Any company that processes payments knows the pain of an audit under the Payment Card Industry Data Security Standard (PCI DSS). Although the original PCI DSS had gone through various updates, the Payment Card Industry Security Standards Council (PCI SSC) took feedback from the global payments industry to address evolving security needs. The March 2022 release of PCI DSS 4.0 incorporated changes that intend to promote security as an iterative process while ensuring continued flexibility so that organizations could achieve security objectives based on their needs.
To give companies time to address new requirements, audits will begin incorporating the majority of the new changes beginning March 31, 2025. However, some issues will be included in audits beginning immediately.
Why did the Payment Card Industry Security Standards Council (PCI SSC) update the standard?
At a high level, PCI DSS 4.0 responds to changes in IT infrastructures arising from digital transformation and Software-as-a-Service (SaaS) applications. According to PCI SSC’s press release, changes will enhance validation methods and procedures.
When considering PCI DSS 4.0 scope, organizations need to implement controls around the following types of account data:
- Cardholder Data: Primary Account Number (PAN), Cardholder Name, Expiration Date, Service Code
- Sensitive Authentication Data (SAD): Full track data (magnetic stripe or chip equivalent), card verification code, Personal Identification Numbers (PINs)/PIN blocks.
To get a sense of how the PCI SSC shifted focus when drafting PCI DSS 4.0, you can take a look at how the organization renamed some of the Requirements:
| PCI Categories | PCI 3.2.1 | PCI 4.0 |
| Build and Maintain a Secure Network and Systems |
|
|
| Protect Cardholder Data
(Updated to Protect Account Data in 4.0) |
|
3. Protect stored account data
4. Protect cardholder data with strong cryptography during transmission over open, public networks
|
| Maintain a Vulnerability Management Program |
|
5. Protect all systems and networks from malicious software
6. Develop and maintain secure systems and software |
| Implement Strong Access Control Measures |
|
7. Restrict access to system components and cardholder data by business need to know
8. Identify users and authenticate access to system components 9. Restrict physical access to cardholder data |
| Regularly Monitor and Test Networks |
|
10. Log and monitor all access to system components and cardholder data
11. Test security of systems and networks regularly |
| Maintain an Information Security Policy |
|
12. Support information security with organizational policies and programs |
While PCI SSC expanded the requirements to address larger security and privacy issues, many of them remain fundamentally the same as before. According to the Summary of Changes, most updates fall into one of the following categories:
- Evolving requirement: changes that align with emerging threats and technologies or changes in the industry
- Clarification or guidance: updated wording, explanation, definition, additional guidance, and/or instruction to improve people’s understanding
- Structure or format: content reorganization, like combining, separating, or renumbering requirements
For organizations that have previously met PCI DSS compliance objectives, those changes place little additional burden.
However, PCI DSS 4.0 does include changes to Requirements that organizations should consider.
What new Requirements are immediately in effect for all entities?
While additions are effective beginning March 31, 2025, three primary issues affect current PCI audits.
Holistically, PCI DSS now includes the following sub requirement across Requirements 2 through 11:
Roles and responsibilities for performing activities for Requirement are documented, assigned, and understood.
Additionally, under Requirement 12, all entities should be:
- Performing a targeted risk analysis for each PCI DSS requirement according to the documented, customized approach
- Documenting and confirming PCI DSS scope every 12 months
What updates are effective March 31, 2025 for all entities?
As the effective date for all requirements draws closer, organizations should consider the major changes that impact their business, security, and privacy operations.
