The PCI Security Standards Council (PCI SSC) has published an update to the Payment Card Industry Data Security Standard (PCI DSS), releasing PCI version 4.0.1. This revision, which follows the release of PCI DSS v4.0 in March 2022, aims to address stakeholder feedback and clarify the focus and intent of some of the requirements and guidance. Most importantly, PCI v4.0.1 does not introduce new requirements or remove existing ones.
Key Points of PCI v4.0.1
- Stakeholder Engagement: The PCI SSC Board of Advisors, the Global Executive Assessor Roundtable, and Principal Participating Organizations through a Technology Guidance Group reviewed the changes. This feedback process occurred during a Request for Comments (RFC) period from December 2023 to January 2024.
- Feedback Summary: A summary of the RFC feedback is available to participants through the PCI SSC portal.
- Clarifications and Corrections: The update includes corrections to formatting and typographical errors and clarifies the intent and focus of certain requirements and guidance.
- Detailed Changes: For a comprehensive list of changes, refer to the "Summary of Changes from PCI DSS v4.0 to v4.0.1" in the PCI SSC Document Library.
What Contact Centers Need to Know
With PCI DSS v4.0.1, contact centers should be aware of updates and incorporate them into their compliance strategies. Here’s what you need to focus on:
- Timeline Updates: PCI DSS v4.0 will be retired on 31 December 2024. After that point, PCI DSS v4.0.1 will be the only active version of the standard supported by PCI SSC. BPOs and contact centers must continue to work towards implementing future-dated requirements as soon as possible to avoid last-minute issues come March 2025.
- Proactive Implementation: While PCI DSS v4.0.1 doesn't introduce new requirements, it does clarify existing ones. Reviewing these clarifications is essential to ensure your compliance efforts are aligned with the updated standards.
Focus on Requirement 8 and MFA
PCI v4.0.1 provides clarifications and guidance in five areas within Requirement 8:
- 8.3.9: Clarifies that this requirement does not apply to in-scope system components where MFA is used.
- 8.4.1: Moves from Applicability Note to Good Practice, indicating that MFA is a best practice for non-console administrative access to in-scope system components that are not part of the CDE.
- 8.4.2: Clarifies that the requirement is for all “non-console” access into the CDE, with an Applicability Note that this does not apply to user accounts authenticated with phishing-resistant authentication factors.
- 8.4.3: Clarifies that this requirement applies to “remote access” and moves the details about which types of remote access are included into an Applicability Note. Adds “third parties” to the testing procedure.
- 8.5.1: Adds a definition for a replay attack and examples of methods to protect against such attacks.
Stay Informed
Organizations should regularly check the PCI SSC Document Library for further revisions or guidance so that their compliance efforts stay current. Contact centers can better navigate the transition to PCI v4.0.1 by staying proactive and informed about these changes.
For the most up-to-date information on PCI and its impact on contact centers, subscribe to the Twosense blog and follow us on LinkedIn. Our expert insights and updates will keep you informed and ahead of the curve!