March 2025 Requirements
PCI DSS v4.0.1
Future-Dated “Best Practices”
November, 2024
Agenda
© ControlCase. All Rights Reserved.
 Welcome & About ControlCase
 About the v4.0.1 Update
 About the New Requirements and Timeline
 Get Involved!
Housekeeping
Presenters:
Sandeep Joshi – VP Business Development
Yew Kuann Cheng – Regional Vice President, PCI Security Standards Council
Chad Leedy – Director, Strategic Accounts – Retail, ControlCase
Pramod Deshmane – Sr. Vice President Americas Certification, ControlCase
About ControlCase
ControlCase Overview – Best-in-Class Compliance Platform
 ControlCase is revolutionizing the way enterprises and organizations deal with the numerous and frequently changing IT compliance and regulatory requirements
 Proprietary software, including appliance and SaaS solutions, that enables CaaS (GRC and Data Discovery)
 Compelling proprietary offering combining proprietary software, certification/audits, and managed services on a single platform
 One Audit™ enables our clientele to Assess Once. Comply to Many.
 Leadership positions in the PCI DSS, SOC 2, ISO 27001, HIPAA, HITRUST, FedRAMP and CMMC domains
 Serving over 1,000 customers
 Global footprint with offices in the U.S., LATAM, Europe, Australia, India, Canada, and UAE
 Leverages an offshore delivery infrastructure for competitive advantage
 IT compliance manager for multiple industry segments including banking, service providers, retail, hospitality, and telecom
Global Vision & Solutions Enhancement: Provider of Compliance as a Service (CaaS) subscription-based offering bundling proprietary GRC software and managed services. Founded in 2004. Headquartered in Fairfax, VA. Offices in U.S., Canada, Australia, India. 250+ employees.
ControlCase Snapshot
CERTIFICATION AND CONTINUOUS COMPLIANCE SERVICES
Go beyond the auditor’s checklist to dramatically reduce the time, cost, and burden of maintaining IT compliance and becoming certified:
• Demonstrate compliance more efficiently and cost-effectively (cost certainty)
• Free up your internal resources to focus on other priorities
• Offload much of the compliance burden to a trusted compliance partner
• Improve efficiencies by doing more with fewer resources and gain compliance peace of mind
1,000+ CLIENTS | 10,000+ IT SECURITY CERTIFICATIONS | 275+ SECURITY EXPERTS
ControlCase Snapshot – Solution
Certification and Continuous Compliance Services (Partnership Approach): IT Certification Services + Continuous Compliance Services = Compliance HUB
Certification Services – One Audit: Assess Once. Comply to Many.
PCI DSS, ISO 27001 & 27002, SOC 1, 2, 3 & SOC for Cybersecurity, HIPAA, MARS-E, PCI P2PE, GDPR, NIST 800-53, PCI PIN, PCI SSF/SLC, CSA STAR, HITRUST CSF
Our Team
Headquartered in Fairfax, VA, ControlCase operates in 16 countries to service our global clientele.
Full-Time Employees: 379
ControlCase Team Locations: Australia, Bangladesh, Belgium, Canada, Colombia, Egypt, India, Indonesia, Jordan, Philippines, Saudi Arabia, Senegal, Tunisia, United Kingdom, United States, Vietnam
Languages Spoken: English is our main delivery language. Additionally, our team communicates in Spanish, French, German, Arabic, Marathi, Hindi, Vietnamese, Indonesian and more.
About the v4.0.1 Update
PCI DSS v4.0.1 Implementation Timeline*
2022: Official release of PCI DSS v4.0 with validation documents; ISA/QSA training and supporting documents
2022 to 31 March 2024: Transition period from PCI DSS v3.2.1 to v4.0
2022 to 31 March 2025: Implementation of future-dated new requirements
31 March 2024: PCI DSS v3.2.1 retired
June 2024: PCI DSS v4.0.1 published
31 March 2025: Future-dated new requirements become effective
* All dates based on current projections and subject to change
Highlights
• PCI DSS v4.0.1 has been released; v4.0 will be retired on 31 Dec 2024.
• There are no new requirements in PCI DSS v4.0.1; review the Summary of Changes.
• Future-dated requirements will have to be adopted from 1 April 2025.
PCI DSS v4.0.1 Revision – Key Updates Summary
• Clarifications and Typos:
  • The new release corrected typographical and other minor errors (including formatting errors, missing headers, etc.) from PCI DSS v4.0.
  • The new release also clarifies the focus and intent of some of the requirements and guidance.
• Requirement 3
  • Clarified Applicability Notes for issuers and companies that support issuing services.
  • Added a Customized Approach Objective and clarified applicability for organizations using keyed cryptographic hashes to render Primary Account Numbers (PAN) unreadable.
• Requirement 6
  • Reverted to PCI DSS v3.2.1 language that installing patches/updates within 30 days applies only for “critical vulnerabilities.”
  • Added Applicability Notes to clarify how the requirement for managing payment page scripts applies.
PCI DSS v4.0.1 Revision – Key Updates Summary (continued)
• Requirement 8
  • Added an Applicability Note that multi-factor authentication for all (non-administrative) access into the CDE does not apply to user accounts that are only authenticated with phishing-resistant authentication factors.
• Requirement 12
  • Updated Applicability Notes to clarify several points about relationships between customers and third-party service providers (TPSPs).
PCI DSS Future-Dated New Requirements
PCI DSS – Key Future-Dated New Requirements
• Encryption of Sensitive Authentication Data (SAD) – Req 3.2.1 & 3.3.2
  • All sensitive authentication data, if stored before authorization, must be stored encrypted using strong cryptography. This requirement applies to all storage of SAD, even if no PAN is present in the environment.
• Disk-level or partition-level encryption only acceptable for removable media – Req 3.5.1.2
  • Disk-level or partition-level encryption can only be used for removable media (e.g., a USB drive, an external SSD). Organizations can no longer use it on any kind of non-removable media.
• Phishing Attack Protection – Req. 5.4.1
  • Organizations are required to implement an automated phishing protection mechanism to detect and protect personnel against phishing attacks. This measure supports the defenses against social engineering threats, reducing potential vectors for malware and ransomware attacks.
PCI DSS – Key Future-Dated New Requirements (continued)
• Automated Technical Solution for Web Application Security – Req 6.4.2
  • Organizations must implement an automated technical solution for public-facing web applications that continually detects and prevents web-based attacks; manual application review will no longer be allowed.
• Managing Payment Page Scripts – Req 6.4.3
  • Organizations must maintain an inventory of all scripts on their e-commerce payment pages. This includes ensuring the integrity of each script to prevent unauthorized modifications and verifying that each script is authorized and that its execution is accounted for.
• Expanded Use of Multi-Factor Authentication (MFA) – Req. 8.4.2
  • PCI DSS v4.0 expands the requirement for multi-factor authentication (MFA). In earlier versions, MFA was required only for administrators accessing the cardholder data environment (CDE) remotely. Now, MFA is required for all access to the CDE, including access by internal users.
• Password Length Requirements – Req 8.3.6
  • To strengthen passwords, the minimum password length is raised from 7 to 12 alphabetic and numeric characters, or a minimum of 8 characters if the system does not support 12 characters.
• Application and System Accounts Management – Req 8.6.1, 8.6.2, 8.6.3
  • PCI DSS v4.0 introduced security controls for the management of interactive/non-interactive application and system accounts and for the secure handling of passwords/passphrases for such accounts.
PCI DSS – Key Future-Dated New Requirements (continued)
• Automated Log Reviews – Req 10.4.1.1
  • Organizations must implement automated mechanisms to perform audit log reviews; manual reviews are no longer permitted. Organizations are expected to consider event log analyzers and security information and event management (SIEM) solutions to support the automated log review process.
• Authenticated Vulnerability Scanning – Req 11.3.1.2
  • Quarterly internal vulnerability scans must be performed via authenticated scanning for all in-scope systems, except for system components that cannot accept credentials for scanning. The credentials used for these scans should be considered highly privileged and must be protected and controlled.
• Detect Changes to HTTP Headers & Payment Pages – Req 11.6.1
  • Organizations must implement a change- and tamper-detection mechanism for payment pages to protect against e-commerce skimming attacks. The control requires alerting on unauthorized modification (including indicators of compromise, changes, additions, and deletions) of the security-impacting HTTP headers and the script contents of payment pages.
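The script-inventory control (Req 6.4.3, previous slide) and the header/script tamper-detection control (Req 11.6.1, above) share one mechanism: a recorded, authorized baseline that every later observation of the payment page is compared against. The following is an added Python example written for this page; it is not ControlCase's or the PCI SSC's code and does not describe any particular product. It assumes a small baseline layout of its own, a starting list of security-impacting response headers (each entity defines its own), and a constructed sample page and header set; fetching the live page and its external scripts is left to the caller, who passes the observed headers and a `fetch` callable.

```python
"""Payment-page script inventory and tamper check (added example, not the page's own code).
Models Req 6.4.3 (inventory of authorized scripts with integrity verification) and
Req 11.6.1 (alert on unauthorized changes to security-impacting headers and script content).
Header list, baseline layout and sample data are assumptions made for this example."""
import hashlib
import re
from dataclasses import dataclass

# Assumed starting set of security-impacting response headers; an entity defines its own.
SECURITY_HEADERS = ("content-security-policy", "strict-transport-security",
                    "x-frame-options", "x-content-type-options")
SCRIPT_RE = re.compile(r"<script\b([^>]*)>(.*?)</script>", re.IGNORECASE | re.DOTALL)
SRC_RE = re.compile(r"""\bsrc\s*=\s*["']([^"']+)["']""", re.IGNORECASE)


def sha256_hex(text: str) -> str:
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


@dataclass
class Finding:
    kind: str    # "header" or "script"
    item: str    # header name or script identifier
    change: str  # "added", "removed" or "modified"


def extract_scripts(html: str, fetch) -> dict:
    """Return {identifier: body}. External scripts are keyed by src URL and their body comes
    from fetch(url); inline scripts are keyed by position as 'inline:<n>', so a reordered
    inline script shows up as modified (plus an added one), which still raises an alert."""
    scripts, inline_n = {}, 0
    for attrs, body in SCRIPT_RE.findall(html):
        src = SRC_RE.search(attrs)
        if src:
            scripts[src.group(1)] = fetch(src.group(1)) or ""
        else:
            inline_n += 1
            scripts[f"inline:{inline_n}"] = body.strip()
    return scripts


def build_baseline(headers: dict, scripts: dict, justification: dict) -> dict:
    """Record the authorized state: a hash of each security header value and, per script,
    its hash plus the written justification. A script with no authorization record is
    refused, so nothing enters the 6.4.3 inventory by accident."""
    missing = sorted(s for s in scripts if s not in justification)
    if missing:
        raise ValueError(f"scripts without an authorization record: {missing}")
    return {
        "headers": {h: sha256_hex(v) for h, v in headers.items() if h in SECURITY_HEADERS},
        "scripts": {s: {"sha256": sha256_hex(b), "why": justification[s]}
                    for s, b in scripts.items()},
    }


def check_page(headers: dict, scripts: dict, baseline: dict) -> list:
    """Compare a fresh observation of the page with the baseline; one Finding per
    unauthorized addition, removal or modification (the alerting condition of 11.6.1)."""
    seen_headers = {h: sha256_hex(v) for h, v in headers.items() if h in SECURITY_HEADERS}
    seen_scripts = {s: sha256_hex(b) for s, b in scripts.items()}
    expected_scripts = {s: r["sha256"] for s, r in baseline["scripts"].items()}
    return (_diff("header", baseline["headers"], seen_headers)
            + _diff("script", expected_scripts, seen_scripts))


def _diff(kind: str, expected: dict, observed: dict) -> list:
    out = []
    for name in sorted(set(expected) | set(observed)):
        if name not in observed:
            out.append(Finding(kind, name, "removed"))
        elif name not in expected:
            out.append(Finding(kind, name, "added"))
        elif expected[name] != observed[name]:
            out.append(Finding(kind, name, "modified"))
    return out


# --- constructed sample data (not a real merchant page or CDN) ---
EXTERNAL = {"https://cdn.example.test/checkout.js": "function pay() { /* authorized */ }"}
PAGE_HTML = """<html><head>
<script src="https://cdn.example.test/checkout.js"></script>
<script>window.cfg = {currency: "USD"};</script>
</head><body><form id="card"></form></body></html>"""
GOOD_HEADERS = {
    "content-security-policy": "default-src 'self'; script-src 'self' https://cdn.example.test",
    "strict-transport-security": "max-age=31536000",
    "x-frame-options": "DENY",
    "content-type": "text/html",  # not in SECURITY_HEADERS, so not baselined
}
JUSTIFY = {"https://cdn.example.test/checkout.js": "payment form logic; owner: payments team",
           "inline:1": "page configuration; owner: web team"}


def demo() -> list:
    """Baseline the clean page, then check a later observation in which the CSP was
    loosened and an inline script that is not in the inventory appeared."""
    baseline = build_baseline(GOOD_HEADERS, extract_scripts(PAGE_HTML, EXTERNAL.get), JUSTIFY)
    later_html = PAGE_HTML.replace("</head>", "<script>/* not in inventory */</script></head>")
    later_headers = {**GOOD_HEADERS, "content-security-policy": "default-src *"}
    return check_page(later_headers, extract_scripts(later_html, EXTERNAL.get), baseline)


if __name__ == "__main__":
    for f in demo():
        print(f"ALERT {f.kind} {f.change}: {f.item}")
```

Run as a script, `demo()` reports two alerts: the Content-Security-Policy value was modified and a second inline script was added. The same comparison covers the removal case (a baselined script or header that disappears), and `build_baseline` refuses to record a script that has no written justification, which is the inventory discipline 6.4.3 asks for. In production the observation would be taken on a schedule from outside the CDE, and the baseline updated only through the change-control process, so that an approved change and a tamper event are distinguishable.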
PCI DSS – Key Future-Dated New Requirements (continued)
• Targeted Risk Analysis – Req. 12.3.1
  • PCI DSS v4.0 introduces a focus on targeted risk analysis for specific security controls. This means organizations are required to perform a risk analysis for certain requirements, which allows flexibility in how they implement the controls based on their specific risk environment.
• Semi-annual Scoping Review (for Service Provider Organizations) – Req 12.5.2.1
  • Service providers are now required to perform the scoping documentation review at least every 6 months and upon significant change to the in-scope environment.
• Security Awareness Program Annual Review to Include New Threats and Vulnerabilities – Req 12.6.2, 12.6.3.1
  • Organizations are required to update their security awareness program annually to address any new threats and vulnerabilities that may impact the security of their CDE, and to include topics such as phishing and related attacks and social engineering.
ControlCase – PCI DSS Assessment Options
Option 1 – PCI DSS v4.0.1 New Requirements Assessment
• The client environment will be assessed only for applicable PCI DSS v4.0.1 future-dated new requirements.
• For the New Requirements Assessment, ControlCase Compliance Hub will have a total of 37 questions, which cover only the future-dated new requirements.
• The assessment will take only a few weeks to complete.
Deliverables
• PCI DSS v4.0.1 New Requirements Assessment Report with an update on:
  • Status of future-dated controls readiness
  • Remediation guidance for not-in-place requirements
Option 2 – PCI DSS v4.0.1 Assessment
• The client environment will be assessed against PCI DSS v4.0.1 for a full Gap or Certification assessment.
• For the PCI DSS v4.0.1 assessment, the Compliance Hub will have a total of 100 or 105 questions (based on the entity type).
Deliverables
• PCI DSS v4.0.1 Full Gap Assessment Report, OR
• PCI DSS v4.0.1 ROC, AOC, COC
Get Involved
Participating Organization Program
Membership levels (expanding influence): Individual (Anyone Can Be a Member), Associate, Principal
2024 Events
• North America – 10-12 September, Boston, Massachusetts
• Europe – 8-10 October, Barcelona, Spain
• Asia-Pacific – 20-21 November, Hanoi, Vietnam
Q&A
THANK YOU
Contact Info:
Yew Kuann Cheng
ycheng@pcisecuritystandards.org
Pramod Deshmane
pdeshmane@controlcase.com
Chad Leedy
cleedy@controlcase.com
Sandeep Joshi
sajoshi@controlcase.com
ControlCase PCI v4.0.1 Webinar Future Dates Requirements