procedures).  
  8. Conduct Training and Awareness: Conduct training sessions for employees to make sure they understand their roles in maintaining PCI DSS compliance. This also includes security awareness programs to keep personnel informed about security practices.  
  9. Perform Regular Assessments: Conduct regular internal assessments to verify compliance with PCI DSS v4.0 (e.g., a readiness assessment). It may be helpful to engage third-party experts to support both the remediation items above and assessment activities; this provides an impartial, expert perspective.
  10. Engage with Qualified Assessors: Work with Qualified Security Assessors (QSAs) and Approved Scanning Vendors (ASVs) to conduct scheduled assessments and quarterly external vulnerability scans.
  11. Monitor and Test Continuously: Establish a process for continuous monitoring and testing of your security environment to support ongoing compliance with PCI DSS Version 4.0. Regularly assess and update your security measures to address emerging threats and vulnerabilities.

These best practices and key action items will support your organization on its path to PCI DSS v4.0 compliance. Achieving and maintaining compliance can be a complex, time-consuming, and challenging effort. For this reason, we recommend taking full advantage of expert resources for success.

At Elevate we specialize in helping organizations navigate the intricacies of PCI DSS compliance and implementing best practices to enhance security posture to an appropriate level for compliance. Compliance is an ongoing process, and we provide support throughout the compliance lifecycle (e.g., remediation, readiness assessment, external audit support). For any questions, please reach out to speak with one of our PCI compliance experts. 
