PCI DSS 4.0 | Deadline March 2025 The road to payment HSM migration

6 Feb

Explore seamless migration strategies and effective management practices in achieving the latest PCI DSS 4.0 standards for payment HSM.

Let’s dive in.

In today's world, keeping payment data safe is more crucial than ever. The way we protect payments is always changing, and Payment Card Industry Data Security Standard version 4.0 (known as PCI DSS 4.0) is leading the charge.

In essence, 4.0 is about making sure every single transaction is safe.

If you are new to PCI compliance for hardware security modules, The Payment Card Industry Security Standards Council has set the standard to meet by March 2025. We expect this is comfortable to achievable if you have a plan, and the right partners & stakeholder management in place. That is, comfortable for those who are planning 18-12 months out.

The shift from V3.2.1 to V4.0

"Encryption standards are rising, and data security threats are growing. The move from PCI DSS version 3 to version 4 is a crucial response to strengthen, protect, and defend payments using improved protocols.” says Terry Warren, CEO of A24.

A24 recently achieved PCI DSS 4.0 compliance for its Hardware Security Module as a Service (HSMaaS) offering, and is proudly the first global provider for the payments industry to achieve this benchmark standard for our clients. Read more on the blog

PCI DSS version 4 is here because cyber threats are continuing to grow and evolve in frequency, vector and complexity requiring stronger protection. An approach of minimising risk and impact through prioritising cybersecurity efforts and continuous improvement will keep you heading in the right direction.

The new PCI DSS version allows businesses to be more flexible in how they protect their data. The main focus is, staying secure all the time.

Approach your compliance with ease and confidence. Avoid common pitfalls with these strategies:

Gathering enough evidence: It can be challenging to know what evidence is needed. A clear plan can make this easier. Seeking advice from those who have gone before is a sure way to learn from their experience. Time spent upfront scoping will save you any unnecessary resource burnout or diversions.

Getting the right advice: It's important to get advice that really fits your business needs. Look for trusted experts that can assist you get straight to the point, and help you identify your scope.
Data sharing and redaction: Sharing customer data safely means securely protecting what you share and how. This is an important step in reaching compliance. We often come across the question of ‘how much is too much to share?’
Deciphering true requirements: It's best to involve your compliance, privacy and assurance teams as well as your tech team early to figure out exactly what you need to do. Make sure you are leaning into your internal team’s expertise early on for both knowledge sharing and stakeholder management.
Keeping documentation current: Keep your documentation and records up-to-date to show you have demonstrated procedures, as well as assured governance. Ensure you have systems and process around these to ensure business-as-usual (BAU) doesn’t surpass compliance as a way of doing business.

HSM compliance changes of note in PCI DSS 4.0

PCI DSS version 4.0 brings significant improvements, especially in how we secure the systems and networks that process our payments, and brings up-to-date HSM services.

Areas of note include:

Key loading devices & HSM remote administration platform requirements
Device management Information submitted by vendors
Cloud-based HSM as a Service
Multi-tenant usage security requirements

Achieve compliance within 12 Months

There are no shortcuts to compliance, however with a considered approach this is achievable, and may even help set your internal blueprint for a straightforward approach and confidently achieve (or maintain) your compliance. You can always seek assistance from external parties with complementary specialist skills for on-going HSM and compliance management.

To simplify the PCI compliance task, consider breaking it down into 5 core areas: People, Process, Partners, Technology, and General

1.For People:

Identify which people in your organisation are in scope of the PCI assessment.
Show that you have security awareness programs in place for your staff.
Ensure that people with access to the environment are secured, and are using secure access mechanisms.

2. For Process:

Prove that your processes are up-to-date with evidence from logs, ticketing systems, etc.
Demonstrate your policies, procedures and guidelines are in place.
Provide documentation exists for the in-scope environment. For Partners:

Work with your PCI Qualified Security Assessor (QSA) to agree on scope early on.
Leverage your vendor partners who supply your equipment to provide evidence of logs, and best practice hardening of equipment.

