2024/02/27

What’s new in the PCI DSS v4.0?

There were many changes incorporated into the latest version of the Standard. Below are examples of some of those changes. For a comprehensive view, please refer to the Summary of...

Evertec Trends

Some of the goals of these changes include:

Continue to meet the security needs of the payments industry.

Why it is important: Security practices must evolve as threats change.

Examples:

  • Expanded multi-factor authentication requirements.
  • Updated password requirements.
  • New e-commerce and phishing requirements to address ongoing threats.

Promote security as a continuous process.

Why it is important: Criminals never sleep. Ongoing security is crucial to protect payment data.

Examples:

  • Clearly assigned roles and responsibilities for each requirement.
  • Added guidance to help people better understand how to implement and maintain security.

Increase flexibility for organizations using different methods to achieve security objectives.

Why it is important: Increased flexibility allows more options to achieve a requirement’s objective and supports payment technology innovation.

Examples:

  • Allowance of group, shared, and generic accounts.
  • Targeted risk analyses empower organizations to establish frequencies for performing certain activities.
  • Customized approach, a new method to implement and validate PCI DSS requirements, provides another option for organizations using innovative methods to achieve security objectives.

Enhance validation methods and procedures.

Why it is important: Clear validation and reporting options support transparency and granularity.

Example:

  • Increased alignment between information reported in a Report on Compliance or Self-Assessment Questionnaire and information summarized in an Attestation of Compliance.

The following guides may be useful to you:


How to complete the annual SAQ validation and/or upgrade version

To see more details of the new version of PCI 4.0, see here

PCI DSS quick reference guide
