Security

Understanding PCI DSS 4.0: A Guide for IT Leaders in Retail

As the retail industry continues to evolve, so do the credit card protection standards. PCI DSS 4.0 is the latest security standard to hit.

Lily Lopate

Twitter

Lily is a Senior Editor at BizTech Magazine. She follows tech trends and the IT leaders who shape them — reporting on entrepreneurial business, security and thought leadership.

Every time a customer taps his or her credit card at checkout, it’s the retailer’s responsibility to process it and protect the cardholder’s data. But with so much data transmitted behind the scenes, the actual security process can be mysterious. How is the data actually protected? And how can IT leaders be certain they’re doing enough on the back end to prevent fraud and data breaches?

That’s where the Payment Card Industry Data Security Standard (PCI DSS) comes in. Every year, the PCI Security Standards Council (PCI SSC) issues a new set of compliance rules, along with documentation, that every business — whether they process fifty transactions or 500 million — must follow.

The newest standard, PCI DSS v4.0, announced in 2022, became effective on March 31, 2024. It’s something that every e-commerce, brick-and-mortar or big-box retailer must comply with. The new version’s requirements are twofold. The first part asked companies to update their documentation guides by the end of March this year and complete a mandatory security self-assessment. If a retailer processes 6 million or more transactions in a day, they must solicit a technology partner, such as CDW, to run the assessment. The second part — due March 31, 2025 — is more complex, as it asks retailers to comply with a set of entirely new criteria, “80 to 90 percent of which are brand new to the industry,” says Brett Phillips, managing director of cybersecurity strategy at CDW.

Click the banner to learn about the comprehensive IT solutions modernizing the retail experience.

According to Forbes, experts say this new version, which is the “most impactful transformation of the standard since version 2.0 over a decade ago, introduces several changes, transitions and goals.” Any business that fails to meet these requirements will be looking at fines and compliance delays, Phillips explains.

Understanding the difference between PCI DSS 3.2.1 and PCI DSS 4.0 is crucial; it’s a key step in protecting customer data. And although the 12 core requirements are unchanged, 4.0 introduces more robust security measures such as MFA requirements across all platforms, more complex passwords and continuous, targeted assessments to treat security as an ongoing effort.

Here’s what IT leaders, particularly those in retail, need to know:

What Is PCI DSS 4.0?

PCI DSS 4.0 is the latest iteration of the standard set by the PCI SSC. “Think of it as credit card insurance,” says Phillips. “If you do all the things you're supposed to do, you really shouldn't see a tangible benefit because everything's just protected,” he says.

But it’s not just the merchants and customers who want their data protected; the push for security is also coming from Visa, MasterCard, Discover, Amex and other credit providers, says Phillips. The banks and credit card companies also want these controls. If a retailer is compliant with these standards, they are demonstrating to their customers, partners and stakeholders that they value their brand reputation and want to make the whole shopping experience safe and secure. “It's a trust exercise,” says Phillips.

PCI DSS 4.0 introduces 64 new requirements — most aimed at continuous risk assessment, privileged access and data management. The new standard also aims to “create an ecosystem of third-party technology partners, all of whom are also PCI-compliant, to improve overall security,” Phillips says.

What Are the Key Aspects of PCI DSS 4.0?

The new standard also covers incident response planning and employee training. This ensures that all employees adhere to security protocols so that everyone is better equipped to know the signs of a hack and to remediate any threats.

PCI DSS 4.0 also goes deeper into network segmentation guidelines, encouraging businesses to isolate and test sections of their network and ensure proper privileged access at each point. This is a widely recognized best practice, especially after the 2013 Target data breach, says Phillips. The retailer that “everyone shops at,” he says, ended up having to pay $18.5 million to settle claims by 47 states, according to NBC News. Investigators found that an attacker entered the network through the HVAC system and eventually made its way to the point of sale. Target’s story became a cautionary tale: Your AC system should not be able to communicate with your checkout.

PCI 4.0 also includes more advanced requirements for regularly updating passwords and securing Internet of Things devices with a zero-trust model or secure access service edge architecture.'

If you do all the things you're supposed to do, you really shouldn't see a tangible benefit because everything's just protected.”

Brett Phillips Managing Director of Cybersecurity Strategy, CDW

How Does It Differ from PCI DSS 3.2.1?

PCI DSS 4.0 has a few significant changes compared with its predecessor, version 3.2.1. Here are some of the key differences:

E-commerce scammer protections: If a customer is checking out using a retailer’s website, there may be hidden malware on the customer’s browser. If so, as soon as the customer enters credit card details, Phillips says, the malware can intercept the entire transaction. E-commerce scammer protections are an extra safeguard to ensure that all application code and scripts are present at the payment page.

A targeted risk assessment: Prior to 2024, retailers were required to physically inspect any point-of-sale card terminals. Now, they must perform a deeper examination of the transaction device, the network and the security architecture around it by “passing a targeted risk assessment, or TRA, which is a PCI term,” says Phillips.

More multifactor authentication: PCI DSS 4.0 puts an emphasis on MFA — particularly when it comes to privileged admin or application accounts. These “forgotten accounts,” Phillips says, do not belong to any one individual, yet they provide a lot of access and are often left without password upgrades, posing another easy entry point for attackers.

Continuous compliance: Unlike the periodic assessments required by PCI DSS 3.2.1, the new standard insists on ongoing monitoring to encourage a “forever security” mentality.

DIG DEEPER: 4 ways retailers can raise their security IQ.

What Are Some PCI DSS 4.0 Requirements?

The requirements for PCI DSS 4.0 are extensive, but here are a few core mandates:

Implement robust firewalls and secure network configurations to protect cardholder data.
Use strong encryption methods to protect the storage and transmission of cardholder data.
Set up a vulnerability management program, with training, that can be regularly updated.
Enable strong MFA access control measures so that cardholder data is restricted and controlled.
Conduct regular security tests to continuously monitor for vulnerabilities.
Develop and enforce a comprehensive security policy that covers all aspects of data protection.

What Documentation Is Out There?

There are several resources IT leaders can turn to to get all criteria satisfied by the PCI deadline. The PCI DSS 4.0 Standard Document is a comprehensive guide that outlines all of the requirements for achieving compliance. There are also the self-assessment questionnaires (SAQs), which help organizations assess their compliance status and identify areas for improvement. And finally, the PCI DSS prioritized approach helps organizations with their compliance efforts step by step.

PCI DSS 4.0 represents a significant advancement in the credit card security standard. Staying compliant not only helps protect sensitive data but also enhances the overall security of retail operations.

UP NEXT: The handheld technology that is reducing friction for shoppers.

DGLimages/Getty Images