What are the key changes in the PCI DSS v4.0 validation documents?

Changes in the PCI DSS v4.0 validation documents

If you use an Adyen encrypted solution, such as the Online payments integration or the In-person payments integration, the key changes in the new version of PCI DSS are listed below. These requirements are in scope for merchants who accept credit card payments and assess against PCI DSS version 4.0.

SAQ A

  • New password and expanded multi-factor authentication (MFA) requirements (Requirement 8): Multi-factor authentication is strongly recommended for all system components, as an extra layer of security against account data compromise. Where MFA is not implemented and a password/passphrase is the only sign-in method, the password/passphrase must be changed at least once every 90 days. Alternatively, merchants may implement a customized approach that grants access to system components on a case-by-case basis, based on the security setup of those accounts.
  • Security awareness (Requirement 6): Merchants are required to stay up to date with alerts and information on new security vulnerabilities from international and local computer emergency response teams (CERTs).
  • Quarterly external vulnerability scans (Requirement 11): Merchants accepting e-commerce payments are required to perform, or to have documented policies and procedures requiring, external vulnerability scans by PCI SSC Approved Scanning Vendors (ASVs) at least once every three months and after any significant change in the payment environment. Four passing scans within the first 12 months are not initially required, but in subsequent years passing scans at least every three months are mandatory. This requirement is effective immediately.
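The Requirement 8 points above (90-day rotation when a password is the only factor) and the future-dated minimum-length rule described later on this page (12 characters, or 8 where the system cannot support 12, with both letters and digits) can be expressed as a policy check. The following Python is an added example for this page and is not Adyen's or the PCI SSC's code; the account records and dates are constructed, and the check runs on password metadata, not on stored passwords.

```python
"""Password/rotation policy check modelled on the PCI DSS v4.0 Requirement 8 text on this page.
Added example, not Adyen code. Account data below is constructed."""
from dataclasses import dataclass
from datetime import date

MAX_PASSWORD_AGE_DAYS = 90   # rotation period when a password is the sole sign-in factor
PREFERRED_MIN_LENGTH = 12    # v4.0 minimum (future-dated; best practice until 31 March 2025)
FALLBACK_MIN_LENGTH = 8      # permitted only where the system cannot support 12 characters


@dataclass
class AccountRecord:
    """Metadata about an account on a system component. No secret material is kept here."""
    name: str
    mfa_enabled: bool
    last_password_change: date
    system_supports_12_chars: bool = True


def check_new_password(candidate: str, system_supports_12_chars: bool = True) -> list[str]:
    """Run at password-set time on the candidate value. Returns a list of policy findings."""
    findings = []
    min_len = PREFERRED_MIN_LENGTH if system_supports_12_chars else FALLBACK_MIN_LENGTH
    if len(candidate) < min_len:
        findings.append(f"length {len(candidate)} is below the minimum of {min_len}")
    if not any(ch.isalpha() for ch in candidate):
        findings.append("no alphabetic character")
    if not any(ch.isdigit() for ch in candidate):
        findings.append("no numeric character")
    return findings


def check_rotation(last_changed: date, today: date, mfa_enabled: bool) -> list[str]:
    """The 90-day change interval applies only where MFA is not in place."""
    if mfa_enabled:
        return []
    age_days = (today - last_changed).days
    if age_days > MAX_PASSWORD_AGE_DAYS:
        return [f"password age {age_days} days exceeds {MAX_PASSWORD_AGE_DAYS} days"]
    return []


def review_accounts(accounts: list[AccountRecord], today: date) -> dict[str, list[str]]:
    """Map each non-compliant account name to its rotation findings."""
    report = {}
    for acct in accounts:
        findings = check_rotation(acct.last_password_change, today, acct.mfa_enabled)
        if findings:
            report[acct.name] = findings
    return report


if __name__ == "__main__":
    # Constructed sample: one account with MFA, one relying on a stale password.
    sample = [
        AccountRecord("admin-console", mfa_enabled=True, last_password_change=date(2023, 6, 1)),
        AccountRecord("pos-backoffice", mfa_enabled=False, last_password_change=date(2024, 1, 1)),
    ]
    print(review_accounts(sample, today=date(2024, 4, 1)))
    print(check_new_password("abc12345678"))          # too short for a 12-character system
    print(check_new_password("abcd1234", system_supports_12_chars=False))  # acceptable fallback
```

The check deliberately separates complexity (evaluated once, when a password is set) from rotation (evaluated on metadata during periodic review), so that no password material is ever held by the review job.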

SAQ B-IP for In-Person Payments (IPP)

  • Security update for IPP devices (Requirement 6): If the merchant controls what device update is installed, security patches are required to be managed and installed on the payment terminal according to the severity and impact of the vulnerability identified.

SAQ B-IP for MOTO on IPP Device

  • Security update for IPP devices (Requirement 6): If the merchant controls which device updates are installed, security patches are required to be managed and installed on the payment terminal according to the severity and impact of the identified vulnerability.
  • Access control (Requirement 7): This requirement limits temporary access to cardholder data in the MOTO payment flow according to employees’ job classification and function. Individuals must only be assigned user rights when those rights are needed to perform their job.

SAQ C-VT for MOTO on Virtual Terminals

  • Access control (Requirement 7): Much like MOTO on IPP devices, this requirement for MOTO completed via virtual terminals limits temporary access to cardholder data in the MOTO payment flow according to employees’ job classification and function. Individuals must only be assigned user rights when those rights are needed to perform their job.

Future Dated Changes

The following requirements are best practice until March 31, 2025 and may be marked ‘Not Applicable’ in a merchant’s assessment. They are only fully in scope for assessments performed after this date.

SAQ A

  • New password requirement: Unlike the minimum of 7 characters in version 3.2.1, a minimum length of 12 characters (or, if the system does not support 12 characters, a minimum length of eight characters), containing both numeric and alphabetic characters, will be required for system components.
  • Monitor the integrity of payment page content (Requirements 6 & 11): To reduce the risk of man-in-the-middle attacks, merchants are required to have a procedure in place (such as a change- or tamper-detection mechanism or technology) to monitor and confirm the integrity of the payment page’s HTTP headers and scripts, including pages containing the TPSP’s inline frame (iframe), as executed on the merchant’s website or web application.
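One way to implement the change/tamper-detection procedure described in the last bullet is to capture a known-good inventory of the payment page (the script tags it loads, hashes of its inline scripts, and the security-relevant response headers) at deployment time and diff each later observation against it. The Python below is an added example for this page, not Adyen's or any PCI SSC-endorsed tool; the HTML, headers and the `psp.example` / `unknown-host.example` hostnames are constructed, and the "tampered" sample simply adds an unexpected script and drops a header so the comparison has something to report.

```python
"""Payment page inventory diff for tamper detection (Requirements 6 & 11 style).
Added example, not Adyen code. All HTML, headers and hostnames below are constructed."""
import hashlib
from html.parser import HTMLParser

# Response headers worth pinning on a payment page. Constructed list for this example.
WATCHED_HEADERS = ("content-security-policy", "x-frame-options", "strict-transport-security")


class ScriptCollector(HTMLParser):
    """Collects external script src values and inline script bodies from a page."""

    def __init__(self):
        super().__init__()
        self.external = []      # src attribute of each <script src=...>
        self.inline = []        # body text of each inline <script>
        self._in_inline = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)
        else:
            self._in_inline = True
            self._buf = []

    def handle_data(self, data):
        if self._in_inline:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_inline:
            self.inline.append("".join(self._buf))
            self._in_inline = False


def sha256_hex(text: str) -> str:
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def snapshot(html: str, headers: dict) -> dict:
    """Reduce one observed page to the facts we compare: script set, inline hashes, pinned headers."""
    parser = ScriptCollector()
    parser.feed(html)
    parser.close()
    return {
        "external": sorted(set(parser.external)),
        "inline": sorted(sha256_hex(body.strip()) for body in parser.inline),
        "headers": {k.lower(): v for k, v in headers.items() if k.lower() in WATCHED_HEADERS},
    }


def compare(baseline: dict, current: dict) -> list[str]:
    """Return human-readable findings; an empty list means no change from the baseline."""
    findings = []
    for src in sorted(set(current["external"]) - set(baseline["external"])):
        findings.append(f"unexpected external script: {src}")
    for src in sorted(set(baseline["external"]) - set(current["external"])):
        findings.append(f"expected script missing: {src}")
    if current["inline"] != baseline["inline"]:
        findings.append("inline script content changed")
    for name in WATCHED_HEADERS:
        if baseline["headers"].get(name) != current["headers"].get(name):
            findings.append(f"header changed: {name}")
    return findings


# Constructed known-good page and headers, as captured at go-live.
KNOWN_GOOD_HTML = """<html><head>
<script src="https://psp.example/checkout.js"></script>
<script>window.checkoutConfig = {"env": "live"};</script>
</head><body><iframe src="https://psp.example/hosted-fields"></iframe></body></html>"""
KNOWN_GOOD_HEADERS = {
    "Content-Security-Policy": "script-src 'self' https://psp.example",
    "X-Frame-Options": "SAMEORIGIN",
}

# Constructed later observation: one extra script tag, and the CSP header is gone.
TAMPERED_HTML = KNOWN_GOOD_HTML.replace(
    "</head>", '<script src="https://cdn.unknown-host.example/loader.js"></script></head>')
TAMPERED_HEADERS = {"X-Frame-Options": "SAMEORIGIN"}


def run_check() -> list[str]:
    """Diff the tampered observation against the known-good baseline."""
    baseline = snapshot(KNOWN_GOOD_HTML, KNOWN_GOOD_HEADERS)
    return compare(baseline, snapshot(TAMPERED_HTML, TAMPERED_HEADERS))


if __name__ == "__main__":
    for line in run_check():
        print("FINDING:", line)
```

In production the observation would come from a scheduled fetch of the live payment page as a customer's browser would receive it (or from a browser-side reporting mechanism), and a non-empty finding list would raise an alert for the change-control process rather than just printing.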

For more information on transition to PCI DSS v4.0, visit Adyen’s PCI DSS compliance guide and our PCI DSS v4.0 compliance blog post.


The PCI DSS compliance guide

Find a handy glossary and all PCI DSS rules in Adyen Docs.
