Are You Ready for PCI DSS v4.0?

Version 4.0 of the Payment Card Industry Data Security Standard (PCI DSS) comes into effect from 31 March 2024.  There are 63 new requirements with v4.0, some come into effect immediately, with the bulk coming into effect from 31 March 2025.

In this webinar, URM will focus on the more challenging requirements and how organisations should go about addressing them, including:

Multi-Factor Authentication (MFA)

MFA is nothing new to PCI DSS, but v4.0 now mandates that it must be used for all accounts that have access to the cardholder data, not just administrators accessing the cardholder data environment (CDE). In this webinar URM will discuss the implications of the new MFA requirements including where you need to implement MFA and the security controls that MFA systems need to meet.

eCommerce Payment Page Scripts

If your organisation is involved in any form of eCommerce activities, changes to Requirements 6.4.3 and 11.6.1 are going to impact you.  With the former requirement, it is now stipulated that only necessary scripts may be executed on the payment page.  To ensure secure administration, all scripts must also be inventoried, authorised, and checked for integrity.  With the latter requirement, it is stipulated that measures need to be taken to detect unauthorised changes to the content or headers of the payment pages at least every seven days. URM will address the technical implications of these requirements as well as how they will impact merchants with e-commerce websites.

ASV Scans

Requirement 11.3.2 of PCI DSS v4.0 requires organisations that meet certain criteria to have external vulnerability scans performed by a PCI SSC (Security Standards Council) Approved Scanning Vendor (ASV) at least once every 90 days and after significant changes to their environment.  Whilst this requirement is not new to the PCI DSS and has not undergone any changes, the implementation of it has been changed, the 90-day time limit is now strictly enforced as opposed to simply being once per quarter.  URM will discuss the implications of this stricter time limit as well as explaining which types of merchants will need to perform ASV scans as the requirement has been expanded to cover more organisations than the previous version of the standard.

Other Changes

URM will also provide guidance on how to meet other changing requirements including:

• Ensuring your scope is properly documented
• Ensuring you are ready for the new evidence collection processes
• Addressing the increased focus on supply chain security and risk management
• Considering how remote assessment activities could affect your Report on Compliance (ROC)
• The customised validation approach.

This webinar is applicable to both organisations undertaking a self-assessment questionnaire (SAQ) or a QSA-led assessment.

‍

‍