If your organization is preparing for PCI compliance for the first time since v4.0 was published, there are many factors you need to consider. This comprehensive PCI DSS 4.0 checklist accounts for the timeline, assessment protocols, requirement scope, and options for flexibility.
Are you ready for PCI validation and compliance? Schedule a consultation to find out!
Everything You Need to Know about PCI DSS 4.0
Organizations preparing for compliance with the Payment Card Industry (PCI) Data Security Standard (DSS) version 4.0 should organize their obligations into a checklist. This facilitates seamless compliance by giving you visibility into what needs to be done (and by when) to comply.
In particular, your comprehensive PCI DSS 4.0 checklist should cover:
- The timeline to compliance, or when PCI DSS 4.0 will be mandated by
- The assessment protocols for organizations at different PCI DSS levels
- All the PCI DSS 4.0 controls that all organizations need to implement
- Considerations for implementation through compensating controls
- Considerations for implementation through the customized approach
Working with a qualified PCI advisor will help you expand upon your PCI DSS 4.0 checklist in Excel or elsewhere into a robust, actionable strategy for comprehensive, efficient compliance.
PCI DSS 4.0 Timeline for Implementation
The first item on your checklist should account for the time you have until you need to install PCI DSS 4.0 controls and conduct an assessment. PCI DSS v4.0 was officially published on March 31, 2022. However, organizations are not expected to have adapted to the still-new framework immediately. Instead, the publication began a transitional phase to allow organizations to prepare for future v4.0 audits. PCI DSS v3.2.1 will remain in effect until March 31, 2024.
As of March 31, 2024, organizations will be expected to have a selection of new v4.0 controls met. But future-dated requirements, new to v4.0, will not be required until March 31, 2025.
This is the simplest of the checklist items, but it should not be taken for granted. Organizations should take care to give themselves enough time well in advance of March 2025 to facilitate assessments. Not being prepared or having to reassess heightens the risk of noncompliance.
Download Our PCI DSS 4.0 Checklist
PCI DSS 4.0 Assessment Requirements by Level
Although the PCI implementation requirements are the same for all organizations, assessment protocols differ depending on the number of transactions and amount of CHD you process. It’s critical to understand your assessment needs alongside your timeline to schedule accordingly.
There are three forms of documentation you may need to fulfill to achieve PCI compliance. The Self-Assessment Questionnaire (SAQ) typically applies to organizations with the fewest annual transactions, the Attestation of Compliance (AOC) applies to those with moderate volume, and the Report on Compliance (ROC) applies to organizations with the most annual transactions.
Each PCI stakeholder uses different thresholds. For example, consider VISA’s PCI levels:
- Level 4: SAQ – Fewer than 20,000 transactions per year
- Level 3: SAQ and AOC – 20,000 to one million transactions per year
- Level 2: SAQ and AOC – One to six million transactions per year
- Level 1: ROC and AOC – Over six million transactions per year
Work with a PCI advisor to understand what level of reporting your organization needs. The AOC and ROC forms generally require working with a Qualified Security Assessor (QSA).
Functionally, this checklist item has two possible components: understanding your PCI Level and, if applicable, securing a third-party assessment partner for AOC or ROC reporting.
PCI DSS 4.0 Requirements for All Organizations
This is the most substantial part of any PCI DSS 4.0 checklist. It comprises 12 Requirements your organization will need to meet, along with sub-requirements and other specifications.
