Preparing for the PCI 4.0 Implementation in the Retail environment
On March 31, 2025 the new PCI 4.0 requirements go into effect. These requirements were future-dated to give organizations time to prepare for adoption.
Since the PCI 2.0 retail design guide was published by Cisco in 2011, there hasn’t been an update as large as PCI 4.0. This update has a number of changes and, as such, has been phased in over two phases, starting in 2024. Overall, the tenets of the existing Cisco 2.0 retail design guide remain consistent, with a strengthening of requirements and the addition of newer technologies. Thus we will use the existing 2.0 framework as a baseline for discussing the new requirements in PCI 4.0. For a comprehensive overview of the requirements of the PCI DSS, as well as tools to meet them, this blog provides a bit more depth.
What is new in PCI 4.0?
New Security requirements
The need for ubiquitous multi-factor authentication is a large change. There is also a pervasive strengthening of authentication and password requirements, and new e-commerce and phishing requirements are added to the PCI guidance.
While not exhaustive, below are some of the new requirements added in PCI DSS 4.0.0 and 4.0.1.
- New requirements for hashing PAN and its usage on electronic media, as well as copy protection for remote access technologies
- New requirements on certificate usage for PAN transmission, to not allow expired or revoked certificates
- New requirements on malware and phishing
- New requirements for e-commerce websites and public-facing web applications
- New requirements for account review of user accounts, and the use of MFA for all access into the CDE
- New requirements on management of system accounts and encoding of passwords
- New requirements for audit tools for automated log reviews
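An added example (not from the original post or from Cisco) of the kind of automated log review the last items call for, run over constructed sample lines: it flags any successful login into the CDE that lacks MFA, and a burst of failed logins for one user on one host. The key=value log format, host names, users and the failure threshold are all assumptions made for this example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in an invented key=value authentication-log format.
SAMPLE_LOG = """\
2025-03-31T09:00:01Z user=alice host=pos-db-01 zone=CDE result=success mfa=yes
2025-03-31T09:00:15Z user=svc-batch host=pos-db-01 zone=CDE result=success mfa=no
2025-03-31T09:01:02Z user=bob host=wiki-01 zone=corp result=success mfa=no
2025-03-31T09:02:10Z user=mallory host=pos-app-02 zone=CDE result=fail mfa=no
2025-03-31T09:02:12Z user=mallory host=pos-app-02 zone=CDE result=fail mfa=no
2025-03-31T09:02:14Z user=mallory host=pos-app-02 zone=CDE result=fail mfa=no
2025-03-31T09:02:16Z user=mallory host=pos-app-02 zone=CDE result=fail mfa=no
2025-03-31T09:02:22Z user=mallory host=pos-app-02 zone=CDE result=success mfa=yes
"""

LINE_RE = re.compile(r"^(?P<ts>\d{4}-\d\d-\d\dT\d\d:\d\d:\d\dZ) (?P<kv>.*)$")

def parse_line(line):
    """Parse one log line into a dict, or return None for a malformed line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = dict(p.split("=", 1) for p in m.group("kv").split() if "=" in p)
    rec["ts"] = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ")
    return rec

def review_auth_log(text, fail_threshold=4, window=timedelta(minutes=5)):
    """Return (rule, user, host) findings.
    Rule 1: a successful login into the CDE zone without MFA.
    Rule 2: `fail_threshold` failures for one user/host inside `window`
            (the threshold is this example's own choice, not a PCI value)."""
    findings = []
    recent_failures = defaultdict(list)
    for raw in text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue  # skip malformed lines rather than mis-parse them
        key = (rec.get("user"), rec.get("host"))
        if rec.get("zone") == "CDE" and rec.get("result") == "success" and rec.get("mfa") != "yes":
            findings.append(("cde-access-without-mfa",) + key)
        if rec.get("result") == "fail":
            # sliding window: drop failures older than `window`, then add this one
            times = [t for t in recent_failures[key] if rec["ts"] - t <= window]
            times.append(rec["ts"])
            recent_failures[key] = times
            if len(times) == fail_threshold:  # fires once, when the threshold is reached
                findings.append(("failed-login-burst",) + key)
    return findings
```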
New policies and processes
Security requires technical controls, policy controls, and people. In every domain there is now a policy requirement and clearly defined roles, so that every aspect of each control can be met with clear ownership. This is a larger change overall to PCI and helps ensure internal governance of all aspects of PCI compliance.
Increased flexibility with the Customized approach
Technology has changed dramatically since the PCI standard was first released. With the adoption of more modern private and public cloud technologies, including event-driven architectures and container technologies, the standard needs to be flexible enough to adapt to new capabilities. Thus there is now flexibility: if a compensating control can adequately achieve a security objective, the new customized approach allows firms to innovate while still being compliant.
This is a pretty large change from prior PCI standards. The customized option allows retailers to investigate newer technologies that may not have the same form and function of control that traditional technologies have used. This is important when evaluating event-driven application architectures, AI tools, and modern cloud-native technologies, as it allows some flexibility to adopt modern technologies as customized controls. This topic is broad and outside the scope of this blog; the details are in the PCI standard, and a summary is in the Quick Reference Guide for PCI DSS 4.0.
Additional details on the requirements, and on security controls that can be used to help meet them, can be found here.
Derivative Changes
The requirement for wireless security has not changed. One aspect of wireless in PCI that differs from other technologies is that certain requirements (1.3.3, 9.2.3) apply to all wireless networks, even those outside the cardholder data environment. They don’t just apply to the store environments where wireless-attached card readers are present. The wireless network is the public-facing network with the largest attack surface in the retailer’s environment.
What is changing with regard to wireless is the standards themselves. While the PCI wireless supplement guidance from 2011 notes that WPA2 and later should be used, WPA3 was released in 2019 and WPA4 is on the horizon. In 2024, NIST published a transition guideline for post-quantum cryptographic protocols, with deprecation of the current protocols by 2030. This implies that within the coming years, retailers will be faced with upgrading their wireless networks to newer WPA technologies in order to maintain PCI compliance. Specifically, PCI requirement 4.2.1.2 requires that all wireless environments that support transmission of cardholder data “use industry best practices to implement strong cryptography for authentication and transmission”. As the industry best practice evolves, so must the retail environment.
Please reach out to your account team with questions, or for a demonstration of how Cisco technology is helping our largest retailers address these new requirements.