PCI DSS v4.0: Essential Compliance Updates for March 2025

The last of the Payment Card Industry Data Security Standard (PCI DSS) v4.0 changes finally come into effect at the end of Q1 2025. Fifty-four (54) requirements that were previously labeled as best practices become mandatory on March 31, 2025.

Notable Changes to PCI DSS Requirements

In earlier v4.0 or v4.0.1 assessments, entities could mark these future-dated requirements as “not applicable” without providing an explanation. Starting March 31, 2025, however, they must be implemented by every entity subject to PCI DSS. Among the most significant are the targeted risk analysis (TRA), updates to key policies, and ongoing maintenance of the following inventories:

  • Trusted keys and certificates used to protect data in transit
  • Systems determined to not be at risk for malware
  • Bespoke/custom software used in the environment
  • Payment page scripts that are loaded and executed in the consumer’s browser
  • Cryptographic cipher suites
  • Hardware and software technologies

Emphasis on Requirement 11.6.1

Requirement 11.6.1 has been a key focus at various payment community events, as organizations work to comply with this new requirement. Assessors typically look for evidence of the following to ensure this requirement is met:

  • Policy/procedural documentation governing how web browsers and payment pages are monitored by the entity
  • Screenshot(s) showing the change detection and alerting configurations
  • Reports or other evidence that the entity is monitoring alerts
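To make the change-detection evidence concrete, here is an added example (not code from Wolf & Company or the PCI SSC) of the core check such a tool performs for Requirement 11.6.1: every script on a payment page is hashed and compared against an authorized baseline, and any added, removed, or altered script produces an alert. The page markup, the script bodies, and the in-memory stand-in for fetching external scripts are all constructed sample data.

```python
# Added example (not Wolf & Company's or PCI SSC code): hash-baseline change detection for payment page scripts (Req. 11.6.1).
import hashlib
from html.parser import HTMLParser

class ScriptCollector(HTMLParser):
    """Record every <script>: external ones by src, inline ones by position."""
    def __init__(self):
        super().__init__()
        self.scripts = []  # (identifier, inline body or None when external)
        self._inline = None

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            src = dict(attrs).get("src")
            if src:
                self.scripts.append((src, None))
            else:
                self._inline = []  # start buffering an inline script body

    def handle_data(self, data):
        if self._inline is not None:
            self._inline.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._inline is not None:
            n = sum(1 for ident, _ in self.scripts if ident.startswith("inline#"))
            self.scripts.append((f"inline#{n}", "".join(self._inline)))
            self._inline = None

def observe(html: str, fetch) -> dict:
    """Hash every script on the page; fetch(src) returns an external script's body."""
    p = ScriptCollector()
    p.feed(html)
    return {i: hashlib.sha256((b if b is not None else fetch(i)).encode()).hexdigest()
            for i, b in p.scripts}

def diff(observed: dict, baseline: dict) -> dict:
    """Classify deviations from the authorized baseline {identifier: sha256}."""
    both = observed.keys() & baseline.keys()
    return {"added": sorted(observed.keys() - baseline.keys()),    # unauthorized script
            "removed": sorted(baseline.keys() - observed.keys()),  # expected script gone
            "changed": sorted(k for k in both if observed[k] != baseline[k])}  # tampered

# Constructed sample: in-memory externals, the page as approved, and a later altered copy.
EXTERNAL = {"/static/checkout.js": "function pay(){}", "https://cdn.example/x.js": "a"}
APPROVED = '<script src="/static/checkout.js"></script><script>init(1)</script>'
LATER = APPROVED.replace("init(1)", "init(2)") + '<script src="https://cdn.example/x.js"></script>'
BASELINE = observe(APPROVED, EXTERNAL.get)   # captured when the page was authorized
ALERT = diff(observe(LATER, EXTERNAL.get), BASELINE)  # what the monitoring run reports
```

In practice the baseline is refreshed only through the entity’s change-control process, and the alert output is what feeds the monitoring reports assessors ask for.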

Third-Party Involvement & Service Expansion

In addition to the new inventories and the management of payment pages, some requirements may involve hiring an additional vendor or expanding services with an existing third party:

  • Requirement 3.4.2: Copy/paste controls are implemented to prevent primary account numbers (PAN) from being copied and relocated when remote-access technologies are in use.
  • Requirement 5.3.3: Removable media is scanned by an anti-malware solution prior to use.
  • Requirement 5.4.1: Automated controls are implemented to protect personnel against phishing.
  • Requirement 7.2.5: User access reviews must be completed at least every six months. Generally, in larger and/or complex environments, a provisioning tool can be used to automate this process.
  • Requirement 8.4.2: Multi-factor authentication (MFA) is used for all access into the cardholder data environment (CDE).
  • Requirement 10.4.1.1: Automated mechanisms are used to review audit logs.
  • Requirement 11.3.1.2: Internal vulnerability scans (which must be completed at least every three months) are performed using an authenticated vulnerability scanner.
  • Requirement 11.6.1: A change-detection or file integrity monitoring (FIM) tool is deployed on every payment page the entity manages.

Policy & Procedure Enhancements

Lastly, the March 31, 2025 deadline requires updates to the policies and procedures the entity maintains:

  • Incident Response Plan & Procedures: Responding to alerts generated by the Requirement 11.6.1 change-detection mechanism, and to cases where PAN is detected in unexpected locations.
  • Security Awareness Program & Policy: Updating the policy at least annually, inclusive of social engineering tactics and awareness about end-user technologies.
  • Data Retention, Storage, Disposal Policies: Addressing any Sensitive Authentication Data (SAD) that is stored before authorization.
  • Key Management: Forbidding the use of the same cryptographic keys in both the production and test environments.

How Wolf Can Assist

As of March 31, 2025, all requirements currently labeled as best practices must be fully implemented, according to official guidance. If an entity completes its PCI Report on Compliance (RoC) before March 31, 2025, it should still ensure that the new requirements are implemented, as external parties may request proof of compliance after that date.

Wolf & Company, P.C. offers a targeted gap assessment focused on the upcoming PCI DSS requirements set to take effect at the end of Q1 2025. Our team is ready to support you in navigating these changes. If you have questions about how these updates may impact your CDE, please reach out to us.