Upcoming Changes in PCI DSS 4.0: What SaaS Platforms Need to Know
The Payment Card Industry Data Security Standard (PCI DSS) is the global standard for ensuring the secure handling of credit card data. It’s designed to protect cardholder data from theft and misuse.
The upcoming release of PCI DSS 4.0, commonly referred to as PCI 4.0, marks the most significant update to the standard since its inception, with foundational changes to its 360 pages.
Based on the updates, companies such as software as a service (SaaS) platforms face unique challenges in achieving PCI DSS compliance. Learn more below.
What’s PCI 4.0?
PCI 4.0 is the latest version of the PCI DSS standard, which provides requirements for merchants and service providers that store, process, or transmit credit card information, or could otherwise impact the security of cardholder data.
The new version of the standard has rolled out and can be assessed against today, along with version 3.2.1. The previous version will be retired March 31, 2024, and only version 4.0 will be assessed against after that date.
PCI 4.0 Changes
There are several changes organizations will need to implement to comply with PCI 4.0, including:
- Administrative changes
- Documentation requirements
- Cardholder data protection
- Authenticated vulnerability scans
- Full disk encryption appropriateness
- Active malware scans
- Anti-phishing mechanisms
- Authentication parameters
- Critical security failures detection tools
- Tamper protection mechanisms
- Covert malware communication channels
The administrative changes in PCI 4.0 include updated self-assessment questionnaires (SAQs) and other changes not found in the requirements. One of the most significant changes is the compliance approach, which now includes the traditional defined approach and a customized approach.
Attestation of Compliance Modifications
The Attestation of Compliance (AOC) for merchants must now disclose all the requirements that weren’t applicable for the assessment and why the requirement was not applicable. This disclosure wasn’t required for merchants in the previous version, but is required for Merchant AOCs in PCI 4.0.
While this change doesn’t require any specific action from businesses, readers of the AOC will now have insight into the requirements not applicable for merchants.
The Customized Approach
The customized approach allows a mature organization to define its own controls that meet the objective of the traditional, defined approach.
For example, historically, the DSS required organizations to perform periodic anti-malware scans or implement a compensating control if there was a legitimate business or technical constraint to meet the intent of the periodic anti-malware scan requirement.
With the customized approach, an organization could potentially rely on enforcing only approved software that can be run as opposed to periodic malware scans to contribute to the customized objective of stopping malware.
This customized approach supports innovation in security practices, giving mature entities flexibility in showing they meet PCI requirements. For each PCI DSS requirement, an organization can choose either the defined approach or the customized approach. The customized approach, however, is only suitable for risk-mature companies.
First, the customized approach is only available to organizations that undergo an external assessment resulting in a Report on Compliance (ROC), not to organizations that are only required to complete an SAQ.
Second, the organization must plan and complete a control matrix describing the alternative approaches to fulfilling the applicable requirements, testing must be performed on each customized control, and additional documentation justifying the alternative approaches will be necessary.
Documentation Requirements
PCI 4.0 introduces several new documentation requirements that organizations, specifically SaaS platforms, need to maintain regularly.
This change will require organizations to review each new documentation requirement and take steps to satisfy it.
Copying of Cardholder Data
Organizations that store cardholder data will need to detect and prevent this data from being copied over remote sessions from the storage location to their endpoints.
This can be done using Data Loss Prevention (DLP) on the network, laptops, or servers, or by using remote session technologies that prevent data from being copied out of the session, such as PCoIP.
PCI 4.0 defines remote access as “access to computer networks from a remote location. Remote access connections can originate either from inside the company’s own network or from a remote location outside the company’s network. An example of technology for remote access is VPN.”
SaaS platforms must consider the impact of this requirement, as implementing technical measures can take time and money. Additionally, if a DLP product is chosen, it will need to be closely monitored and managed to ensure its effectiveness.
Authenticated Vulnerability Scans
Currently, unauthenticated vulnerability scans are allowed: the scanner is pointed at an IP address and reports whatever it can determine without logging in.
With PCI 4.0, organizations will be required to use authenticated scans if they’re supported by the scanned system component, which means the vulnerability scanner will need to provide login credentials to the devices being scanned.
While this change will result in more accurate vulnerability scan results, it also means there will be additional overhead to manage credentials.
As a SaaS platform, you’ll need to implement service accounts that can authenticate to scanned systems and manage those accounts in a PCI-compliant manner. Expect authenticated scans to surface more findings, and plan how you will triage and address them in a scalable manner.
Full Disk Encryption Appropriateness
Under PCI 4.0, full disk encryption will only be allowed on removable media. This change means full disk encryption will not be allowed in data center or cloud environments, where the media isn’t removable. Instead, SaaS platforms will need to implement file-level encryption.
With a SaaS platform, it’s essential to be aware of this change as it will impact the way cloud companies provide encryption solutions. SaaS platforms will need to address these out-of-the-box encryption challenges and find encryption solutions that provide file or column level encryption.
Active Malware Scans
Under previous versions of PCI DSS, organizations were required to conduct periodic scans on components that required anti-malware solutions. PCI 4.0 will require periodic scans as well as active scans.
This change is intended to help ensure organizations can detect and respond to malware attacks in a timely manner. It may require additional configuration or potentially new anti-malware software if the current solution can’t perform active scans.
To satisfy this requirement, SaaS platforms should determine if their current anti-malware solution can perform active scans, or if they should explore alternative solutions.
Anti-Phishing Mechanisms
PCI 4.0 will require SaaS platforms to implement anti-phishing mechanisms at the corporate level, not just in the cardholder data environment (CDE).
SaaS platforms will need to implement mechanisms such as Domain-based Message Authentication, Reporting, and Conformance (DMARC), among other technologies, to detect and prevent phishing attacks.
SaaS platforms will need to confirm their email system can implement anti-phishing mechanisms and, if it can, implement the necessary mechanisms. Updates to the email system could result in changes in data handling procedures.
Authentication Parameters
PCI 4.0 introduces significant changes to the authentication parameters required for compliance.
The previous version of PCI DSS required a minimum password length of seven characters; under the new version, the minimum length increases to 12 characters.
If the system cannot support 12 characters, a minimum length of eight characters will be required. Additionally, there will be changes to account lockouts. Previously, a lockout occurred after six attempts, but under PCI 4.0, a lockout must occur after 10 attempts.
The standard has historically required password changes every 90 days. Organizations will still be required to change passwords at 90 days or, alternatively, the security posture of accounts must be analyzed dynamically, with access to resources determined automatically in real time.
This is a shift toward zero trust, where access to resources is continually analyzed and granted only when necessary. Additionally, multifactor authentication (MFA) will now be required to prevent replay and bypass attacks, and service account passwords will need to be periodically rotated.
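The parameters above (12-character passwords, eight where 12 is not possible, lockout within 10 attempts, 90-day rotation unless account posture is analyzed dynamically, and MFA) can be checked against an identity provider's configuration. The script below is an added example, not the article's or any vendor's code; the policy field names are hypothetical and would be mapped to your own system's settings.

```python
"""Check an account-policy configuration against the PCI DSS 4.0 parameters
described above. Added example; AccountPolicy field names are hypothetical."""
from dataclasses import dataclass
from typing import List


@dataclass
class AccountPolicy:
    # Hypothetical field names; map them to your identity provider's settings.
    min_password_length: int
    lockout_threshold: int        # failed attempts before the account locks
    max_password_age_days: int    # 0 means passwords never expire
    dynamic_risk_analysis: bool   # account posture is analyzed continuously
    mfa_required: bool
    length_12_infeasible: bool = False  # documented reason 12 cannot be met


def assess_policy(p: AccountPolicy) -> List[str]:
    """Return findings; an empty list means the policy meets the 4.0 parameters."""
    findings = []
    required_len = 8 if p.length_12_infeasible else 12
    if p.min_password_length < required_len:
        findings.append(f"minimum length {p.min_password_length} is below {required_len}")
    if not 1 <= p.lockout_threshold <= 10:
        findings.append(f"lockout after {p.lockout_threshold} attempts must be between 1 and 10")
    rotates_in_time = 1 <= p.max_password_age_days <= 90
    if not (rotates_in_time or p.dynamic_risk_analysis):
        findings.append("passwords must rotate within 90 days or posture must be analyzed dynamically")
    if not p.mfa_required:
        findings.append("MFA is not enforced")
    return findings


# Constructed samples: a policy built to the previous minimums, and two 4.0 options
LEGACY = AccountPolicy(min_password_length=7, lockout_threshold=6,
                       max_password_age_days=90, dynamic_risk_analysis=False,
                       mfa_required=False)
UPDATED_ROTATING = AccountPolicy(12, 10, 90, False, True)
UPDATED_DYNAMIC = AccountPolicy(12, 10, 0, True, True)   # no fixed expiry

if __name__ == "__main__":
    for name, policy in [("legacy", LEGACY), ("rotating", UPDATED_ROTATING),
                         ("dynamic", UPDATED_DYNAMIC)]:
        print(name, assess_policy(policy) or "meets 4.0 parameters")
```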
Critical Security Failures Detection Tools
Under PCI 4.0, merchants will now need to join service providers in monitoring and responding to critical security control failures. This means entities must detect when a security control stops working as designed, and have a process in place to fix the issue.
Companies must identify the tools necessary to help monitor the security tools and implement processes to help detect critical security control failures. This can include implementing:
- Monitoring and alerting mechanisms for network security controls
- Intrusion detection systems/intrusion prevention systems (IDS/IPS)
- Change-detection mechanisms
- Anti-malware solutions
- Physical and logical access controls
- Audit logging mechanisms
- Segmentation controls
- Automated security testing tools
Companies can also expect increased scrutiny of their own security controls as they implement more stringent monitoring processes.
Tamper Protection Mechanisms
PCI 4.0 will require entities to have a mechanism to detect and alert personnel of unauthorized modification to the HTTP headers and contents of payment pages as received by the consumer browser.
This tamper protection mechanism will ensure that scripts on a payment page are authorized, which will add another layer of security to online transactions.
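As an added example (not code from the article), the script below shows the detection side of that requirement: it fingerprints the scripts on a payment page and compares them, together with selected HTTP security headers, against an approved baseline, raising an alert for any deviation. The sample page, headers, and domains are constructed; header names are assumed to be lower-cased before comparison.

```python
"""Detect unauthorized changes to a payment page's security headers and script
inventory. Added example; the baseline and sample pages are constructed."""
import hashlib
from html.parser import HTMLParser


class ScriptCollector(HTMLParser):
    """Collect (src, inline body) for every <script> element on a page."""
    def __init__(self):
        super().__init__()
        self.scripts, self._src, self._body, self._inside = [], "", [], False

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._inside, self._body = True, []
            self._src = dict(attrs).get("src") or ""

    def handle_data(self, data):
        if self._inside:
            self._body.append(data)

    def handle_endtag(self, tag):
        if tag == "script":
            self.scripts.append((self._src, "".join(self._body).strip()))
            self._inside = False


def script_fingerprints(html: str) -> set:
    """External scripts are identified by src, inline ones by SHA-256 of their body."""
    parser = ScriptCollector()
    parser.feed(html)
    parser.close()
    return {src or "sha256:" + hashlib.sha256(body.encode()).hexdigest()
            for src, body in parser.scripts}


MONITORED_HEADERS = ("content-security-policy", "strict-transport-security", "x-frame-options")


def detect_tampering(baseline_headers: dict, baseline_scripts: set,
                     received_headers: dict, received_html: str) -> list:
    """Return one alert per deviation from the approved baseline."""
    alerts = [f"header changed: {h}" for h in MONITORED_HEADERS
              if received_headers.get(h) != baseline_headers.get(h)]
    seen = script_fingerprints(received_html)
    alerts += [f"unauthorized script: {s}" for s in sorted(seen - baseline_scripts)]
    alerts += [f"expected script missing: {s}" for s in sorted(baseline_scripts - seen)]
    return alerts


# Constructed sample: the approved checkout page and a copy with an injected script
GOOD_HTML = ('<html><body><script src="https://pay.example.test/checkout.js"></script>'
             '<script>initCheckout({"mode": "card"});</script></body></html>')
BAD_HTML = GOOD_HTML.replace("</body>", '<script src="https://cdn.unknown.test/x.js"></script></body>')
GOOD_HEADERS = {"content-security-policy": "script-src 'self' https://pay.example.test",
                "strict-transport-security": "max-age=31536000", "x-frame-options": "DENY"}
BASELINE_SCRIPTS = script_fingerprints(GOOD_HTML)
```

Run `detect_tampering(GOOD_HEADERS, BASELINE_SCRIPTS, headers, html)` on each fetch of the live page from a monitoring host and route any non-empty result to the alerting channel personnel already watch.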
Covert Malware Communication Channels
PCI 4.0 will require IDS/IPS systems to detect covert malware communication channels. Organizations must be able to identify and detect attacks and communication over protocols, ports, and channels not designed for that type of communication.
New technology might need to be deployed or configuration changes might need to be made to the existing IDS/IPS system to detect covert malware channels. This could impact your technology stack.
To prepare for these changes, businesses should review their current compensating controls and existing requirement implementations to better understand the impact of the new approaches, and plan accordingly.
Identify technologies that satisfy the requirements and budget for the tooling and implementation. The new requirements may also call for additional training or education for users and stakeholders.
Complying with the new PCI 4.0 requirements can be challenging, but it’s a crucial step toward unlocking new business opportunities, partnerships, and improved user experiences.
By adopting the necessary changes to meet these requirements, SaaS platforms can not only enhance their security posture, but also work more cohesively with multiple payment service providers.
Jonathan has worked in information technology since 2010. He’s a technical lead for services related to information technology, with a specific emphasis in information security. He can be reached at email@example.com or (801) 907-4332.
Assurance, tax, and consulting offered through Moss Adams LLP. ISO/IEC 27001 services offered by Cadence Assurance LLC, a Moss Adams company. Wealth management offered through Moss Adams Wealth Advisors LLC.