The full list of PCI DSS 4.0 controls breaks down as follows:
- Installing and Maintaining Network Security Controls –
- Clearly defining policies and processes for maintaining network security
- Configuring and maintaining Network Security Controls (NSC)
- Tightly restricting access to the CHD environment (CDE)
- Controlling connections between trusted and untrusted networks
- Mitigating risks to the CDE from connections to untrusted networks
- Applying Secure Configurations to System Components –
- Clearly defining policies and processes for applying secure configurations
- Installing and maintaining secure configurations across system components
- Installing and maintaining secure configurations across wireless networks
- Protecting All Stored Account Data –
- Clearly defining policies and processes for protecting stored account data
- Minimizing the overall amount of account data retained in storage
- Not retaining sensitive account data (SAD) after authorization
- Restricting view and copy access to primary account numbers (PAN)
- Securing all PANs that are retained in storage
- Securing cryptographic keys used to protect account data
- Clearly defining policies and processes for managing keys securely
- Encrypting CHD for Transmission on Open Networks –
- Clearly defining policies and processes for encrypting CHD
- Securing PANs with strong cryptography prior to transmission
- Protecting Systems from Malicious Software –
- Clearly defining policies and processes for protecting against malware
- Detecting, preventing, and addressing malware when it appears
- Installing and monitoring the efficacy of anti-malware mechanisms
- Installing anti-phishing mechanisms to protect users from social engineering
- Developing and Maintaining Secure Systems and Software –
- Clearly defining policies and processes for developing secure systems
- Developing bespoke or customized software in a secure manner
- Identifying and addressing vulnerabilities in software development
- Safeguarding all public-facing web apps against common threats
- Managing changes to apps and software in a secure manner
- Restricting Access to CHD by Business Need to Know –
- Clearly defining policies and processes for restricting access by business need
- Appropriately defining and assigning access to system components in the CDE
- Managing access to CDE system components in a systematic manner
- Identifying Users and Authenticating Access to Systems –
- Clearly defining policies and processes for identification and authentication
- Managing user and administrator IDs throughout account lifecycles
- Establishing strong authentication for user and administrator accounts
- Implementing multi-factor authentication (MFA) to secure CDE access
- Configuring MFA systems in a secure manner securely to prevent attacks
- Strictly managing accounts’ and authenticating factors’ access and usage
- Restricting Physical Access to Systems and Networks –
- Clearly defining policies and processes for physically restricting access to CHD
- Implementing physical access controls at all entry or access points to the CDE
- Authorizing and managing physical CDE access for personnel and visitors
- Storing, accessing, and destroying CHD media in a secure manner
- Protecting point of interaction (POI) devices from tampering and misuse
- Logging and Monitoring Access to System Components –
- Clearly defining policies and processes for logging and monitoring CHD access
- Supporting threat detection and analysis with consistent audit logs
- Safeguarding audit logs against unauthorized access and changes
- Reviewing audit logs for anomalous or suspicious activity
- Retaining audit log history for future forensic analysis
- Supporting consistent time settings with time synchronization
- Detecting, reporting, and addressing failures of security systems
- Testing System and Network Security Regularly –
- Clearly defining policies and processes for network security testing
- Monitoring wireless access points and addressing unauthorized points
- Identifying, prioritizing, and addressing internal and external vulnerabilities
- Regularly conducting internal and external penetration testing
- Detecting and addressing network intrusions and unexpected changes
- Detecting and addressing unauthorized changes to payment pages
- Supporting Security with Organizational Policies and Programs –
- Creating and maintaining up-to-date and comprehensive security policies
- Defining and implementing policies for acceptable use across technologies
- Formally identifying, evaluating, and managing risks to CHD and the CDE
- Managing policies and processes for seamless PCI DSS compliance
- Carefully documenting and validating PCI DSS scope for compliance
- Continuously training and assessing employees on security awareness
- Screening personnel to minimize the likelihood and impact of insider threats
- Thoroughly managing risks related to third-party service providers (TPSPs)
- Ensuring that TPSPs support customers’ compliance processes
- Immediately responding to incidents that could impact the CDE
While these Requirements apply by default to all PCI-eligible organizations, there are also supplemental and complemental controls that certain organizations may also need to install.
This checklist item includes the above controls, at minimum, along with…
Additional Requirements for Select Organizations
The twelve DSS Requirements apply to all organizations. There are three sets of additional controls that could also apply if your organization is a multi-tenant service provider, if you use Secure Sockets Layer (SSL) or early transport layer security (TLS) technology to protect point of sale (POS) or point of interaction (POI) terminals, or if you are have been designated to require additional PCI DSS diligence by an acquirer or payment brand due to increased risks to CHD.
