PCI DSS 4.0 Is Coming. Will You Be Ready?

Since the release of PCI-DSS 3.0 in 2013, the PCI Security Standards Council has been quite busy.  A little over a year after it was published, the council released PCI-DSS 3.1, followed by several new templates and supplements, including the “Migrating from SSL and early TLS Information Supplement” in April 2015 which highlighted the risks of SSL and TLS 1.0.  The supplement described a migration plan as well as set a migration deadline of 1 July, 2016.

That migration deadline caused concern because SSL is so widely utilized in the payments industry. Organizations felt the tight deadline could significantly disrupt business. On the other hand, so can a data breach.  The PCI Security Standards Council took notice and in April 2016, released PCI-DSS 3.2, which extended the migration deadline to 2018.  Version 3.2 also clarified previous requirements and introduced new requirements around Personal Account Numbers (PAN) Masking and Multi-Factor Authentication (MFA).

In 2018 PCI DSS version 3.2.1 replaced version 3.2 to account for effective dates and SSL/early TLS migration deadlines that had passed. No new requirements were added in PCI DSS 3.2.1.

If you’ve been following the standards over the last year, you may already know that PCI DSS 4.0 is right around the corner, due out in mid-to-late 2021.

PCI DSS 4.0 Revisions and Requirements

Version 4.0 is still going through review, but based on the current draft version, here are the anticipated  top 7 items:

  1. Revisions to best practices for passwords and MFA.
    • MFA may be required for ALL accounts, not just administrators.
    • Passwords for applications and systems must be changed every 12 months
    • Increased complexity in passwords/pass phrases – including comparison against a list of known bad passwords.
    • Vendor accounts only active when needed, and monitored when in use.
  2.  Encryption requirements expanded to all cardholder data, as well as scanning and detecting PANs every 12 months.
  3. Version 4.0 may be the customized approach that would allow organizations to design their own controls and implement them based on the intent of the requirements. This would allow companies more flexibility to adopt new technologies and security solutions and not have to wait for the standard to catch up.
  4. More details around testing requirements.  DESV (Designated Entities Supplemental Validation) requirements may be required for all entities, not just compromised entities.
  5. Possible enhancements to requirements for end user security awareness training.
  6. The requirement for monitoring updated to include tech advancements such as cloud environments.
  7. Malicious code is one of the biggest problems that financial institutions face. The new version of PCI DSS 4.0 specifically addresses this issue, with best practices and insight on how to fully protect network transmissions.


Password compromise is still the top attack vector and MFA is considered by most security and compliance experts as the best tool for preventing an unauthorized intrusion. MFA offers the best bang for the buck. Every entry point from mobile devices to PCs to web sites to servers either require MFA or will require it very soon.  The Reason:  Higher reliability of correctly authenticating access requests. Identity thieves may steal passwords or even fingerprints, but it’s less likely that they can steal 2 or more factors. Even better are factors which are single-use and /or valid for very short durations.

If you’re not already using multi-factor authentication in your HPE NonStop environment, XYPRO can help configure XYGATE User Authentication, to allow you to comply with these new and more stringent PCI DSS 4.0 requirements.

XYPRO is continuously dedicating extensive time and resources to evaluate how PCI DSS 4.0 affects the HPE NonStop Server ecosystem and its customers. These requirements will take effect soon. XYPRO recommends taking action to become compliant with the new standard before the mandatory deadline dates. This will ensure your organization has enough time for testing and deploying to production.

Please visit our website www.xypro.com for more information.

Steve Tcherchian, CISSP
Chief Product Officer and CISO
XYPRO Technology

Carol Gorst, PhD.
Manager. Business Analysis
XYPRO Technology