PCI DSS 4.0 Requirements
There are new broad PCI DSS 4.0 compliance requirements that apply to eCommerce websites. The new requirements add a Level 4 which applies to small eCommerce websites handling less than 20,000 transactions per year. These websites did not previously have to complete requirements for PCI DSS version 3. The deadline for compliance with these is March 31, 2024, with another 51 requirements following a year later on March 31, 2025.
Some examples of website situations where you now need to comply with PCI DSS 4.0:
- Small eCommerce businesses doing less than 20,000 transactions per year.
- Websites handling simple transactions, such as payments for events or scheduling paid bookings.
- Websites which have a credit card form somewhere on their website.
These don’t apply to you if your payment processing happens completely on a payment provider domain. For example, if you send out PayPal invoices directly from PayPal, and no step of the process happens on your own domain.
If you are using a hosted platform, such as Shopify, please contact your platform provider for assistance. Shopify, for example, states that their stores are compliant with Level 1; however, you may still need to fill out a Self-Assessment Questionnaire (SAQ), so you should contact your platform for guidance.
These compliance requirements are contractual, based on your use of the major credit card vendors. They are not specific to any country and apply worldwide. The levels are set according to the risk the business poses to cardholders, banks, merchants and processors.
Compliance requirements are centered around 3 main areas: planning, assessment, and designation of responsibilities.
For this post, we are only focused on Level 4 requirements.
Terms of Compliance
Level 4:
- Generally do not require annual audits.
- You must complete an SAQ.
- MasterCard and American Express may require quarterly ASV scans depending on the SAQ provided. Check with each to determine what scans your organization must complete.
- Visa decides for each merchant what the ASV scanning requirements are.
Then What?
After verifying that your site is a Level 4, you’ll need to focus on your Cardholder Data Environment (CDE). This is defined as any segment that processes, handles, stores, or even “touches” payment card data. It includes Point of Sale (POS) terminals, online payment pages, and data servers, including cloud-based servers. It also includes web pages where credit card forms are embedded via iframes.
Here, you need to act as a private investigator. Did you ever spin-up a server for testing and you’ve since forgotten about it? It must be included. Diagram the exact path from the web page through the network to the processing and validation. EVERY STEP MUST BE DOCUMENTED. Here are some samples of diagrams.
Segmentation is key in this step. Don’t assume that your order form or shopping cart is part of “the process”. Each component must be listed and tested. Every component is a segment of your CDE. Is your cardholder data stored somewhere for easy future purchases? That’s a segment as well.
In this step, the burden of analysis falls equally on you and the assessor to determine the true scope of the assessment.
How Far Are You?
Exactly how far from compliance is your website? Answering that question, sometimes referred to as a Gap Assessment, will show you what you must do by the end of March.
What’s needed is a view of where you are versus where you need to be. This can be a huge time-saver. You may find many areas where you’re already compliant, thus saving you time by not reinventing the wheel.
You’ll do the following when you create your Gap Assessment:
#1. Determine what Level you’re in from above.
#2. See what’s needed at that Level for Compliance.
#3. Map out your CDE.
#4. Analyze the difference between where you are, and where you need to be.
Bring in the Talent
Unless you already have the internal resources to conduct such an audit, you’ll need to contact third-party consultants. You’d be well advised to start reaching out – NOW! Obviously, there is going to be a huge demand for such talent, and there are only so many of them in the world.
You can find good consultants on Upwork. Visa makes it easy on their site as well here.
Cost will be anywhere from $50 an hour up to $250 per hour depending on experience.
Who’s Going to Do What?
There are 13 requirements that must be met by March 31, 2024. Ten of those are focused on identifying who is going to do what. You must start identifying the roles of people and what their responsibilities are. Not only for compliance but also for remediation.
Part of this task involves identifying third-party service providers (TPSP) and what they are responsible for. Sometimes, you’ll use your payment processor as a TPSP. Check with them first.
Something unique to PCI DSS 4.0 is its customized approach. Your organization can meet some select requirements using methods that don’t exactly match the standards but still achieve the same end result. However, note that each such requirement must be approved by a QSA, even if your Level says you could avoid the requirement by filling out an SAQ.
PCI DSS 4.0 boldly states, “Entities that complete a Self-Assessment Questionnaire are not eligible to use a customized approach.” That means those who need to comply with Level 2, 3, or 4 are not eligible to use a customized approach.
Checklist – March 31, 2024
- Determine your merchant Level.
- Check your compliance responsibilities depending on your Level.
- Analyze and document your cardholder data environment (CDE).
- How far from compliance are you?
- Contact third-party service providers (TPSP).
- Do you have the necessary resources to comply?
- Define roles and responsibilities.
- Define roles and responsibilities of TPSPs.
- If using a customized approach, have all steps been tested and documented?
Other areas to focus on
Obviously, PCI DSS in general is concerned with malicious software. In their section “Protect Systems from Malicious Software” they have subsections as follows:
- 5.1: Processes for protecting against malware are clearly defined
- 5.2: Malicious software is detected, prevented, and/or addressed
- 5.3: Anti-malware mechanisms are installed and actively monitored
- 5.4: Anti-phishing mechanisms are in place to protect users from scams
Then, in a later section, “Identify Users and Authenticate Access to Systems”:
- 8.1: Processes for identification and authentication are clearly defined
- 8.2: All user and admin IDs are managed throughout accounts’ lifecycles
- 8.3: Strong authentication is established for user and admin accounts
- 8.4: Multi-factor authentication (MFA) is used to secure CDE access
- 8.5: MFA systems are configured securely to prevent misuse
- 8.6: Use of accounts and authenticating factors is strictly managed
As you can see, they now want all merchants to be protecting cardholder data. Sites with lower transaction volumes can no longer escape the rules.
If you have questions, please reach out to your processing service (PayPal, Stripe, etc.) and ask them what areas you need to focus on in order to be compliant.