Preparing to implement PCI 4.0 in a retail environment

On March 31, 2025, the future-dated requirements of PCI DSS 4.0 become mandatory. PCI DSS 4.0 itself replaced v3.2.1 on March 31, 2024, and the remaining requirements were published well in advance so that organizations could prepare for adoption.

Not since Cisco released the PCI 2.0 Retail Design Guide in 2011 has there been an update as extensive as PCI 4.0. Because the update contains so many changes, it has been phased in: the standard took effect in 2024 and the future-dated requirements follow in 2025. Overall, the principles of the existing Cisco 2.0 Retail Design Guide still hold, with tightened requirements and the addition of newer technologies, so we will use the existing 2.0 framework as the basis for discussing the new requirements in PCI 4.0. For a comprehensive overview of PCI DSS requirements and the tools to meet them, this blog provides more depth.

What’s new in PCI 4.0?

New security requirements

The biggest change is the requirement for multi-factor authentication on all access into the cardholder data environment (CDE), not only for administrative and remote access. Authentication and password requirements have been strengthened throughout, and new e-commerce and anti-phishing requirements have been added to the standard.

While not exhaustive, below are some of the requirements added in PCI DSS 4.0.0 and 4.0.1.

  1. New requirements for PAN hashing (keyed cryptographic hashes), for PAN stored on removable electronic media, and for preventing the copy or relocation of PAN over remote-access technologies
  2. New certificate requirements for PAN transmission over open, public networks: certificates must be validated, and expired or revoked certificates are not accepted.
  3. New requirements for malware and phishing protection
  4. New requirements for e-commerce websites and public-facing web applications
  5. New requirements for user account control and MFA for all access into the CDE
  6. New requirements for managing system and application accounts and for protecting stored passwords with strong cryptography
  7. New requirements for automated log review mechanisms (audit tooling)

New policies and processes

Security requires technical controls, policy controls, and people. Each requirement domain now includes a policy requirement and clearly defined roles and responsibilities, so that every aspect of control has clear ownership. This is one of the larger PCI changes overall and helps ensure internal management of all aspects of PCI compliance.

Increased flexibility thanks to a customized approach

Technology has changed dramatically since the PCI standard was first released. With the adoption of more modern private and public cloud technologies, including event-driven architectures and containers, the standard must be flexible enough to accommodate new ways of meeting its objectives. PCI DSS 4.0 therefore introduces the customized approach: where an organization can show that a different control meets the stated customized approach objective of a requirement, it may implement that control and be validated against it. This is separate from compensating controls, which remain available only for cases where a requirement cannot be met because of a documented technical or business constraint.

This is quite a change from previous PCI standards. The customized option allows retailers to adopt newer technologies whose controls may not take the same form and function as the traditional controls described by the defined approach. This matters when evaluating event-driven application architectures, AI tools, and cloud-native technologies, because it allows some flexibility in adopting them as customized controls. Note that each customized control requires a targeted risk analysis and assessment by a QSA, and the customized approach is not available to merchants validating with a self-assessment questionnaire. The topic is broad and beyond the scope of this blog, but it is covered in the PCI standard and summarized in the Quick Reference Guide for PCI DSS 4.0.

More details on the requirements, and on the security controls that can be used to meet them, can be found here.

Changes in related areas: wireless

The requirement for wireless security itself has not changed. One aspect that makes wireless unique in PCI is that certain requirements (1.3.3, 9.2.3) apply to all wireless networks, even those outside the cardholder data environment; this is not limited to store environments with wireless card readers. Because radio signals extend beyond the walls of the store, wireless is the network with the largest exposed attack surface in a retail environment.

What is changing for wireless are the underlying standards themselves. While the 2011 PCI wireless guidelines supplement states that WPA2 or later should be used, WPA3 was released in 2018 and further revisions will follow. In 2024, NIST also published a draft transition plan for post-quantum cryptography (NIST IR 8547) that deprecates today's quantum-vulnerable public-key algorithms after 2030 and disallows them after 2035. Over the coming years, retailers will therefore have to upgrade their wireless networks to newer WPA versions to maintain PCI compliance. The driver is requirement 4.2.1.2, which states that wireless networks transmitting PAN or connected to the CDE must "use industry best practices to implement strong cryptography for authentication and transmission". As industry best practices evolve, so must the retail environment.
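A practical first step toward the wireless requirement above is an inventory check that flags every SSID whose authentication or cipher suite falls short of current best practice. The following Python script is an added example, not code from the original post or from Cisco: it parses hostapd-style `key=value` WLAN configurations and grades each one. The policy thresholds (WEP, WPA version 1, TKIP or open networks fail; WPA2-CCMP and WPA3 transition mode are flagged for an upgrade plan; WPA3-only key management with PMF required passes) are assumptions chosen for illustration, not text from the PCI standard, and the sample configurations are constructed, not real store data.

```python
"""Audit WLAN configurations for strong cryptography for authentication and
transmission. Added example (not from the original post or Cisco). Reads
hostapd.conf-style key=value text; the verdict thresholds are assumptions:
  fail    - open, WEP, WPA (version 1), or TKIP allowed
  upgrade - WPA2-CCMP (including WPA3 transition mode) or PMF not required
  pass    - WPA3 only (SAE or Suite-B-192) with PMF required (ieee80211w=2)
"""
from typing import Dict, List, Tuple

WPA3_KEY_MGMT = {"SAE", "WPA-EAP-SUITE-B-192"}


def parse_hostapd(text: str) -> Dict[str, str]:
    """Parse hostapd.conf-style key=value lines; comments and blanks ignored."""
    conf: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        conf[key.strip()] = value.strip()
    return conf


def assess_wlan(conf: Dict[str, str]) -> Tuple[str, List[str]]:
    """Return (verdict, reasons) for one WLAN. Defaults mirror hostapd's own:
    wpa=0, wpa_key_mgmt=WPA-PSK, wpa_pairwise='TKIP CCMP', ieee80211w=0."""
    reasons: List[str] = []
    if any(key.startswith("wep_") for key in conf):      # wep_key0..3, wep_default_key
        reasons.append("WEP configured")
    wpa = int(conf.get("wpa", "0"))                       # bit 1 = WPA, bit 2 = WPA2/RSN
    if wpa == 0:
        if not reasons:
            reasons.append("open network (wpa=0)")
        return "fail", reasons
    if wpa & 1:
        reasons.append("WPA (version 1) enabled")
    key_mgmt = set(conf.get("wpa_key_mgmt", "WPA-PSK").split())
    # rsn_pairwise (WPA2/WPA3 ciphers) falls back to wpa_pairwise when unset.
    pairwise = set(conf.get("rsn_pairwise", conf.get("wpa_pairwise", "TKIP CCMP")).split())
    if "TKIP" in pairwise:
        reasons.append("TKIP pairwise cipher allowed")
    if reasons:
        return "fail", reasons
    pmf = int(conf.get("ieee80211w", "0"))                # 0 off, 1 optional, 2 required
    wpa3_only = key_mgmt <= WPA3_KEY_MGMT
    if wpa3_only and pmf == 2:
        return "pass", ["WPA3-only key management with PMF required"]
    if not wpa3_only:
        legacy = " ".join(sorted(key_mgmt - WPA3_KEY_MGMT))
        reasons.append(f"WPA2 key management still offered: {legacy}")
    if pmf < 2:
        reasons.append(f"management frame protection not required (ieee80211w={pmf})")
    return "upgrade", reasons


def audit(configs: Dict[str, str]) -> Dict[str, Tuple[str, List[str]]]:
    """Assess a name -> config-text map, e.g. one entry per SSID or site."""
    return {name: assess_wlan(parse_hostapd(text)) for name, text in configs.items()}


# Constructed sample configurations for illustration (not real store data).
SAMPLE_CONFIGS = {
    "pos-wpa3": "ssid=STORE-POS\nwpa=2\nwpa_key_mgmt=SAE\nrsn_pairwise=CCMP\nieee80211w=2\n",
    "pos-wpa2": "ssid=STORE-POS-LEGACY\nwpa=2\nwpa_key_mgmt=WPA-PSK\nrsn_pairwise=CCMP\nieee80211w=0\n",
    "pos-transition": "ssid=STORE-POS-MIXED\nwpa=2\nwpa_key_mgmt=WPA-PSK SAE\nrsn_pairwise=CCMP\nieee80211w=1\n",
    "handheld-old": "ssid=SCANNERS\nwpa=3\nwpa_key_mgmt=WPA-PSK\nwpa_pairwise=TKIP CCMP\n",
    "guest": "ssid=STORE-GUEST\nwpa=0\n",
}

if __name__ == "__main__":
    for name, (verdict, reasons) in audit(SAMPLE_CONFIGS).items():
        print(f"{name:15} {verdict:8} {'; '.join(reasons)}")
```

Controller-based enterprise WLANs export their settings in other formats, so in practice the parser is the part you replace; the grading logic stays the same, and the "upgrade" verdict is where a retailer's multi-year WPA3 migration plan should start.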

Please contact your account team with questions or to see how Cisco technology is helping our largest retail customers address these new requirements.
