The Payment Card Industry Data Security Standard (PCI DSS) is today the most widely adopted security standard in the payment ecosystem.
Maintained since 2006 by the PCI Security Standards Council (PCI SSC), it aims to ensure that every company that processes, stores or transmits cardholder data keeps that data secure.
Successive updates have kept the standard in step with new purchasing habits, such as e-commerce and digital commerce, and with increasingly sophisticated threats to card data.
The latest major version, PCI DSS v4, was released on March 31, 2022. It brought multiple changes to adapt the standard to this new reality, including 64 new controls.
Of these 64 controls, 13 have applied to every assessment since March 31, 2024, when PCI DSS v3.2.1 was retired. The remaining 51 were defined as "best practices" until March 31, 2025, which is to say they have not been mandatory until now.
That changes this year: on March 31, 2025, the PCI v4 controls that have so far been treated as best practices become mandatory.
New mandatory controls to consider for March 31, 2025
Keeping up with the latest changes and PCI DSS compliance requirements can be difficult, which is why advice from a compliance team that specializes in the payments ecosystem is worth having.
At A2SECURE, our team, which works daily with companies across many sectors, has compiled the new controls that most need attention ahead of the deadline set by the PCI SSC: March 31, 2025.
Below you will find a list of the most important ones.
4. Public Networks
4.2.1.1.a Inventory of keys and certificates used to protect PAN in transit
Examine documented policies and procedures to verify processes are defined for the entity to maintain an inventory of its trusted keys and certificates.
4.2.1.1.b Inventory of keys and certificates kept up to date
Examine the inventory of trusted keys and certificates to verify it is kept up to date.
5. Anti-Malware
5.3.3.a Anti-malware scanning of removable electronic media (USB devices and similar)
Examine anti-malware solution(s) configurations to verify that, for removable electronic media, the solution is configured to perform at least one of the elements specified in this requirement:
• Performs automatic scans when the media is inserted, connected, or logically mounted, OR
• Performs continuous behavioral analysis of systems or processes when the media is inserted, connected, or logically mounted.
5.4.1 Anti-phishing mechanisms
Observe implemented processes and examine mechanisms to verify controls are in place to detect and protect personnel against phishing attacks.
6. Secure Development
6.4.2.a Web Application Firewall (or equivalent automated technical solution)
For public-facing web applications, examine the system configuration settings and audit logs, and interview responsible personnel to verify that an automated technical solution that detects and prevents web-based attacks is in place in accordance with all elements specified in this requirement:
• Is installed in front of public-facing web applications and is configured to detect and prevent web-based attacks.
• Is actively running and up to date as applicable.
• Generating audit logs.
• Configured to either block web-based attacks or generate an alert that is immediately investigated.
6.4.3.a Management of scripts loaded and executed in the consumer's browser
Examine policies and procedures to verify that processes are defined for managing all payment page scripts that are loaded and executed in the consumer’s browser, in accordance with all elements specified in this requirement:
• A method is implemented to confirm that each script is authorized.
• A method is implemented to assure the integrity of each script.
• An inventory of all scripts is maintained with written justification as to why each is necessary.
7. Roles and Access
7.2.4.a Periodic review of user accounts and associated permissions
Examine policies and procedures to verify they define processes to review all user accounts and related access privileges, including third-party/vendor accounts, in accordance with all elements specified in this requirement:
• At least once every six months.
• To ensure user accounts and access remain appropriate based on job function.
• Any inappropriate access is addressed.
• Management acknowledges that access remains appropriate.
7.2.4.b Evidence that the periodic reviews of user accounts and permissions are carried out
Interview responsible personnel and examine the documented results of periodic user account reviews to verify that the reviews are performed in accordance with all elements specified in this requirement.
8. Logical Access Controls
8.3.6 Password Policy
Examine system configuration settings to verify that user password/passphrase complexity parameters are set in accordance with all elements specified in this requirement:
• A minimum length of 12 characters (or IF the system does not support 12 characters, a minimum length of eight characters).
• Contain both numeric and alphabetic characters.
8.4.2 MFA configuration
Examine network and/or system configurations to verify MFA is implemented for all access into the CDE.
10. Monitoring
10.4.1.1 Security event management
Examine log review mechanisms and interview personnel to verify that automated mechanisms are used to perform log reviews.
11. Vulnerability management
11.3.1.2.a Authenticated scanning configuration for internal scans
Examine scan tool configurations to verify that authenticated scanning is used for internal scans, with sufficient privileges, for those systems that accept credentials for scanning. Systems that cannot accept credentials for authenticated scanning must be documented, with policies and procedures that justify the exception.
11.6.1.a Detection and alerting of unauthorized modifications to payment pages
Examine the system configuration, monitored payment pages and the results of monitoring activities to verify the use of a mechanism to detect unauthorized changes and manipulations to both HTTP headers and the content of payment pages as received by the consumer’s browser.
12. Policies and procedures
12.3.1 Specific risk analysis for PCI DSS requirements providing flexibility
Examine documented policies and procedures to verify a process is defined for performing targeted risk analyses for each PCI DSS requirement that provides flexibility for how frequently the requirement is performed, and that the process includes all elements specified in this requirement:
• Identification of the assets being protected.
• Identification of the threat(s) that the requirement is protecting against.
• Identification of factors that contribute to the likelihood and/or impact of a threat being realized.
• Resulting analysis that determines, and includes justification for, how frequently the requirement must be performed to minimize the likelihood of the threat being realized.
• Review of each targeted risk analysis at least once every 12 months to determine whether the results are still valid or if an updated risk analysis is needed.
• Performance of updated risk analyses when needed, as determined by the annual review.
12.10.7.a Incident response procedures for card data found in unexpected locations
Examine documented incident response procedures to verify that procedures for responding to the detection of stored PAN anywhere it is not expected to exist are ready to be initiated and include all elements specified in this requirement:
• Determining what to do if PAN is discovered outside the CDE, including its retrieval, secure deletion, and/or migration into the currently defined CDE, as applicable.
• Identifying whether sensitive authentication data is stored with PAN.
• Determining where the account data came from and how it ended up where it was not expected.
• Remediating data leaks or process gaps that resulted in the account data being where it was not expected.
Would you like to know the rest of the new controls that become mandatory from March 31, 2025? Download our PCI V4 Starter Guide now and see the complete list of all the controls that will no longer be considered "best practices".
PCI V4 controls to watch out for
According to our expert team, beyond these new controls there are two testing procedures, already mandatory in 2024, that deserve particular attention in a PCI v4 audit. They appear in each of Requirements 1 to 11.
X.1.2.a Documentation of assigned roles and responsibilities
Review documentation to verify that descriptions of roles and responsibilities for performing the activities in Requirement X are documented and assigned.
X.1.2.b Verification that roles and responsibilities are assigned and understood
Interview personnel responsible for performing the activities of requirement X to verify that roles and responsibilities are assigned as documented and understood.
____
March 31, 2025 is the deadline for adopting the new mandatory controls. Do you need help with the final phase of your adaptation process so that you can meet the requirements? Write to us at [email protected]