Compliance

PCI DSS 4.0: What You Need to Know

December 20, 2024 9 min read ThinSky Team

PCI DSS 4.0 represents the most significant update to payment card security standards in over a decade. If your organization processes, stores, or transmits cardholder data, you need to understand these changes and prepare for compliance.

Key Timeline

March 2024

PCI DSS 3.2.1 officially retired. Organizations must validate against PCI DSS 4.0.

March 2025

All "future-dated" requirements become mandatory. Full compliance with 4.0 required.

Major Changes in PCI DSS 4.0

1. Customized Approach

PCI DSS 4.0 introduces a "customized approach" alongside the traditional "defined approach." This allows organizations to implement alternative controls that meet the security objective of a requirement, even if they don't follow the exact prescribed method.

What This Means

You have more flexibility in how you achieve compliance, but you must document and validate that your approach meets the underlying security intent.

2. Enhanced Authentication Requirements

Multi-factor authentication (MFA) requirements have been significantly expanded:

  • MFA required for all access to the cardholder data environment (CDE)
  • MFA for all non-console administrative access
  • Stronger password requirements: minimum 12 characters (up from 7)
  • Authentication factors must be independent

3. Targeted Risk Analysis

Organizations must now perform targeted risk analyses to determine the frequency of certain activities:

  • Log review frequency
  • Security awareness training frequency
  • Periodic re-evaluation of user access
  • POI (Point of Interaction) device inspection frequency

4. Enhanced Security Awareness Training

Security awareness programs must now include:

  • Threats from phishing and social engineering
  • Acceptable use of end-user technologies
  • Training upon hire AND at least once every 12 months

5. New Vulnerability Management Requirements

Significant updates to vulnerability scanning and management:

  • Internal vulnerability scans via authenticated scanning
  • Detection of all applicable vulnerabilities (not just high/critical)
  • Maintain inventory of bespoke and custom software
  • Web application security beyond just annual assessments

Meeting Requirements with Open-Source Tools

Wazuh for Log Management (Requirement 10)

Wazuh provides comprehensive log collection, analysis, and retention capabilities:

  • Centralized log collection from all system components
  • Real-time alerting on security events
  • Automated daily log review capabilities
  • Integrity monitoring of log files
  • Retention for the required 12 months

OpenVAS for Vulnerability Scanning (Requirement 11)

OpenVAS meets vulnerability scanning requirements:

  • Authenticated internal vulnerability scans
  • Comprehensive CVE coverage
  • Scheduled automated scanning
  • Detailed remediation guidance

Keycloak for Access Control (Requirements 7 & 8)

Keycloak provides robust identity and access management:

  • Role-based access control
  • Multi-factor authentication
  • Session management
  • Detailed access logging

Preparing for Compliance

Step 1: Gap Assessment

Conduct a thorough gap assessment against PCI DSS 4.0 requirements. Pay special attention to:

  • New authentication requirements
  • Enhanced encryption standards
  • Updated vulnerability management expectations
  • Expanded logging and monitoring requirements

Step 2: Risk Analysis Documentation

Document your targeted risk analyses for activities where frequency is now determined by risk assessment. Include:

  • Methodology used
  • Threats considered
  • Resulting frequency determination
  • Review and approval by management

Step 3: Tool Implementation

Deploy and configure tools to meet technical requirements. Ensure you have:

  • Centralized log management with alerting
  • Authenticated vulnerability scanning
  • MFA for all CDE access
  • File integrity monitoring
  • Web application firewall or equivalent protection

Step 4: Process Updates

Update your security processes and procedures:

  • Security awareness training program
  • Incident response procedures
  • Change management processes
  • Vendor management procedures

Common Challenges

"The shift to targeted risk analysis means organizations need to mature their risk management practices - you can't just follow a checklist anymore."

Organizations commonly struggle with:

  • Documented risk analyses - Many lack formal risk assessment processes
  • MFA expansion - Legacy systems may not support modern MFA
  • Authenticated scanning - Requires credential management and access
  • Script/API inventory - Tracking all payment page scripts is challenging

Need Help with PCI DSS 4.0 Compliance?

Our team specializes in helping organizations achieve PCI compliance with open-source tools.

Schedule a Consultation