Get Ready for PCI DSS 4.0 Compliance: Understanding New Requirements for Payment Card Processing 

23/02/2024

The IT security world is going through some major changes right now. With new security trends, emerging threats, and the ever-shifting business landscape, we’re seeing significant developments in compliance requirements. For businesses handling payment data, one of the most important updates is the new PCI DSS 4.0 standard. 


What’s PCI DSS All About? 

If you’re not familiar with it, the Payment Card Industry Data Security Standard (PCI DSS) is basically the rulebook for how organisations should handle payment card information. It’s maintained by the Payment Card Industry Security Standards Council (PCI SSC), a body founded by the major card brands that draws on industry participants and security experts. 

The whole point of PCI DSS is to boost payment card security and establish consistent data protection measures worldwide. It provides essential requirements to address threats to the payment ecosystem, focusing particularly on environments that handle payment card data. 

Understanding the Scope of PCI DSS 

The first step in getting compliant is understanding what data the standard covers: 

Cardholder Data: 

  • Primary Account Number 
  • Cardholder Name 
  • Card Expiration Date 
  • Service Code 

Sensitive Authentication Data (SAD): 

  • Full Track Data 
  • Card Verification Codes 
  • PINs/PIN blocks 

It’s worth noting that the standard doesn’t specifically address other types of personal information such as Social Security Numbers or dates of birth; those fall under privacy regulations like GDPR rather than PCI DSS, even when they sit in the same database as card data. 

The environment subject to the standard, the cardholder data environment (CDE), includes all systems that store, process, or transmit cardholder data or sensitive authentication data. Also in scope are “connected-to” and “security-impacting” systems: anything that can reach the CDE (for example, hosts on the same network segment) and any component that provides a security service to it, such as authentication servers, logging platforms, and key management systems. 

Compliance validation is tiered by entity type and transaction volume; the requirements themselves do not change between tiers: 

  1. Service providers, payment processors, merchant gateways, and large-scale payment facilitation and data storage services generally fall into the top levels and must validate through an annual on-site assessment by a Qualified Security Assessor, resulting in a Report on Compliance. 
  2. Smaller merchants and service providers, including terminal-only and lower-volume payment services and data storage entities, can usually self-assess using the Self-Assessment Questionnaire that matches how they handle card data. 

The full set of requirements applies to every entity in scope; the tier only changes how compliance is demonstrated. 

Two dates to remember. On 31st March 2024, PCI DSS v3.2.1 is retired and v4.0 becomes the only active version of the standard. The “future-dated” requirements in v4.0, which count as best practice until then, become mandatory on 31st March 2025, so that is the date by which everyone needs to meet the full standard. 

What’s New in PCI DSS 4.0? 

PCI DSS 4.0 is a significant step forward in addressing emerging threats. It places greater emphasis on: 

Enhanced Cryptography Requirements 

A major focus of the new standard is the use of cryptography and managing cryptographic assets: 

  • Masking on display (Req 3.4.1): when a PAN is displayed, at most the BIN (the first six digits, or the first eight for an eight-digit BIN) and the last four digits may be shown, and only personnel with a documented business need may see more. Masking is a display control; tokenisation, including Format Preserving Encryption, is a way of protecting PAN in storage and does not replace masking. 
  • Protocol security (Req 2.2.5 and 4.2.1): any insecure service, protocol, or daemon that is present must have a documented business justification and additional security features, and PAN sent over open, public networks must be protected with strong cryptography and security protocols. In practice this rules out SSL and early TLS (1.0 and 1.1) anywhere cardholder data is carried. 
  • Keyed hashing (Req 3.5.1.1): where hashing is used to render stored PAN unreadable, it must be a keyed cryptographic hash of the entire PAN (for example HMAC, CMAC, or GMAC), with the key managed under the same controls as other PAN-protecting keys. An unkeyed hash is not acceptable because a 16-digit PAN whose BIN and last four digits are known leaves only a few thousand to a million candidates to try. 
  • Certificate validity (Req 4.2.1 and 4.2.1.1): certificates used to protect PAN in transit over public networks must be confirmed valid, not expired, and not revoked, and the organisation must keep an inventory of its trusted keys and certificates. 
  • Key separation: the same cryptographic keys must not be used in both production and test environments. 
  • Data-at-rest protection (Req 3.3.2): Sensitive Authentication Data that is stored electronically before authorisation completes must be encrypted with strong cryptography. This does not relax the long-standing rule that SAD must not be retained after authorisation. 
  • Disk-level encryption (Req 3.5.1.2): full-disk or partition-level encryption on its own is sufficient only on removable media. On non-removable media, stored PAN must additionally be rendered unreadable by another mechanism, such as column-level database encryption, tokenisation, truncation, or a keyed hash. 
  • Cryptographic inventory (Req 12.3.3): the cipher suites and protocols in use must be documented and reviewed at least every 12 months, including whether any are deprecated or weak. Doing this well means also inventorying the assets behind them: cryptographic keys, certificates, Hardware Security Modules, Key Management Systems, and other secure cryptographic devices. 
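As an added example, not code from this page or from Revo PCI, the following Python puts three of these controls side by side: masking a PAN for display to the BIN plus last four digits, hashing a PAN with a keyed hash (HMAC-SHA256) as Req 3.5.1.1 requires, and a brute-force search that recovers a PAN from an unkeyed SHA-256 digest using only what a masked display reveals. The PAN is the standard Visa test number, the key is generated locally rather than fetched from an HSM or key management system, and the function names are assumptions made for the example.

```python
"""PAN protection under PCI DSS 4.0 Req 3: masking on display (3.4.1) and a
keyed hash of the entire PAN (3.5.1.1), with a brute-force search that shows
why an unkeyed hash does not render a PAN unreadable.

Added example. The PAN is a well-known test number, not real cardholder data,
and the key is generated locally; production code would obtain it from an HSM
or key management system and never embed it in source.
"""
import hashlib
import hmac
import itertools
import os

MASK_CHAR = "X"


def luhn_valid(pan: str) -> bool:
    """Luhn (mod 10) check used by all major card brands."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str, bin_len: int = 6) -> str:
    """Req 3.4.1: a displayed PAN shows at most the BIN (6 digits, or 8 for an
    eight-digit BIN) and the last four digits; everything else is masked."""
    if bin_len not in (6, 8):
        raise ValueError("BIN length must be 6 or 8")
    if len(pan) < bin_len + 4:
        raise ValueError("PAN too short to mask")
    hidden = len(pan) - bin_len - 4
    return pan[:bin_len] + MASK_CHAR * hidden + pan[-4:]


def unkeyed_pan_hash(pan: str) -> str:
    """What many legacy systems did: plain SHA-256 of the PAN. Not acceptable
    under 3.5.1.1, because it is reversible by enumeration (see recover_pan)."""
    return hashlib.sha256(pan.encode()).hexdigest()


def keyed_pan_hash(pan: str, key: bytes) -> str:
    """Req 3.5.1.1: keyed cryptographic hash over the entire PAN (HMAC-SHA256).
    The key must be managed like any other key that protects PAN."""
    if len(key) < 32:
        raise ValueError("use a key of at least 256 bits")
    return hmac.new(key, pan.encode(), hashlib.sha256).hexdigest()


def recover_pan(digest: str, bin_prefix: str, last4: str, hash_fn, pan_len: int = 16):
    """Attacker's view: given a masked PAN (BIN + last four, exactly what 3.4.1
    permits on screen) and a stored digest, enumerate the hidden middle digits.

    With 8 visible BIN digits a 16-digit PAN has only 10**4 candidates, and
    10**6 with a 6-digit BIN; both are trivial against an unkeyed hash.
    hash_fn is whatever the attacker can compute. Without the key they can only
    compute the unkeyed hash, so the same search against a keyed digest fails."""
    hidden = pan_len - len(bin_prefix) - len(last4)
    for middle in itertools.product("0123456789", repeat=hidden):
        candidate = bin_prefix + "".join(middle) + last4
        if not luhn_valid(candidate):
            continue            # skip the ~90% of candidates that cannot be real PANs
        if hmac.compare_digest(hash_fn(candidate), digest):
            return candidate
    return None


if __name__ == "__main__":
    pan = "4111111111111111"          # constructed: the standard Visa test number
    key = os.urandom(32)              # production: from the HSM/KMS, never in code
    print(mask_pan(pan, 8))
    weak = unkeyed_pan_hash(pan)
    strong = keyed_pan_hash(pan, key)
    print("unkeyed hash recovers:", recover_pan(weak, pan[:8], pan[-4:], unkeyed_pan_hash))
    print("keyed hash recovers:  ", recover_pan(strong, pan[:8], pan[-4:], unkeyed_pan_hash))
```

The search runs through at most ten thousand candidates when the masked display shows an eight-digit BIN, which is why "hash it with SHA-256" was never a real protection; the keyed version only moves the problem to key management, so the HMAC key has to be generated, stored, rotated, and destroyed under Requirement 3.6 and 3.7 like any encryption key.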

Additional Operational Measures 

Beyond cryptography, PCI DSS 4.0 introduces stricter requirements for: 

  • Password management: the minimum password length rises from 7 to 12 characters (8 only where a system cannot support 12), with both letters and numbers required (Req 8.3.6); none of the last four passwords may be reused (8.3.7); where a password is the only authentication factor for user access it must be changed at least every 90 days unless the account’s security posture is analysed dynamically (8.3.9); and passwords for application and system accounts must not be hard-coded in scripts, configuration files, or source code (8.6.2), which in practice means a secrets manager. 
  • Multi-factor authentication: required for all access into the Cardholder Data Environment, not only for administrators and remote access (8.4.2), and the MFA system itself must be shown to be implemented securely (8.5.1): it must resist replay, must not be bypassable, must use at least two different factor types, and must grant access only when every factor succeeds, without revealing which factor failed. 
  • Code security: bespoke and custom code is reviewed before release (6.2.3), and internal vulnerability scans are performed as authenticated scans (11.3.1.2), with the scan credentials protected as privileged accounts and the results retained as evidence of the assessment. 
  • Monitoring: audit log review must be automated (10.4.1.1), and intrusion detection and prevention systems must detect, alert on, and address covert malware communication channels, DNS tunnelling being the usual example (11.5.1.1). 
  • Regular assessment: PCI DSS scope must be documented and confirmed at least every 12 months (12.5.2), every six months for service providers (12.5.2.1), and formal security awareness training delivered at least annually (12.6.3). 
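An added example, not from this page or any vendor product: a Python sketch of the password policy check (8.3.6, 8.3.7) and of an MFA decision that evaluates both factors before answering and returns the same generic result whichever one failed (8.5.1). The salt, user record, and TOTP secret are constructed test values (the TOTP secret is the RFC 6238 test-vector secret), PBKDF2 stands in for whatever password hashing your platform provides, and the iteration count is an assumption to tune to your hardware.

```python
"""Authentication controls from PCI DSS 4.0 Req 8: password length, composition
and history (8.3.6, 8.3.7) and multi-factor evaluation in which every factor is
checked before any decision and a failure does not say which factor failed
(8.5.1). Added example; the user record, salt and TOTP secret are constructed
test values, not real credentials.
"""
import hashlib
import hmac
import struct

MIN_PASSWORD_LENGTH = 12      # Req 8.3.6 (8 only where a system cannot support 12)
PASSWORD_HISTORY_DEPTH = 4    # Req 8.3.7: none of the last four may be reused
PBKDF2_ITERATIONS = 200_000   # assumption: tune to your hardware


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256; any memory-hard KDF would do as well."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


def password_meets_policy(password: str, history: list[tuple[bytes, bytes]]) -> bool:
    """history holds (salt, digest) pairs of the user's previous passwords,
    oldest first. Returns False if the candidate breaks 8.3.6 or 8.3.7."""
    if len(password) < MIN_PASSWORD_LENGTH:
        return False
    if not (any(c.isalpha() for c in password) and any(c.isdigit() for c in password)):
        return False
    for salt, digest in history[-PASSWORD_HISTORY_DEPTH:]:
        if hmac.compare_digest(hash_password(password, salt), digest):
            return False       # reuse of one of the last four
    return True


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1, 30-second step): the usual 'something you have'."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def authenticate(record: dict, password: str, otp: str, unix_time: int) -> str:
    """Req 8.5.1: success of all factors is required, and the caller learns only
    'granted' or 'denied', never which factor was wrong."""
    password_ok = hmac.compare_digest(hash_password(password, record["salt"]), record["digest"])
    otp_ok = hmac.compare_digest(totp(record["totp_secret"], unix_time), otp)
    # Both factors are fully evaluated before the decision, so neither timing
    # nor the response reveals which one failed.
    return "granted" if password_ok and otp_ok else "denied"


# Constructed test record (not real credentials).
SALT = bytes(range(16))
TOTP_SECRET = b"12345678901234567890"      # RFC 6238 test-vector secret
USER = {
    "salt": SALT,
    "digest": hash_password("correct-horse-battery-9", SALT),
    "totp_secret": TOTP_SECRET,
}

if __name__ == "__main__":
    print(password_meets_policy("short1", []))
    print(password_meets_policy("correct-horse-battery-9", []))
    print(totp(TOTP_SECRET, 59))
    print(authenticate(USER, "correct-horse-battery-9", totp(TOTP_SECRET, 59), 59))
    print(authenticate(USER, "wrong-password-000000", totp(TOTP_SECRET, 59), 59))
```

Note what the policy check does not do: it gives no feedback on an MFA failure, but it does explain a rejected new password, because telling a user their chosen password is too short is not an authentication leak. The two situations are often conflated in login code that returns "invalid OTP" separately from "invalid password", which is exactly what 8.5.1 prohibits.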

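As an added example, not from this page or any IDS product, the following Python scores a constructed DNS query log for tunnelling, the covert channel most often cited for 11.5.1.1, and so stands in for the automated log review 10.4.1.1 asks for. It groups queries by registered domain and flags a domain when queried names carry high-entropy labels and the domain sees many distinct names. The log lines, thresholds, and two-label "registered domain" simplification are assumptions; a production detector would use a public suffix list and tune thresholds against its own baseline.

```python
"""Automated log review (Req 10.4.1.1) applied to the covert-channel detection
that Req 11.5.1.1 expects of IDS/IPS: scoring DNS query logs for tunnelling.
Added example with a constructed log. Registered-domain extraction is a
two-label simplification; use a public-suffix list in production.
"""
import math
from collections import defaultdict

ENTROPY_THRESHOLD = 3.5   # bits/char; hostnames chosen by people sit well below this
MIN_UNIQUE_NAMES = 5      # a tunnel burns a new subdomain for every message

# Constructed log: "<timestamp> <client> <qname> <qtype>" per line.
# example.net receives a burst of long random-looking TXT lookups (tunnel);
# example.org has one hashed-looking CDN label and must NOT be flagged.
SAMPLE_DNS_LOG = """\
2024-02-23T10:00:01Z 10.0.5.12 www.example.com A
2024-02-23T10:00:02Z 10.0.5.12 mail.example.com MX
2024-02-23T10:00:03Z 10.0.5.19 api.example.com A
2024-02-23T10:00:04Z 10.0.5.19 d1a2b3c4d5e6f7.cdn.example.org A
2024-02-23T10:00:05Z 10.0.5.44 a4f9c2e7b1d8g6h3j5k0m2n7p4q9r1s6.tun.example.net TXT
2024-02-23T10:00:05Z 10.0.5.44 b7e1k9m3p5r2t8v4x6z0c1f3h5j7l9n2.tun.example.net TXT
2024-02-23T10:00:06Z 10.0.5.44 c2g4i6k8m0o1q3s5u7w9y2a4c6e8g0i1.tun.example.net TXT
2024-02-23T10:00:06Z 10.0.5.44 d9h7j5l3n1p8r6t4v2x0z9b7d5f3h1j8.tun.example.net TXT
2024-02-23T10:00:07Z 10.0.5.44 e3a1c9e7g5i3k1m9o7q5s3u1w9y7a5c3.tun.example.net TXT
2024-02-23T10:00:07Z 10.0.5.44 f6b8d0f2h4j6l8n0p2r4t6v8x0z2b4d6.tun.example.net TXT
2024-02-23T10:00:08Z 10.0.5.12 www.example.com A
"""


def shannon_entropy(s: str) -> float:
    """Bits per character; random or encoded payload labels score high."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registered_domain(qname: str) -> str:
    """Simplification: last two labels. Real code needs a public-suffix list."""
    labels = qname.rstrip(".").split(".")
    return ".".join(labels[-2:])


def score_dns_log(log_text: str) -> dict:
    """Per registered domain: distinct names, max first-label entropy and
    length, and count of TXT/NULL queries (the record types tunnels favour)."""
    stats = defaultdict(lambda: {"unique": set(), "max_entropy": 0.0, "max_label": 0, "txt": 0})
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue    # malformed line; a real pipeline would count and alert on these
        _, _, qname, qtype = parts
        first = qname.split(".")[0]
        s = stats[registered_domain(qname)]
        s["unique"].add(qname)
        s["max_entropy"] = max(s["max_entropy"], shannon_entropy(first))
        s["max_label"] = max(s["max_label"], len(first))
        s["txt"] += qtype in ("TXT", "NULL")
    return stats


def flag_tunnel_candidates(log_text: str) -> list[str]:
    """A domain is flagged only when both signals agree: at least one
    high-entropy label AND many distinct names. Either alone is noisy."""
    flagged = []
    for dom, s in score_dns_log(log_text).items():
        if s["max_entropy"] >= ENTROPY_THRESHOLD and len(s["unique"]) >= MIN_UNIQUE_NAMES:
            flagged.append(dom)
    return sorted(flagged)


if __name__ == "__main__":
    for dom, s in score_dns_log(SAMPLE_DNS_LOG).items():
        print(f"{dom:14s} unique={len(s['unique']):2d} entropy={s['max_entropy']:.2f} txt={s['txt']}")
    print("flagged:", flag_tunnel_candidates(SAMPLE_DNS_LOG))
```

The single CDN-style label under example.org scores above the entropy threshold on its own, which is why the rule also demands a volume of distinct names; dropping either condition produces the false positives that get automated log review switched off in practice.
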
Why Compliance Matters 

If your business processes card payments or otherwise handles cardholder data, complying with PCI DSS isn’t optional. Non-compliance can mean fees from the card brands passed on through your acquiring bank, higher liability if a breach occurs, and in serious cases loss of the ability to accept cards at all. Understanding the new requirements of PCI DSS 4.0 and developing a plan to meet the March 2025 deadline for the future-dated requirements is essential, both for your business and for your customers. 

How Revo PCI Helps You Achieve Compliance 

At Revo PCI, we provide an ideal platform for organisations on their journey to PCI DSS compliance: 

  • Complete key lifecycle management for hybrid multicloud workloads through a single-pane-of-glass administrative and operational control system 
  • Natively integrated FIPS 140-2 level 3 certified HSM, available on-premises or as SaaS 
  • Comprehensive discovery capabilities to identify all encryption assets and cloud data services, assess security policy and compliance gaps, and remediate issues at scale 
  • Flexible key metadata management, including custom key metadata attributes, mature reporting, and automated key indexing and inventorying 
  • Zero Trust architecture with granular Role-Based Access Controls, Quorum Approvals, and other advanced operational and security features 
  • Data Tokenisation using Format Preserving Encryption, delivering vaultless solutions that support various datasets and can be reversed on the fly based on granular policy controls 
  • Extensive API capabilities with SDKs for different programming languages and integration options with standard identity providers, multifactor authentication solutions, and Security Information and Event Management systems 
  • Future-proof security with rapid adoption of the NIST-selected post-quantum (quantum-resistant) cryptographic algorithms 
  • Enterprise-ready platform built on Confidential Computing that undergoes regular internal and external security assessments 

About Revo PCI 

Revo PCI is a global leader in data security. We prioritise data exposure management, as traditional perimeter-defence measures leave your data vulnerable to malicious threats in hybrid multicloud environments. Our unified data security platform makes it simple to discover, assess, and remediate data exposure risks, whether it’s to enable a Zero Trust enterprise or to prepare for the post-quantum computing era. 

We bring together the very best people in service of our mission, including recognised industry pioneers and experts in cryptography and Confidential Computing. For more information, visit our website or get in touch with our team today.