PCI 4.0 – Let the fun begin
Posted by: Carla Brinker
You’ve put it off, ignored it, or just been busy. Whatever the case, PCI version 4.0 is a reality as of April 1, 2024. If you haven’t started preparing, here is a bit about the “must-dos” for 2024. There’s another list for 2025, but I’ll save that list for another day.
First off, each of the 12 top-level requirements has a “roles and responsibilities” requirement for documenting who is responsible for each requirement. This might be an internal employee, or it might be a service provider, or it might be both. Either way, it’s critical you look at each requirement for each payment channel and make sure the requirement is assigned to a responsible party, and that party understands their obligation. It’s best to assign the duties to a role – rather than a person’s name. This makes it easier to keep the documentation up-to-date.
A small change was made to break out the wireless vendor-default requirements. This was always a requirement, but now it’s crystal clear what is meant. For wireless environments, requirement 2.3.1 requires the vendor defaults to be changed (SNMP defaults and default passwords). Requirement 2.3.2 requires that wireless encryption keys be changed whenever someone who knew the key leaves or changes roles, or whenever the key is suspected to be compromised.
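As an added illustration (not from the post or from GuidePoint), here is a small self-assessment check for the two wireless requirements above, run over constructed sample data: it flags SNMP community strings and admin passwords that are still vendor defaults (2.3.1), and any departure, role change or suspected compromise that has not been followed by a key change (2.3.2). The default lists and event types are assumptions for the example.

```python
from datetime import date

# Constructed sample data (not from the post): a wireless controller's SNMP community
# strings and admin password, the WPA2 pre-shared key's last rotation date, and a log
# of personnel/security events that should have triggered a key change.
DEFAULT_COMMUNITIES = {"public", "private"}          # assumed common vendor defaults
DEFAULT_PASSWORDS = {"admin", "password", "cisco", ""}
ROTATION_TRIGGERS = {"left", "role_change", "suspected_compromise"}

SAMPLE_SNMP = ["public", "wlan-ro-x7"]
SAMPLE_ADMIN_PASSWORD = "Admin123!"
SAMPLE_KEY_LAST_ROTATED = date(2024, 1, 15)
SAMPLE_EVENTS = [
    (date(2023, 11, 2), "left", "former wireless admin"),              # before rotation: fine
    (date(2024, 2, 1), "onboarded", "new network engineer"),           # not a trigger
    (date(2024, 3, 10), "role_change", "engineer moved to help desk"), # after rotation: finding
]


def check_vendor_defaults(snmp_communities, admin_password):
    """Req 2.3.1: report wireless vendor defaults still in use."""
    findings = [
        f"2.3.1: default SNMP community string '{c}' still in use"
        for c in snmp_communities
        if c.lower() in DEFAULT_COMMUNITIES
    ]
    if admin_password.lower() in DEFAULT_PASSWORDS:
        findings.append("2.3.1: wireless admin account still uses a vendor default password")
    return findings


def check_key_rotation(last_rotated, events):
    """Req 2.3.2: every departure, role change or suspected compromise must be followed
    by a key change. A same-day rotation is treated conservatively as not yet done."""
    return [
        f"2.3.2: key not rotated since {kind} ({who}) on {when.isoformat()}"
        for when, kind, who in events
        if kind in ROTATION_TRIGGERS and when >= last_rotated
    ]


def audit(snmp_communities, admin_password, last_rotated, events):
    """Combine both checks into one list of findings for the evidence file."""
    return check_vendor_defaults(snmp_communities, admin_password) + check_key_rotation(last_rotated, events)


if __name__ == "__main__":
    for finding in audit(SAMPLE_SNMP, SAMPLE_ADMIN_PASSWORD, SAMPLE_KEY_LAST_ROTATED, SAMPLE_EVENTS):
        print(finding)
```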
Requirement 12.5.2 is another “new” requirement that isn’t really new. Each assessed entity is required to do its own scoping exercise, and the QSA (Qualified Security Assessor) is only to confirm that exercise. Expect the documentation from this exercise to be an item on the evidence request list that your assessor asks for before kicking off the engagement.
Requirement 12.9.2 is a welcome addition. Again, it’s nothing new, but more of a clarification. It ties in with the roles and responsibilities requirements that were added to each of the 12 top-level requirements in 4.0. Each service provider is expected to support every assessed entity by responding to the assessed entity’s annual review questions regarding that third-party service provider. The third-party service provider must also provide a list of all PCI requirements it will fulfill on the assessed entity’s behalf, including any requirements that are a shared responsibility between the third-party service provider and the assessed entity. This is a formal document, not just a verbal agreement. It might be included in the contract or it might be a separate document. Either way, the third-party service provider must have, and be able to provide, a clear statement of its responsibilities that matches the assessed entity’s understanding.
So there you have it… not much of a change for 2024 for PCI DSS 4.0. The list for 2025 is much longer and requires additional work. If you have been ignoring PCI DSS 4.0 so far, your additional work will be minimal for this year. That will not be the case for next year…see Dan Mengel’s previous blog post and search the DSS for the phrase “31 March 2025” to see what’s in store.
As always, please contact your GuidePoint Security Account Executive or [email protected] if we can assist you with your PCI program.
Carla Brinker
Principal Cybersecurity Consultant,
GuidePoint Security
Carla Brinker, Principal Cybersecurity Consultant at GuidePoint Security, began her career in the security industry in 2000. Her professional experience includes PCI assessments ranging from Fortune 25 companies to small companies, risk assessments, IT governance, oversight of new controls implementation, technical writing, and security education. She has both led and participated in assessments for industries such as banking, retail, ecommerce, and hospitality and has managed teams of consultants delivering information security services. Carla holds several industry certifications, including Certified Information Security Assessor (CISA), Certified Information Security Manager (CISM), and PCI Qualified Security Assessor (PCI QSA).