  • February 11, 2025
  • By Daniel Liber, chief information security officer, Cato Networks

Staying Compliant: A Look at the Latest PCI Guidelines for Protecting Customer Payment Data


The Payment Card Industry Data Security Standard (PCI DSS) is a set of security guidelines designed to protect cardholder data, secure payment processing, safeguard organizations from breaches and cyberattacks, and facilitate adoption of consistent data security measures globally.  

Since its debut in 2004, the standard has undergone multiple revisions in line with the growing complexity of cyberthreats. Its latest iteration, PCI DSS version 4.0, was released in March 2022; version 3.2.1 was retired on March 31, 2024, and organizations have until March 31, 2025 to comply with the remaining future-dated requirements. (A limited revision, PCI DSS version 4.0.1, was published in June 2024 to clarify wording and guidance without adding or removing requirements.)

Quick Overview of the New PCI DSS Version 4.x (Version 4.0 and Version 4.0.1) Requirements 

PCI DSS version 4.x adds 64 new requirements relative to its predecessor, version 3.2.1. Thirteen of them became mandatory when version 3.2.1 was retired on March 31, 2024; the remaining 51 are considered best practice until March 31, 2025 and are mandatory thereafter. Listed below are some key highlights, a mix of upcoming requirements and those already in effect (for the full scope of changes, refer to the version 4.0.1 documentation and its summary of changes):

Network security controls (NSCs). Version 4.x places strong emphasis on comprehensive NSCs to protect data during transmission and to prevent unauthorized access. The term replaces "firewalls and routers" from earlier versions so that the requirements cover whatever enforces network policy today, whether physical appliances, virtual devices, container networking, cloud access controls or software-defined networking. The expectation is the same regardless of technology: a documented, restrictive rule set between the cardholder data environment (CDE) and untrusted networks, reviewed on a defined schedule.

Encryption and cryptography. Version 4.x tightens the cryptographic requirements that protect cardholder data. When primary account numbers are sent over open, public networks, only strong protocols and cipher suites may be used and the identity of the receiving endpoint must be verified with certificates; organizations must also maintain an inventory of the trusted keys and certificates in use so that expired, revoked or weak ones can be found. Sensitive authentication data (SAD) must still never be retained after authorization, and if it is stored before authorization it must be encrypted using strong cryptography. A practical check is to confirm that every public-facing endpoint in scope rejects TLS 1.0 and 1.1 and that no self-signed or expired certificates remain on the inventory.

Access control. Version 4.x mandates multifactor authentication (MFA) for all access into the CDE, not only for administrative access as in version 3.2.1. This covers employee, supplier and vendor accounts as well as accounts used to reach third-party cloud services that store, process or transmit cardholder data, and the MFA implementation itself must resist replay and cannot be bypassed by any user. The standard also strengthens password policy: the minimum length rises from 7 to 12 characters (8 where a system cannot support 12), passwords must contain both letters and numbers, and users may not reuse any of their last four passwords.

Web application security. Version 4.x requires an automated technical solution, in practice a web application firewall (WAF) deployed on premises or in the cloud, in front of every public-facing web application. It must inspect all incoming traffic and continually detect and prevent web-based attacks. The solution must be actively running and kept up to date, must generate audit logs, and must be configured either to block attacks or to generate alerts that are investigated immediately. A WAF running in monitor-only mode with nobody reviewing its alerts does not satisfy the requirement.

Anti-malware and anti-phishing. Version 4.x enhances protection against malware and against phishing attacks that trick personnel into revealing credentials or other sensitive information. It mandates an anti-malware solution that updates automatically, performs real-time or continuous scanning, generates audit logs that are retained, and scans removable media (such as USB or flash drives) on insertion. Processes and automated mechanisms (such as anti-spoofing controls for email, link and attachment scanning, and security awareness training) must also be in place to detect phishing attempts and protect personnel from them.

Automated log analysis and vulnerability scanning. Detecting anomalies and malware by reviewing system logs manually is slow and error-prone. The difficulty stems from the number of security tools that must be monitored, the volume of events those tools produce, and the shortage of skilled personnel available to interpret them. Version 4.x therefore requires automated mechanisms for reviewing audit logs, so that suspicious and anomalous activity is surfaced without a human reading every line, and it requires that internal vulnerability scans be performed as authenticated scans so that vulnerabilities visible only to a logged-in user are found.
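As an illustration of the kind of automated audit-log review the paragraph above calls for, here is a small added example (not code from the article or from Cato Networks). The log format, host names, addresses and the sample lines are all constructed for the example; the two detection rules, a failed-login burst from one source and a success from a source that has just failed repeatedly, are the sort of rules a reviewer would otherwise have to apply by eye.

```python
"""Automated review of authentication log lines: a single pass that raises
alerts for brute-force bursts and for logins that succeed right after a run
of failures from the same source. Log format and data are constructed."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Assumed log format for this example:
#   "<ISO-8601 ts>Z <host> auth: <OK|FAIL> user=<name> src=<ip>"
LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) (?P<host>\S+) auth: "
    r"(?P<result>OK|FAIL) user=(?P<user>\S+) src=(?P<src>\S+)$"
)

# Constructed sample log lines (not real data): a burst of failures from one
# external address followed by a success, ordinary LAN activity, and one
# malformed line to show that unparsed input is counted rather than dropped.
SAMPLE_LOGS = """\
2025-02-10T02:14:01Z pay-app-01 auth: FAIL user=admin src=203.0.113.7
2025-02-10T02:14:09Z pay-app-01 auth: FAIL user=root src=203.0.113.7
2025-02-10T02:14:20Z pay-app-01 auth: FAIL user=svc_batch src=203.0.113.7
2025-02-10T02:14:33Z pay-app-01 auth: FAIL user=jdoe src=203.0.113.7
2025-02-10T02:14:47Z pay-app-01 auth: FAIL user=jdoe src=203.0.113.7
2025-02-10T02:15:02Z pay-app-01 auth: FAIL user=jdoe src=203.0.113.7
2025-02-10T02:15:30Z pay-app-01 auth: OK user=jdoe src=203.0.113.7
2025-02-10T09:05:00Z pay-app-01 auth: OK user=alice src=10.10.4.21
2025-02-10T09:06:12Z pay-app-01 auth: FAIL user=bob src=10.10.4.22
2025-02-10T09:06:40Z pay-app-01 auth: OK user=bob src=10.10.4.22
this line is not in the expected format and is counted as unparsed
""".splitlines()


def parse_line(line):
    """Return an event dict for a well-formed line, or None for anything else."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return ev


def analyze(lines, fail_threshold=5, window=timedelta(minutes=5)):
    """Single pass over time-ordered lines; returns (alerts, unparsed_count).

    Per source address:
      * brute_force: at least fail_threshold failures inside `window`
      * success_after_failures: a successful login while the same source still
        has 3 or more failures inside the window (credential-stuffing signature)
    Each rule fires once per source (or source+user) to avoid alert floods.
    """
    recent_fail = defaultdict(deque)   # src -> timestamps of failures inside window
    alerted = set()                    # rule keys already raised
    alerts, unparsed = [], 0

    for line in lines:
        ev = parse_line(line)
        if ev is None:
            unparsed += 1
            continue
        src, q = ev["src"], recent_fail[ev["src"]]
        while q and ev["ts"] - q[0] > window:   # age out old failures
            q.popleft()
        if ev["result"] == "FAIL":
            q.append(ev["ts"])
            if len(q) >= fail_threshold and (src, "brute_force") not in alerted:
                alerted.add((src, "brute_force"))
                alerts.append({"rule": "brute_force", "src": src, "user": ev["user"],
                               "ts": ev["ts"], "failures": len(q)})
        elif len(q) >= 3 and (src, ev["user"], "success_after_failures") not in alerted:
            alerted.add((src, ev["user"], "success_after_failures"))
            alerts.append({"rule": "success_after_failures", "src": src, "user": ev["user"],
                           "ts": ev["ts"], "failures": len(q)})
    return alerts, unparsed


if __name__ == "__main__":
    found, bad = analyze(SAMPLE_LOGS)
    for a in found:
        print(f"{a['ts'].isoformat()} {a['rule']:<24} src={a['src']} "
              f"user={a['user']} recent_failures={a['failures']}")
    print(f"unparsed lines: {bad}")
```

On the sample data the first rule fires at the fifth failure from 203.0.113.7 and the second fires on the later successful login from the same address, while the single failure from 10.10.4.22 produces nothing. In production the same structure runs over a log pipeline rather than an in-memory list, and the thresholds and window belong in configuration that is reviewed alongside the rest of the log-review procedure.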

Key Challenges Posed by the New PCI DSS Standard  

PCI DSS version 4.x introduces several practical challenges for organizations working toward compliance.

Compliance complexity. The new standard adds enough requirements, and enough flexibility in how they may be met (including the customized approach, which lets an organization meet a requirement's objective with controls of its own design, provided it documents and tests them), that security leaders can struggle to determine the most effective and efficient path to compliance.

Upgrade challenges. Most organizations run legacy and siloed systems that do not easily support the new requirements, for example MFA for every CDE login or 12-character passwords on older platforms. Significant upgrades to existing security infrastructure may be needed, and orchestrating changes of that size can cause business disruption and downtime.

Challenges with detection and monitoring. Achieving continuous, automated, real-time monitoring is difficult, especially when events are spread across multiple point products with no common view.

Cloud Technologies Can Simplify PCI DSS Compliance 

Secure Access Service Edge (SASE) is a cloud-native model that combines network security functions with software-defined wide area network capabilities to support the dynamic access needs of organizations. SASE consolidates several security capabilities (secure web gateway, firewall-as-a-service, intrusion prevention system, data loss prevention, zero-trust network access and extended detection and response) into a single architecture delivered as a cloud service. It paves the road to PCI compliance in several ways:

Data protection. SASE carries traffic between sites, users and clouds over encrypted tunnels and can inspect TLS traffic for threats, so cardholder data is protected and monitored in transit. Its data loss prevention features control the flow of sensitive cardholder data across networks, cloud applications and endpoints, so that data is not accidentally or maliciously exposed.

Security monitoring, detection and response. Because every user and data flow traverses the same SASE backbone, the platform can attach consistent context (user, device, location, application) to each event. That gives security teams an integrated view of security events, and a single source of audit logs, without having to manually connect the dots across tools.

PCI DSS version 4.x represents a significant update to the security controls and processes expected of organizations that handle cardholder data. While the changes pose new implementation challenges, they also provide an opportunity to enhance security, increase resilience and build stakeholder trust.

Daniel Liber is chief information security officer at Cato Networks, a leading network security provider. He was previously group CISO and chief security officer at Playtech, senior solutions architect for Amdocs, and R&D security leader for CyberArk. He holds an MBA from Tel Aviv University. 