The three sets of additional requirements break down as follows:
- Additional Requirements for Multi-Tenant Service Providers –
- Protecting and separating all customer environments and data
- Facilitating incident logging and response for all customers
- Additional Requirements for SSL/Early TLS for POS POI Terminals –
- Confirming POI terminals that use SSL or TLS are not susceptible to exploits
- Designated Entities Supplemental Validation (DESV) –
- Implementing a formalized PCI DSS compliance program
- Validating PCI DSS assessment and implementation scope
- Incorporating PCI DSS into business-as-usual activities
- Controlling and managing logical access to the CDE
- Identifying and responding to suspicious events
Each of these breaks down further into sub-requirements and controls. To cover the total possible scope of compliance, your checklist should account for whether any of these apply.
PCI DSS 4.0 Compensating Control Implementation
For organizations that are unable to meet a given PCI DSS requirement, there are still ways to validate compliance. Compensating controls allow organizations to use alternative methods to meet the baseline security objectives of a given control, as long as the same or a similar level of security assurance is achieved. It requires validation by a third-party assessor (AOC or ROC).
The assessor fills out a compensating controls worksheet with the following information:
- Constraints – The organization must document legitimate technical or business complications that preclude compliance with the original PCI DSS requirement(s).
- Definition of Compensating Controls – The organization must document what the compensating controls are and how they meet the objectives of the original requirement.
- Objective – The organization must define the objective of the original or Customized Approach objective, along with the objective met by the stated compensating control.
- Identified Risk – The organization must identify any additional risks posed by the compensating control that would not be expected under the original required control.
- Validation of Compensating Controls – The organization must define how the compensating controls were validated through assessment, usually through a QSA.
- Maintenance – The organization must define what processes are in place to maintain the customized control such that it provides the same security assurance over time.
This checklist item starts with identifying standard PCI requirements that your organization has a legitimate obstacle to meeting, along with possible alternative methods for achieving security.
PCI DSS 4.0 Customized Approach Implementation
The Customized Approach is another alternative way for organizations to achieve full PCI DSS compliance without meeting the Defined specifications of one or more of the Requirements.
Each Requirement contains Defined Approach Requirements and Testing Procedures that explain exactly what is needed for organizational compliance to be validated. But there are also Customized Approach objectives that can be met instead of the Defined ones in ROC reporting.
For example, PCI DSS Requirement 2.3, governing configuration and management of wireless environments, has Defined Approach Requirements including default wireless encryption keys and passwords for wireless access points. The Defined Approach Testing Procedures include examining policies and vendor documentation to ensure these measures are in place. But the Customized Approach Objective simply states that “wireless networks cannot be accessed using vendor default passwords or default configurations.” There is little further guidance.
So, for organizations attempting a Customized Approach validation, the onus would fall upon the assessor to document that the objective is reached, and how, along with any additional risks that may arise due to the methods used to satisfy the objective. In the DSS v4.0, templates for control matrices and risk analysis are made available for assessors to adapt accordingly.
This checklist item has two parts: scoping out whether the Customized Approach would be helpful for your organization and, if yes, selecting a qualified PCI advisor to help achieve it.
Achieve and Maintain PCI DSS 4.0 Compliance
If your organization is preparing for PCI DSS compliance, you should account for the timeline until you need to comply, the protocols for assessing your compliance, the requirements you need to implement and assess, and the multiple options for flexibility in meeting those needs.
But most importantly, you should seek out a quality PCI DSS advisor to facilitate the process.
RSI Security has helped organizations meet their PCI compliance needs for over a decade, well before the most recent edition was published. We are committed to serving organizations like yours, instilling discipline now to unlock freedom and comfort to grow in the years to come.
To get started crafting a PCI DSS 4.0 checklist tailored to your needs, get in touch today!