Differences V321-V4

Cards (92)

  • PCI DSS v3.2.1 will be retired, and PCI DSS v4.0 will be the only active version of the standard
    March 31, 2024
  • The transition period from March 2022 to March 31, 2024 is intended to provide organizations with time to familiarize themselves with the changes in PCI DSS v4.0, update their reporting templates and forms, and plan and implement changes to meet updated requirements
  • Assessors can undertake assessments using PCI DSS v4.0 or PCI DSS v3.2.1 after completing PCI DSS v4.0 training
  • PCI DSS v4.0 standard gives organizations more time to implement numerous new requirements
  • Objectives of PCI DSS v4.0
    • Security methods must develop as threats change to continue to fulfill the security needs of the payments industry
    • New requirements have been added with an ongoing understanding of security to promote security as a continuous process
    • Added new requirements to enable more options and support payment technology innovation to increase flexibility for organizations using different methods to achieve their security goals
    • Detailed verification and reporting options have been developed to improve verification methods and procedures
  • Before March 31, 2025, organizations are not required to fully meet the new requirements identified as best practices in PCI DSS v4.0
  • After March 31, 2025, these new requirements will apply, so these requirements should also be considered part of a PCI DSS assessment and fully met for PCI compliance
  • Requirement 1
    Updated the core requirement heading to reflect the focus on network security controls. "Firewalls" and "routers" have been replaced by "network security controls" to support a broader range of technologies used for security objectives traditionally met by firewalls
  • Requirement 1.1.2
    The requirement "Definition of groups, roles, and responsibilities for managing network components" has been replaced by the general requirement for roles and responsibilities in Requirement 1
  • Requirement 2
    The core requirements header has been updated to reflect a general focus on secure configurations, not just manufacturer-provided defaults
  • Requirement 2.1.2
    Added new requirement for roles and responsibilities regarding secure configurations
  • Requirement 3
    Updated the core requirement header to reflect the focus on account data
  • Requirement 3.1.2
    Added new requirement for roles and responsibilities regarding account data security
  • Requirement 3.2.1
    Added new requirement addressing SAD retained before completion of authorization through the implementation of data retention and destruction policies, procedures, and processes
  • Requirement 3.3.2
    Added a new requirement to encrypt electronically stored SAD before completion of authorization
  • Requirement 3.4.1
    Clarified that the PAN is masked when displayed so that only personnel with a legitimate business need can see more than the last four digits of the PAN
  • Requirement 3.4.2
    Added new requirement for technical controls to prevent copying and/or relocation of PAN when using remote-access technologies. Expanded from former Requirement 12.3.10
  • Requirement 3.5.1
    Removed "pads" from the list of methods ("index tokens and pads") used to render the PAN unreadable
  • Requirement 3.5.1.1
    Added new requirement for keyed cryptographic hashes when hashes are used to render the PAN unreadable
  • Requirement 3.5.1.2
    Added new requirement that disk-level or partition-level encryption be used to render the PAN unreadable only on removable electronic media; if it is used on non-removable electronic media, the PAN must also be rendered unreadable via a mechanism that satisfies Requirement 3.5.1
  • Requirement 3.6.1.1
    Added a new requirement for service providers to include, in the documented description of the cryptographic architecture, a provision that prevents the use of the same cryptographic keys in production and test environments
  • Requirement 4
    Updated the core requirement header to reflect the focus on "strong cryptography" to protect the transmission of cardholder data
  • Requirement 4.1.2
    Added new requirement for roles and responsibilities regarding the transmission of cardholder data
  • Requirement 4.2.1
    Added new requirement to verify that certificates used for PAN transmissions over open, public networks are valid and not expired or revoked
  • Requirement 4.2.1.1
    Added new requirement to keep an inventory of trusted keys and certificates
  • Requirement 5
    Updated the core requirement header to reflect the focus on protecting all systems and networks from malware. "Anti-virus" has been replaced by "anti-malware" to support a broader range of technologies used for security goals traditionally met by anti-virus software
  • Requirement 5.1.2
    Added new requirement for roles and responsibilities regarding anti-malware
  • Requirement 5.2.3.1
    Added a new requirement to define, in the targeted risk analysis, the frequency of periodic evaluations of system components identified as not at risk for malware
  • Requirement 5.3.2.1
    Added a new requirement to define, in the targeted risk analysis, the frequency of periodic malware scans
  • Requirement 5.3.3
    Added new requirement for a malware solution for removable electronic media
  • Requirement 5.4.1
    Added new requirement to detect phishing attacks and protect personnel against them
  • Requirement 6
    Updated the core requirement header to include "software" instead of "applications." Clarified that Requirement 6 applies to all system components, except Requirement 6.2, which applies only to custom-developed software
  • Requirement 6.1.2
    Added new requirement for roles and responsibilities related to software development
  • Requirement 6.3.2
    Added new requirement to keep an inventory of custom-developed software
  • Requirement 6.4.2
    Added new requirement to deploy an automated technical solution for public web applications that continuously detects and prevents web-based attacks. This new requirement removes the option in Requirement 6.4.1 to inspect web applications through manual or automated application vulnerability assessment tools or methods
  • Requirement 6.4.3
    Added a new requirement for managing all checkout page scripts loaded and executed in the user's browser
  • Requirement 7
    Updated the core requirement header to include system components and cardholder data
  • Requirement 7.1.2
    Added new requirement for roles and responsibilities regarding managing and reviewing accounts
  • Requirement 7.2.4
    Added a new requirement to review all user accounts and associated access privileges
  • Requirement 7.2.5
    Added new assignment and management requirements for all application and system accounts and associated access privileges