How is PCI DSS v4.0.1 going to impact my business?
Overall impact of PCI DSS v4.0.1
Merchants had until March 31, 2024 to validate their compliance using version 3.2.1 of the SAQs; after that date, the v3.2.1 SAQs can no longer be used.
Merchants will need to start validating with version 4.0.1 and should start now to implement any missing controls, especially those future-dated requirements, which need to be in place by March 31, 2025.
SAQs will take longer to fill out
Be aware that almost every question in the PCI v4 SAQ was re-worded and re-ordered, so filling out the SAQ may take more time. Because the questions have been reworded, businesses will need to answer additional questions even if nothing in their network has changed.
To help mitigate this, our support agents have mapped as many questions as possible from the 3.2.1 SAQ to the 4.0 SAQ. By using SecurityMetrics' FastPass, you could significantly reduce the number of questions you need to answer.
SAQ D service provider changes
The SAQ D Service Provider version 4.0 report has changed significantly and now requires the individuals performing the assessment to explain which observations led to their conclusions, as the Report on Compliance (ROC) does.
These changes will contribute to a significant increase in time required to perform an assessment and to complete the report.
There are also 11 new requirements which are only applicable to service providers, such as requirement 12.5.2.1, which requires that your "PCI DSS scope is documented and confirmed by the entity at least once every six months and upon significant change to the in-scope environment."
To find out the exact changes for service providers, read our blog about Performing an SAQ D Service Provider version 4.0 Self-Assessment.
New requirements for ecommerce security
New PCI DSS v4.0.1 requirements (e.g., requirements 6.4.3 and 11.6.1) require SAQ A, SAQ A-EP and SAQ D merchants, and SAQ D service providers, to implement change-detection procedures and technologies that alert personnel to unauthorized modifications to the HTTP headers and contents of the page(s) used to house the TPSP iframe. Such tamper-detection mechanisms must run at least weekly to look for unauthorized modifications to these critical web pages.
The SecurityMetrics Shopping Cart Monitor can be used to help meet the intent of these requirements.
What are the actual changes?
The release of version 4 may cause anxiety for those already familiar with the current PCI DSS requirements. Rest assured that the 12 core PCI DSS requirements remain fundamentally the same; version 4 is not a totally new standard.
However, PCI DSS v4.0 introduced 64 new requirements (11 of which are only applicable to service providers). Most of these new requirements are future-dated to March 31, 2025, with notable exceptions being requirements around documentation and performing a targeted risk analysis. To find out more about specific requirement updates, check out this resource. There were also significant changes to the wording of questions.
To find out about more of the fundamental changes within PCI DSS v4.0.1, read our white paper PCI DSS Version 4.0.1: What You Need to Know.
Top PCI v4.0 requirement changes
PCI DSS Section 3
- Remote access technology used must prevent copy/relocation of PAN to remote system (3.4.2) (2025)
- Must use keyed hash (3.5.1) (2025)
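Requirement 3.5.1's "keyed hash" point is that a hash of a PAN must not be recomputable by anyone who lacks the key. The following is an added example, not SecurityMetrics code and not text from the standard, showing one common way to do that with HMAC-SHA256 in Python. The PAN 4111 1111 1111 1111 is a widely used test number, the key-management calls are placeholders, and the plain SHA-256 function is included only to contrast an unkeyed hash with a keyed one.

```python
import hashlib
import hmac
import secrets


def luhn_valid(digits: str) -> bool:
    """Luhn check-digit test, used here only to reject malformed input before hashing."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def normalize_pan(pan: str) -> str:
    """Strip spaces/dashes so the same card always hashes to the same value."""
    digits = "".join(ch for ch in pan if ch.isdigit())
    if not 13 <= len(digits) <= 19 or not luhn_valid(digits):
        raise ValueError("not a well-formed PAN")
    return digits


def keyed_pan_hash(pan: str, key: bytes) -> str:
    """HMAC-SHA256 over the normalized PAN. Without `key` the value cannot be
    recomputed from the PAN, which is what makes the hash 'keyed'."""
    if len(key) < 32:
        raise ValueError("hash key must be at least 256 bits")
    return hmac.new(key, normalize_pan(pan).encode("ascii"), hashlib.sha256).hexdigest()


def unkeyed_pan_hash(pan: str) -> str:
    """Plain SHA-256: anyone holding the PAN gets the same value. For contrast only."""
    return hashlib.sha256(normalize_pan(pan).encode("ascii")).hexdigest()


def pan_matches(candidate: str, stored_hash: str, key: bytes) -> bool:
    """Constant-time comparison of a presented card against a stored keyed hash."""
    return hmac.compare_digest(keyed_pan_hash(candidate, key), stored_hash)


# Constructed demonstration input: a standard test number, not a real card.
TEST_PAN = "4111 1111 1111 1111"


def demo() -> dict:
    # Placeholder key generation; a real deployment obtains the key from its
    # key-management procedures (Requirements 3.6 and 3.7), never from application code.
    key_a = secrets.token_bytes(32)
    key_b = secrets.token_bytes(32)
    hash_a = keyed_pan_hash(TEST_PAN, key_a)
    return {
        "same_key_same_value": hash_a == keyed_pan_hash("4111111111111111", key_a),
        "different_key_different_value": hash_a != keyed_pan_hash(TEST_PAN, key_b),
        "matches_with_key": pan_matches(TEST_PAN, hash_a, key_a),
        "unkeyed_is_key_independent": unkeyed_pan_hash(TEST_PAN)
        == hashlib.sha256(b"4111111111111111").hexdigest(),
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

The key must be protected like any other cryptographic key; a keyed hash whose key sits next to the hashes in the same database offers no more protection than an unkeyed one.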
PCI DSS Section 4
- SSL certs used for transmission must be inventoried/documented (4.2.1.1) (2025)
PCI DSS Section 5
- Process and mechanism in place to detect and protect against phishing attack (5.4.1) (2025)
PCI DSS Section 6
- Method and process to review, inventory, authorize all scripts on payment pages (6.4.3) (2025)
  - Confirm scripts are authorized and justified (document)
  - Assure integrity of scripts on payment pages (CSP / SRI)
PCI DSS Section 8
- Minimum password length moving to 12 (8.3.6) (2025)
- MFA for ALL access to the CDE + new MFA features required (8.4.2) (2025)
- Can’t put system/software passwords in files/scripts (8.6.2) (2025)
PCI DSS Section 10
- No manual log analysis, must automate (10.4.1.1) (2025)
- Failure of critical security controls detected, alerted, responded (10.7.2) (now)
PCI DSS Section 11
- Internal VA scans must include authenticated scanning techniques (11.3.1.2) (2025)
- SAQ A added external VA scans (11.3.2) (now)
- Deploy change and tamper detection system for payment page monitoring (11.6.1) (2025)
  - This is not FIM
  - Detects new scripts or changes to included scripts, runs at least weekly
  - Applicable to SAQ A, A-EP, D for Merchants, and D for Service Providers
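The 6.4.3 script inventory and the 11.6.1 payment page change detection described above, and in the earlier ecommerce section, are shown together in the following added example. It is not SecurityMetrics code or a description of the Shopping Cart Monitor product; it is a minimal monitor in Python that a practitioner could schedule weekly. The checkout HTML, the script bodies, the hostnames (`cdn.example-psp.test`, `pay.example-psp.test`, `static.unknown-cdn.test`) and the header baseline are all constructed for the example, and retrieval of the live page and scripts is assumed to happen outside the snippet (the snapshot is passed in).

```python
import base64
import hashlib
import re

# --- constructed sample data (hypothetical hostnames, not real services) ---
CHECKOUT_URL = "https://cdn.example-psp.test/checkout.js"
CHECKOUT_JS = b"window.Checkout = { init: function () { /* constructed TPSP stub */ } };\n"
INLINE_BOOT = "Checkout.init();"


def sri_hash(content: bytes, algo: str = "sha384") -> str:
    """Subresource Integrity value '<algo>-<base64 digest>' for a script body."""
    digest = hashlib.new(algo, content).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"


# Authorized-script inventory (6.4.3): each script carries a written justification
# and an integrity value; inline scripts are inventoried by the hash of their body.
INVENTORY = {
    "external": {CHECKOUT_URL: {"integrity": sri_hash(CHECKOUT_JS),
                                "justification": "TPSP checkout library (constructed)"}},
    "inline": {sri_hash(INLINE_BOOT.encode()): "bootstraps the TPSP iframe (constructed)"},
}
# Baseline of the response headers that protect the page (11.6.1 covers headers too).
BASELINE_HEADERS = {
    "content-security-policy": "default-src 'self'; script-src 'self' https://cdn.example-psp.test; "
                               "frame-src https://pay.example-psp.test",
    "strict-transport-security": "max-age=31536000; includeSubDomains",
    "x-frame-options": "DENY",
}

SCRIPT_TAG = re.compile(r"<script\b([^>]*)>(.*?)</script>", re.IGNORECASE | re.DOTALL)
SRC_ATTR = re.compile(r"""\bsrc\s*=\s*["']([^"']+)["']""", re.IGNORECASE)


def extract_scripts(html: str) -> list:
    """Return (src, inline_body) per <script> tag; src is None for inline scripts."""
    found = []
    for attrs, body in SCRIPT_TAG.findall(html):
        match = SRC_ATTR.search(attrs)
        found.append((match.group(1) if match else None, body.strip()))
    return found


def check_payment_page(headers: dict, html: str, fetched_bodies: dict,
                       inventory: dict = INVENTORY, baseline: dict = BASELINE_HEADERS) -> list:
    """Compare one observed snapshot of the payment page with the inventory and the
    header baseline. Returns a list of findings; an empty list means no change."""
    findings = []
    observed = {k.lower(): v for k, v in headers.items()}
    for name, expected in baseline.items():
        if observed.get(name) != expected:
            findings.append(f"header changed: {name}: {expected!r} -> {observed.get(name)!r}")
    for src, body in extract_scripts(html):
        if src is None:
            digest = sri_hash(body.encode())
            if digest not in inventory["inline"]:
                findings.append(f"unauthorized inline script ({digest})")
            continue
        entry = inventory["external"].get(src)
        if entry is None:
            findings.append(f"unauthorized external script: {src}")
            continue
        content = fetched_bodies.get(src)
        if content is None:
            findings.append(f"could not retrieve {src} for integrity check")
            continue
        actual = sri_hash(content)
        if actual != entry["integrity"]:
            findings.append(f"integrity mismatch for {src}: expected {entry['integrity']}, got {actual}")
    return findings


def build_page(extra_html: str = "") -> str:
    """Constructed checkout page that hosts the TPSP iframe."""
    integrity = INVENTORY["external"][CHECKOUT_URL]["integrity"]
    return (
        "<html><body>\n"
        '<iframe src="https://pay.example-psp.test/frame"></iframe>\n'
        f'<script src="{CHECKOUT_URL}" integrity="{integrity}" crossorigin="anonymous"></script>\n'
        f"<script>{INLINE_BOOT}</script>\n"
        f"{extra_html}\n</body></html>"
    )


def run_demo() -> tuple:
    """Two weekly snapshots: an unchanged page, then one with three unauthorized changes."""
    clean = check_payment_page(BASELINE_HEADERS, build_page(), {CHECKOUT_URL: CHECKOUT_JS})
    # Tampered snapshot: CSP header dropped, an uninventoried script added,
    # and the inventoried library's body changed on the CDN.
    tampered_headers = {k: v for k, v in BASELINE_HEADERS.items() if k != "content-security-policy"}
    tampered_html = build_page('<script src="https://static.unknown-cdn.test/extra.js"></script>')
    tampered_bodies = {CHECKOUT_URL: CHECKOUT_JS + b"// unexpected change\n"}
    return clean, check_payment_page(tampered_headers, tampered_html, tampered_bodies)


if __name__ == "__main__":
    for label, findings in zip(("baseline", "tampered"), run_demo()):
        print(label, findings or "no changes detected")
```

Each finding maps to an item the requirement text names: a header change, a script not in the authorized inventory, and an inventoried script whose content no longer matches its recorded integrity value. The same `integrity` values can be placed on the `<script>` tags (SRI) and the CDN host listed in the CSP `script-src` directive, so the browser enforces on every page load what the monitor verifies weekly.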
PCI DSS Section 12
- Annual scope confirmation process more formal, moved out of introduction (12.5.2) (now)
- Every 6 months for Service Provider (12.5.2.1) (2025)
- Regular Data Discovery technology needed for above tasks (12.5.2)
- Exercise incident response as soon as PAN detected where not expected (12.10.7) (2025)
- Require employee training on Phishing and Social Engineering (12.6.3.1)
New PCI v4 service provider-only requirements
- (3.3.3) SAD stored by issuers is encrypted using strong cryptography.
- (3.6.1.1) A documented description of the cryptographic architecture includes prevention of the use of cryptographic keys in production and test environments.
- (8.3.10.1) If passwords/passphrases are the only authentication factor for customer user access, passwords/passphrases are changed at least every 90 days, or the security posture of accounts is dynamically analyzed to determine real-time access to resources.
- (11.4.7) Multi-tenant service providers support their customers for external penetration testing.
- (11.5.1.1) Covert malware communication channels are detected, alerted on and/or prevented, and addressed via intrusion-detection and/or intrusion-prevention techniques.
- (12.5.2.1) PCI DSS scope is documented and confirmed at least once every six months and upon significant changes.
- (12.5.3) The impact of significant organizational changes on PCI DSS scope is documented and reviewed and results are communicated to executive management.
- (12.9.2) TPSPs support customers’ requests to provide PCI DSS compliance status and information about PCI DSS requirements that are the responsibility of the TPSP.
- Appendix A1: Additional PCI DSS Requirements for Multi-Tenant Service Providers
  - (A1.1.1) The multi-tenant service provider confirms access to and from customer environments is logically separated to prevent unauthorized access.
  - (A1.1.4) The multi-tenant service provider confirms the effectiveness of the logical separation controls used to separate customer environments at least once every six months via penetration testing.
  - (A1.2.3) The multi-tenant service provider implements processes or mechanisms for reporting and addressing suspected or confirmed security incidents and vulnerabilities.
Tips to Start PCI v4.0.1 compliance
While there is plenty of time to prepare for v4.0, start your transition to the PCI v4.0.1 requirements early. You can move to the v4 SAQ now, while working to implement future-dated requirements over the next year.
1. Get up to speed on PCI v4.0.1 changes
- Read the Changes Document
- Read Introductory sections (e.g., scoping, definitions, Business as usual section)
- Review whole standard, including changes in the guidance columns
- Read PCI DSS v4 blogs and white papers
- Talk to a QSA about PCI v4.0.1
- Make a list of future-dated requirements that will affect you
2. Prepare for your PCI v4.0.1 assessment
- Document and confirm your PCI scope annually (to ensure all flows and locations of cardholder data are taken into account)
- Work with a QSA to get a v4.0.1 gap analysis
- Consider working with a QSA or third party on your annual targeted risk assessment for each PCI requirement
- Note: The Customized Approach will be a bigger lift than the Defined Approach; mature IT and risk organizations are needed to implement it.
- If you do decide to use the Customized Approach, you need to start your preparation now.
- Find and test solutions for future-dated requirements before 2025
How can SecurityMetrics help?
Simplifying your merchants' SAQ process
Our support team has already mapped the new PCI version 4 questions. When you fill out the PCI v4 SAQ with SecurityMetrics, you won’t need to re-fill out the entire SAQ again.
Providing your merchants with compliance tools
We also have a variety of security and compliance products for merchants from level one to level four.
For example, the SecurityMetrics Shopping Cart Monitor can be used to help meet the intent of the new requirements 6.4.3 and 11.6.1.
Receive the most up-to-date education
SecurityMetrics has produced a number of educational materials about PCI DSS v4.0 for you to reference. We’ll also continue creating content to help you know what requirements you should focus on to achieve compliance with PCI DSS version 4.0.
We’re here to help you, so feel free to reach out to us with any questions!