The PCI Security Standards Council released PCI Data Security Standard (PCI DSS) version 4.0 on March 31, 2022, marking a significant update from version 3.2.1. It became the only active version when PCI DSS 3.2.1 was retired on March 31, 2024. The new standard affects every business that handles credit card data and includes 64 new requirements.

The good news? Most of these “future-dated” changes are not mandatory until March 31, 2025. This gives organizations time to prepare for the updates with the guidance and expertise of LBMC.

Our podcast series takes a closer look at many of these new requirements, one by one, helping you understand the changes and their potential impact on your business.

Additionally, we offer a webinar that provides an overview of PCI DSS 4.0 to ensure your organization is on track for compliance.

Cybersecurity Sense Podcast Series

Requirement 1 – Jan 12, 2023

In this episode, William Parks, Andy Kerr, and Kyle Hinterberg discuss the latest in PCI news and how to master Requirement 1 while preparing for PCI 4.0.

Requirement 3 – Mar 29, 2023

In this episode, William Parks, Andy Kerr, and Kyle Hinterberg discuss the latest in PCI news, new restrictions around PAN data, and how to master Requirement 3 while preparing for PCI 4.0.

Requirement 4 – Aug 8, 2023

This episode covers key PCI developments, an in-depth exploration of Requirement 4, and a helpful QSA Q&A.

We kick off this episode by previewing the upcoming PCI Community Meeting in Portland and discuss our hosts’ presentation on “Generative AI: Your New Secret Weapon or an Insider Threat?” We also talk about the INFI worksheet and the importance of Continuous Compliance.

In the Requirement 4 segment, we focus on strong cryptography, robust security protocols, and the need to secure PAN during transmission over public networks. We highlight industry best practices for wireless networks transmitting PAN and the necessity to secure PAN when using end-user messaging technologies.

A QSA Q&A session wraps up our episode and tackles the issue of responsibility for PCI compliance when using third-party payment services.

Requirement 5 – Sep 5, 2023

We kick off with a sneak peek into the upcoming PCI North America Community Meeting in Portland and introduce the newly launched PCI Community Job Board—a dedicated platform for security talent and job postings in the payment industry.

Next, we delve into Requirement 5, shedding light on anti-malware solutions. We explore the criteria for system components which do not require anti-malware, delve into the specifics of anti-malware implementation, and highlight the periodic evaluations required for maintaining optimal security.

Wrapping up, our QSA Q&A segment addresses a common query: the rotation of QSAs in organizations.

Requirement 6 – Oct 17, 2023

We kick things off with key insights from the recent PCI Community Meeting. Next, we dive into Requirement 6, discussing the essence of secure software development, from processes to security vulnerabilities, web application protection, and change management.

Our QSA Q&A segment addresses a vital question: What documentation should you expect from PCI DSS compliant service providers?

Requirement 7 – Nov 7, 2023

We kick off with a news segment spotlighting the new SAQ SPOC (Software PIN Entry on COTS) which includes portions of PCI DSS Requirements 3, 8, 9, and 12.

Transitioning to Requirement 7, we discuss restricting access to system components and cardholder data based on business necessity, delving into sub-requirements 7.1 to 7.3, and discussing the principles of ‘need to know’ and ‘least privileges.’

Our QSA Q&A segment addresses the applicability of Requirement 7 to customer/cardholder accounts, clarifying the scope and the specific entities impacted by this requirement.

Requirement 8 – Jan 11, 2024

We begin with a news segment highlighting the PCI SSC’s TRA Guidance. Next, we delve into Requirement 8 of the PCI DSS, dedicated to identifying users and authenticating access to system components. We’ll explore the intricate details of this requirement, covering sub-requirements 8.1 to 8.6. These discussions will include processes for user identification, strict management of user and administrator accounts, strong authentication methods, and the implementation of multi-factor authentication (MFA) to ensure the security of cardholder data environments (CDE).

Our QSA Q&A segment then addresses a critical question: Do all accounts need to comply with these requirements? We’ll provide clarity on the scope, applicability, and exceptions, helping listeners understand the nuances of compliance.

Requirement 9 – Jan 30, 2024

In this January edition of the PCI Monthly Update, we’re on the brink of exciting changes with version 4.0 just around the corner! We start with a spotlight on the ongoing Request for Comments (RFC) period for PCI DSS v4.0, inviting insights from industry experts. Plus, we discuss the Global Content Library, showcasing insights from the 2023 Community Meetings.

Our focus then shifts to Requirement 9, where we break down the critical protocols for restricting physical access to cardholder data. We’ll cover everything from documenting security policies to managing visitor access, ensuring secure storage and destruction of media with cardholder data, and protecting Point of Interaction (POI) devices from security threats.

Wrap up with us as we consolidate today’s takeaways and prepare you for what these updates mean for your compliance strategy.

Requirement 10 – Mar 19, 2024

We’re counting down to the launch of PCI 4.0! We start this month’s podcast with a reminder that v4.0 goes into full effect on March 31.

Our focus then shifts to Requirement 10, which covers logging and monitoring of all access to system components and cardholder data, and what is changing with v4.0.

Requirement 11 – Apr 30, 2024

We begin with a news segment covering the launch of PCI v4.0 and the ins and outs of the new INFI (Items Noted For Improvement) Worksheet.

Next up, we’ll cover Requirement 11 – Test security of systems and networks regularly. This requirement can either be the easiest or hardest for organizations depending on their setup. Our QSA experts provide their insights on best practices and what has changed in v4.0.

This episode is a must-listen for professionals seeking to stay informed and improve their organization’s payment security and compliance.

Requirement 12 – May 21, 2024

We begin with a news segment covering the impact of PCI v4.0 and how organizations are adjusting. In case you missed it – Andy Kerr joined PCI Practice Partner Stewart Fey for an interactive Q&A session on PCI 4.0. If you’re interested in watching this session, reach out to our team for a link.

Next up, we’ll cover the last requirement – Requirement 12 – the “Information Security Catch-All Requirement.” This requirement covers all security functions including policies, security awareness, incident response, etc. Our QSA experts provide their insights on what’s changed with v4.0 and share some experiences in the field.

As you can see there is a lot to take in! However, LBMC has you covered. Our QSA experts live and breathe PCI compliance and are hard at work processing all the changes and thinking about how they will impact our clients and future clients. If you want to talk more about ensuring your organization will be ready for PCI 4.0, please email Shareholder Stewart Fey, CISA, CISSP, QSA at Stewart.Fey@lbmc.com.