3. For Technology:

Have up-to-date documentation in place for the systems and network in scope e.g. hardening guides for your systems, configurations & vulnerabilities are managed.
Show that systems and networks are built to industry good practices.

4. For Partners:

Work with your PCI Qualified Security Assessor (QSA) to agree on scope early on.
Leverage your vendor partners who supply your equipment to provide evidence of logs, and best practice hardening of equipment.

5. For General:

PCI-DSS itself is a "bottom-up" compliance program i.e. it needs actual evidence in the different area to demonstrate compliance.
There are multiple core aspects that must be covered – systems, network, access, data protection, applications and integrations – and these vary according to your organisations scope.

Working with cardholder Data? What to consider?

Apply secure configurations to all system components
Protect stored account data
Protect cardholder data with strong cryptography during transmission over open, public networks
Develop and maintain secure systems and software
Restrict access to system components and cardholder data by business need to know
Identify users and authenticate access to system components
Restrict physical access to cardholder data
Log and monitor all access to system components and cardholder data
Support information security with organizational policies and programs

Making every single transaction safe by exploring the relationship between BYOE and Hardware Security Module, one example to consider is shown below in this diagram:

Handy advice from those who set the standards

Some handy pieces of advice we’d like to from the PCI Securities Standards Resources:

Continue to maintain and monitor all your existing PCI DSS security controls, even though your focus might be on implementing new requirements for version 4.0.  
If your organization is new to PCI DSS, consider using the defined approach for version 4.0 as it provides specific directions on how to meet security objectives. 
Once you understand the version 4.0 requirements, map them against your current security controls and analyze the impact the changes may have on your organization. You might find that you already meet some of the v4.0 requirements, so you can prioritize your transition efforts where they are most needed.
When transitioning to PCI DSS v4.0, consider which validation approach is right for your organization. There are two options: the defined approach and the customized approach. Ultimately, selecting the right validation approach will depend on your organization’s security strategy and approach to risk management
Document everything. Establish policies and procedures to support ongoing and consistent implementation of security controls. There are also some new documentation requirements in PCI DSS v4.0 that you might need to address. 
Use technologies and solutions that have been tested and validated by the PCI Security Standards Council (PCI SSC) against security standards for the protection of payment data
It is essential to educate and train your staff about their role in keeping your data secure and meeting PCI DSS. Identify any skills gaps and train your teams in any new technologies you are implementing.
PCI DSS v4.0 is designed to support long-term, continuous processes to protect payment data. The additional flexibility provided in PCI DSS v4.0 allows organizations to choose security controls most suited to their business and security needs. Organizations focused on maintaining PCI DSS security controls year-round can more readily avoid recurring cycles of short-term compliance followed by security lapses and short-term remediation each time they have an assessment.

Taking on PCI DSS 4.0 can feel like a big task, but you're not in it alone. A24 is here to help every step of the way. We've got the experience and the know-how. We're here to make sure your payment systems and data are well-protected.

We're extremely delighted to have met the latest PCI DSS standards, underlining our unwavering commitment to fortifying our clients’ and their clients' data security, especially in today's increasingly challenging digital landscape. Moving from PCI DSS version 3.2.1 to version 4 is a big step up in making sure your data is secure." says Terry Warren, CEO of A24.

When it comes to understanding the changes in PCI DSS v4.0, the best place to start is by reading the PCI DSS v3.2.1 to PCI DSS v4.0 Summary of Changes. Located in the PCI SSC Document Library, this document provides a valuable summary and descriptions of the changes between PCI DSS v3.2.1 and v4.0. It also includes a Summary of New Requirements table that lists all the new requirements along with their applicability and effective dates.

Let’s Connect

The A24 team is ready to confidentially discuss your projects and digital transformation journey. With white papers and extensive business experience, our leadership team are ready to provide support and expert guidance for any project you undertake. To learn more about our executives visit our Teams page. Otherwise, please leave a note below, and we'll get back to you promptly.