Requirement 3
PCI DSS 4.0 incorporates the following new requirements:
- Minimizing the SAD stored prior to completion and retaining it according to data retention and disposal policies, procedures and processes
- Encrypting all SAD stored electronically
- Implementing technical controls to prevent copying/relocating PAN when using remote-access technologies unless requiring explicit authorization
- Rendering PAN unreadable with keyed cryptographic hashes unless requiring explicit authorization
- Implementing disk-level or partition-level encryption to make PAN unreadable
Requirement 4
PCI DSS 4.0 incorporates the following new requirements:
- Confirming that certificates safeguarding PAN during transmission across open, public networks are valid, not expired or revoked
- Maintaining an inventory of trusted keys and certificates
Requirement 5
PCI DSS 4.0 incorporates the following new requirements:
- Performing a targeted risk analysis to determine how often the organization evaluates whether system components pose a malware risk
- Performing targeted risk analysis to determine how often to scan for malware
- Performing anti-malware scans when using removable electronic media
- Implementing phishing attack detection and protection mechanisms
Requirement 6
PCI DSS 4.0 incorporates the following new requirements:
- Maintaining an inventory of bespoke and custom software for vulnerability and patch management purposes
- Deploying automated technologies for public-facing web applications to continuously detect and prevent web-based attacks
- Managing payment page scripts loaded and executed in consumers’ browsers
Requirement 7
PCI DSS 4.0 incorporates the following new requirements:
- Reviewing all user accounts and related access privileges
- Assigning and managing all application and system accounts and related access privileges
- Reviewing all application and system accounts and their access privileges
Requirement 8
PCI DSS 4.0 incorporates the following new requirements:
- Implementing a minimum complexity level for passwords used as an authentication factor
- Implementing multi-factor authentication (MFA) for all CDE access
- Ensuring MFA implemented appropriately
- Managing interactive login for system or application accounts
- Using passwords/passphrases for application and system accounts
- Protecting passwords/passphrases for application and system accounts against misuse
Requirement 9
PCI DSS 4.0 incorporates the following new requirements:
- Performing targeted risk analysis to determine how often POI devices should be inspected
Requirement 10
PCI DSS 4.0 incorporates the following new requirements:
- Automating the review of audit logs
- Performing a targeted risk analysis to determine how often to review system and component logs
- Detecting, receiving alerts for, and addressing critical security control system failures
- Promptly responding to critical security control system failures
Requirement 11
PCI DSS 4.0 incorporates the following new requirements:
- Managing vulnerabilities not ranked as high-risk or critical
- Performing internal vulnerability scans using authenticated scanning
- Deploying a change-and-tamper-detection mechanism for payment pages
Requirement 12
PCI DSS 4.0 incorporates the following new requirements:
- Documenting the targeted risk analysis that identifies how often to perform it so it supports each PCI DSS Requirement
- Documenting and reviewing cryptographic cypher suites and protocols
- Reviewing hardware and software
- Reviewing security awareness program at least once every 12 months and updating as necessary
- Including in training threats to CD, like phishing and related attacks and social engineering
- Including acceptable technology use in training
- Performing targeted risk analysis to determine how often to provide training
- Including in incident response plan the alerts from change-and-tamper detection mechanism for payment pages
- Implementing incident response procedures and initiating them upon PAN detection
What updates are applicable to service providers only?
In some cases, new Requirements apply only to issuers and companies supporting those issuing services and storing sensitive authentication data. Only one of these immediately went into effect, the update to Requirement 12:
- TPSPs support customers’ requests for PCI DSS compliance status and information about the requirements for which they are responsible
Effective March 31, 2025
Service providers should be aware of the following updates:
- Requirement 3:
- Encrypting SAD
- Documenting the cryptographic architecture that prevents people from using cryptographic keys in production and test environments
- Requirement 8
- Requiring customers to change passwords at least every 90 days or dynamically assessing security posture when not using additional authentication factors
- Requirement 11
- Multi-tenant service providers supporting customers for external penetration testing
- Detecting, receiving alerts for, preventing, and addressing covert malware communication channels using intrusion detection and/or intrusion prevention techniques
- Requirement 12
- Documenting and confirming PCI DSS scope every 6 months or upon significant changes
- Documenting, reviewing, and communicating to executive management the impact that significant organizational changes have on PCI DSS scope
Graylog Security and API Security: Monitoring, Detection, and Incident Response for PCI DSS 4.0
Graylog Security provides the SIEM capabilities organizations need to implement Threat Detection and Incident Response (TDIR) activities and compliance reporting. Graylog Security’s security analytics and anomaly detection functionalities enable you to aggregate, normalize, correlate, and analyze activities across a complex environment for visibility into and high-fidelity alerts for critical security monitoring and compliance issues like:
- Access monitoring, including malicious and accidental insider threats
- Network monitoring
- Endpoint security
- Application security
- Physical security
- Security misconfigurations
By incorporating Graylog API Security into your PCI DSS monitoring and incident response planning, you enhance your security and compliance program by mitigating risks and detecting incidents associated with Application Programming Interfaces (APIs). With Graylog’s end-to-end API threat monitoring, detection, and response solution, you can augment the outside-in monitoring from Web Application Firewalls (WAF) and API gateways with API discovery, request and response capture, automated risk assessment, and actionable remediation activities.
