PCI DSS (the Payment Card Industry Data Security Standard) is a baseline set of security controls for any organization that stores, processes, or transmits cardholder data; its purpose is to reduce fraud and data breaches across the entire payment process. In March 2022 the PCI Security Standards Council released PCI DSS 4.0, replacing PCI DSS 3.2.1 (referred to simply as 3.2 in this comparison).
Comparing PCI DSS 3.2 with 4.0—What’s Changed?
Major changes to the requirements include:
- Additional authentication controls, most notably multi-factor authentication (MFA) for all access into the cardholder data environment (CDE), not only for non-console administrative and remote access;
- Updated password requirements, including an increase in minimum password length from seven to 12 characters (eight where the system cannot support 12), with both numeric and alphabetic characters required;
- Tightened rules for shared, group, and generic accounts, which are now permitted only by exception, with documented business justification and individual accountability preserved;
- Clearly defined roles and responsibilities, which must be documented, assigned, and understood for each requirement; and,
- New requirements to prevent and detect ongoing threats against the payment industry, including anti-phishing mechanisms, an inventory and authorization of scripts loaded on payment pages, and tamper-detection for payment pages to counter e-skimming attacks.
Focus on Security Outcomes
- PCI DSS 3.2: Primarily focuses on prescriptive security controls, offering detailed instructions on what organizations should do to remain compliant.
- PCI DSS 4.0: Emphasizes security outcomes. Alongside the traditional "defined approach", it introduces a "customized approach" in which an organization may meet a requirement's stated objective by other means, provided it documents a targeted risk analysis and the assessor can test that the objective is met.
Stronger Authentication Methods
- PCI DSS 3.2: Introduces MFA for personnel with non-console administrative access and all remote access to the cardholder data environment.
- PCI DSS 4.0: Expands MFA to all access into the cardholder data environment and specifies how MFA must behave: the system cannot be bypassed by any user, factors must come from at least two different categories, and access is granted only after all factors succeed.
Continuous Security
- PCI DSS 3.2: Compliance is viewed from a point-in-time assessment.
- PCI DSS 4.0: Treats security as a continuous process rather than an annual audit, with ongoing monitoring and targeted risk analyses used to justify how often certain controls are performed.
Additional Clarity on Encrypted Data
- PCI DSS 3.2: Addresses encrypted cardholder data but gives limited guidance on its handling when the decryption keys are held by a separate entity.
- PCI DSS 4.0: Gives more precise scoping guidance: an entity holding encrypted cardholder data must still protect it even if it cannot decrypt it, and the systems and processes that perform encryption and decryption remain in scope.
Greater Vendor Responsibility
- PCI DSS 3.2: Outlines requirements for service provider responsibilities.
- PCI DSS 4.0: Extends service provider responsibilities, including a documented cryptographic architecture, formal change-control processes for all changes to system components, and written acknowledgement of which PCI DSS requirements the provider manages on the customer's behalf.
Enhanced Focus on Cryptographic Architecture
- PCI DSS 3.2: Requires service providers to maintain a documented description of their cryptographic architecture, covering the algorithms, protocols, and keys used to protect cardholder data.
- PCI DSS 4.0: Keeps that documented architecture and adds an inventory of the cipher suites and protocols in use, with active monitoring of industry trends so that weakening algorithms are identified and replaced, together with a prohibition on using the same cryptographic keys in production and test environments.