PCI DSS v4.0 Overview
Last updated: October 21, 2024
The Payment Card Industry Data Security Standard (PCI DSS) is a set of security standards designed to ensure that all organizations that accept, process, store, or transmit credit card information maintains a secure environment. The PCI DSS standard was developed by the PCI DSS Council. The council is made up of credit card companies such as Visa, MasterCard, American Express, Discover, and JCB. PCI DSS version 3.2.1 was officially retired on March 31, 2024 and version 4.0 became the industry standard moving forward. On March 31, 2025 all version 4.0 requirements will become mandatory.
Note: On June 11, 2024 PCI DSS v4.0.1 was released. This latest release is a “limited revision of PCI DSS v4.0” which includes corrections for typographical and other minor errors. There are no new requirements, and no requirements have been added or removed. Additional information on the summary of changes can be found in the References section at the end of this document.
PCI-DSS has 12 main requirements and more than 300 sub-requirements. These 12 requirements are technical and operational. The requirements are organized into six control objectives, and cover areas such as network security, password management, data protection, and access control.
PCI DSS v4.0.x has the following six control objectives:
-
Build and Maintain a Secure Network and Systems
-
Protect Account Data
-
Maintain a Vulnerability Management Program
-
Implement Strong Access Control Measures
-
Regularly Monitor and Test Networks
-
Maintain an Information Security Policy
Compliance with PCI DSS is required for any organization that stores, processes, or transmits cardholder data (CHD) and/or sensitive authentication data (SAD) or could impact the security of the cardholder data environment (CDE). This requirement includes all entities involved in payment processing – merchants, processors, acquirers, issuers, and other service providers. Cardholder data and sensitive authentication data are defined as:
Cardholder Data | Sensitive Authentication Data |
---|---|
Primary Account Number (PAN) | Full track data (magnetic stripe data or chip equivalent on a chip) |
Cardholder Name | Card verification code |
Expiration Date |
PINs/PIN blocks |
Service Code |
Depending on the number of transactions an organization processes annually and the specific payment brand involved, there are four different levels of compliance validation requirements, commonly known as classifications:
-
PCI Level 1 - Businesses processing over 6 million transactions annually
-
PCI Level 2 - Businesses processing 1 to 6 million transactions annually
-
PCI Level 3 - Businesses processing 20,000 to 1 million transactions annually
-
PCI Level 4 - Businesses processing less than 20,000 transactions annually
Currently, PCI Level 1 requires an annual report be conducted by a Qualified Security Assessor (QSA), or an Internal Security Assessor (ISA). A QSA will typically visit the organization to conduct an audit, while the ISA can be a member of the organization, who is properly trained to conduct an assessment, and act as a liaison to external auditors. PCI Level 1 is the strictest of all classifications. Any organization, regardless of classification, is subject to an external audit, even if the organization is not a PCI Level 1 merchant.
In addition, all PCI Level merchants also require the following:
-
Vulnerability Scanning to be completed Quarterly. Tenable’s PCI ASV (Approved Scanning Vendor) streamlines the quarterly external vulnerability scan submission and dispute process as required by PCI 11.3.2. With pre-configured scan templates and an efficient evidence/dispute resolution process, Tenable can quickly prepare an Attestation of Scan Compliance (AOSC) for merchants and service providers.
-
Annual or Semi-annual Penetration Test, as required by PCI 11.4.3, depending on the organizational PCI requirements (Note: Not required for PCI Level 3 or PCI Level 4 Merchants, however these organizations would benefit from conducting a penetration test, as least annually)
-
Completion of a Self-Assessment Questionnaire (SAQ). Note: There are different types of SAQ depending on the scope of the audit. See PCI DSS documentation for more information.
-
Completion of an Attestation of Compliance (AOC). This form states you have complied with the required standards to satisfy PCI DSS requirements.
-
PCI Requirement 11.3.1 makes vulnerability scanning mandatory at least once every three months, and recommends more frequent scanning depending on network complexity.
Organizations can best determine their level of PCI compliance by coordinating with their service provider.
Failure to comply with PCI DSS can result in fines imposed by credit card companies, restriction or limitations on processing payments, and reputational damage arising from security breaches. Therefore organizations handling credit card information are strongly encouraged to adhere to PCI DSS standards to protect cardholder data and maintain trust with their customers.