PCI DSS 4.0 becomes mandatory on April 1 2024 – here’s what you need to consider

Blog

3 Jan 2024

  • Blog
  • PCI DSS 4.0 becomes mandatory on April 1 2024 – here’s what you need to consider

The new PCI DSS 4.0 standard becomes mandatory on April 1 2024 so all organizations that take card payments need a strategy in place to ensure compliance by that date.

The new PCI DSS 4.0 standard becomes mandatory on April 1 2024 so all organizations that take card payments need a strategy in place to ensure compliance by that date. PCI compliance is vital for any organization that takes card payments. If you are not PCI compliant then payment card companies can fine you. Additionally, if you are subject to a data breach then your PCI compliance status will have an impact on the financial penalties that you’re likely to incur. The costs of non-compliance can be significant. So, what’s needed in order to comply and by when does it need to be done?

By when do you need to comply with PCI DSS 4.0?

The revised PCI DSS 4.0 standard was published on March 31 2022. The key deadlines are March 31 2024 which is the date on which the previous version (PCI DSS 3.2.1) is retired. Compliance with PCI DSS 4.0 is compulsory after this date. However, some of the requirements of PCI DSS 4.0 are flagged as best practice until March 31 2025, at which point they too become mandatory. This is to give organizations time to put in place any upgrades to their technology or processes that the PCI SSC believes may be needed for these particular requirements. There are 51 new requirements in PCI DSS 4.0 that all become compulsory on March 31 2025. This is where you should focus initially because reviewing this list will tell you if you’re likely to need to put in place any new technology or solutions in order to meet these requirements. The majority of the changes required by March 31 2024 are small and therefore likely to require only minor changes to your processes or policies.

What changes with PCI DSS 4.0?

The changes in PCI DSS 4.0 are designed to reflect the way in which technology, cyber crime and payments have changed over the last few years. The COVID-19 pandemic changed consumer behavior substantially, in particular through a rapid increase in the use of online and contactless payments. Organizations these days make much wider use of cloud platforms to store personal data and cyber criminals are getting ever more inventive and ingenious. PCI DSS 4.0 is designed to reflect the ways in which the world has changed, however many of the staples of PCI that you are used to will not change. For example: -

  • There are still 12 principal requirements in PCI DSS 4.0.
  • You still have the option to use compensating controls if you wish (although we would always recommend descoping completely from PCI requirements option)
  • The scope of the PCI requirements has not changed.
  • Your compliance status will be assessed by Qualified Security Assessors (QSAs) as before.
  • You can still report your compliance status either through a Self Assessment Questionnaire (SAQ) or an assessor produced report.

What do I need to do by April 2024 to be PCI compliant?

The key changes that you will need to have in place by April 1 2024 are as follows:-

  • The roles and responsibilities for conforming with PCI DSS requirements must be defined.
  • The scope of PCI compliance must be documented – this means that you must define and document the scope of your cardholder data environment both annually and after any significant changes are made.
  • Changes to networks must follow the same change control as all other aspect that are in scope.
  • Any files you use to create your network infrastructure must be secured.
  • You must have documented requirements that are shared between your organization and any third party service providers with whom you have relationships.

What do I need to do by April 2025 to be PCI compliant?

There are 51 new requirements that are compulsory from April 1 2025. The ones that are likely to require you to do the most work or make the most substantial changes are as follows:

  • It will no longer be acceptable to use disk or partition level encryption for any encrypted data that you store.
  • Stored hashes of PANs will need to be cryptographically keyed hashes.
  • You will be required to produce an inventory of all the cryptography that you are using to protect cardholder data, whether in transit or at rest. Going forward, you’ll be required to perform an annual risk assessment of all your uses of cryptography. This requirement is designed to ensure that there is the flexibility needed to adapt requirements if algorithms become less secure as time goes on.
  • Any JavaScript that you have included in your payment web pages must be actively managed and you must respond to any unauthorized changes. This has the potential to be a hard requirement to meet, given that it’s not unusual for websites to have over a hundred such scripts on a page, with at least half coming from third parties.
  • You will be required to use technology designed to detect and prevent phishing attacks. There will also be a requirement to conduct more user training to help your staff better identify and report social engineering attacks such as phishing.
  • Multifactor authentication will be required for all users who are able to access the cardholder data environment, not only those who have remote or administrative access.
  • Your log reviews can no longer be manual but must be automated.
  • You’re already required to maintain an inventory of your hardware and software but from April 2025 onwards you will also need to perform a risk assessment of any assets coming towards their end-of-life and have plans in place to ensure they are secure and replace them as appropriate.
  • Your quarterly internal vulnerability scans must now be authenticated. This has the potential to be one of the most significant changes to an existing requirement and authenticated scanning is likely to throw up many new vulnerabilities within your organization.

Descoping from PCI DSS remains the best option

Achieving and demonstrating PCI DSS 4.0 compliance is likely to place a very significant cost and time burden on organizations. That’s why the better option is to take your operations out of scope of PCI DSS altogether, removing the need for time consuming oversights, reporting and PCI audits. Our CallGuard secure payment solution facilitates this. Using CallGuard means that your customers’ payment card data never enters your contact center environment.

For payments made over the phone, CallGuard uses DTMF and Advanced Speech Recognition technology which effectively eliminates the need to have PCI DSS controls in place in contact centers because the payment card data is captured, encrypted and sent to the merchant’s payment services provider for payment authorization without ever entering the contact center environment or systems, thus reducing risk and removing the need for processes such as monitoring of agents or use of so-called ‘pause & resume’ systems (stop/start of call recordings) to try and control that risk.

Eckoh offers both a self-service IVR solution and an agent assisted solution. The IVR payment solution - Payment IVR - enables your customers to make secure, PCI compliant card payments by phone whenever they want to, without needing to talk to an agent at all. In IVR mode customers can make payment either using their telephone keypad or by using speech recognition if they prefer. Payment IVR is ideal for taking regular, recurring payments such as the payment of utility bills or subscriptions – relatively straightforward transactions where no agent assistance is needed. CallGuard enables the same secure payment to be taken, either by the customer using the touchtone keypad of their phone or advanced speech recognition, but while the customer is on a call with a live agent.

Suppressing or masking DTMF tones enables customers to use their telephone keypad to enter payment card details securely. The tones that are generated as the customer enters their card details are captured by CallGuard. The agent does not see or hear the card numbers, nor are they stored in the call recordings so they cannot then be used to access the customer’s payment card details, making the use of DTMF to capture card data a much more secure option than alternatives such as clean rooms or ‘pausing’ call recording while a payment is made. When speech recognition is used neither the agent nor the call recording are exposed to the card data.

Find out more about how Eckoh can help you descope from PCI DSS requirements

Get in touch if you'd like to find out more about how CallGuard or Payment IVR can help you descope your contact center from PCI DSS requirements altogether.