866.254.0000
Talk with a Specialist
Services
SOC & Attestations
Payment Card Assessments
ISO Certifications
Privacy Assessments
Federal Assessments
Healthcare Assessments
Penetration Testing
Cybersecurity Assessments
Crypto and Digital Trust
Schellman Training
ESG & Sustainability
AI Services
View All Services
Industry Solutions
Cloud Computing & Data Centers Meet a broad range of regulatory and industry compliance mandates for your customers
Financial Services & Fintech Cybersecurity assessments for both the banking industry and the financial service providers
Healthcare Reporting to manage risk and adhere to applicable laws and regulations
Payment Card Processing Validate compliance with the various forms of the PCI DSS
US Government Achieve authorization to work for federal agencies, DoD, and the associated contractor base
Higher Education & Research Laboratories Reinforce your commitment to securing your student's and institution's data.
View All Industry Solutions
Learning Center
Our Technology
About Us
Leadership Team
Careers
Corporate Social Responsibility
Strategic Partnerships
Visit About Us
Services
Services
View All Services
SOC & Attestations
SOC & Attestations
Payment Card Assessments
Payment Card Assessments
ISO Certifications
ISO Certifications
Privacy Assessments
Privacy Assessments
Federal Assessments
Federal Assessments
Healthcare Assessments
Healthcare Assessments
Penetration Testing
Penetration Testing
Cybersecurity Assessments
Cybersecurity Assessments
Crypto and Digital Trust
Crypto and Digital Trust
Schellman Training
Schellman Training
ESG & Sustainability
ESG & Sustainability
AI Services
AI Services
Industry Solutions
Industry Solutions
View All Industry Solutions
Cloud Computing & Data Centers
Cloud Computing & Data Centers
Financial Services & Fintech
Financial Services & Fintech
Healthcare
Healthcare
Payment Card Processing
Payment Card Processing
US Government
US Government
Higher Education & Research Laboratories
Higher Education & Research Laboratories
Learning Center
Our Technology
About Us
About Us
About Schellman
Leadership Team
Leadership Team
Careers
Careers
Corporate Social Responsibility
Corporate Social Responsibility
Strategic Partnerships
Strategic Partnerships
Talk with a Specialist

«  View All Posts

Decrypting the New Cryptographic Requirements in PCI DSS v4.0 Blog Feature

By: Schellman

Print/Save as PDF

Decrypting the New Cryptographic Requirements in PCI DSS v4.0

Payment Card Assessments | Crypto and Digital Trust

A fun fact about Egyptian hieroglyphics is that you don’t necessarily read them as we read English—from left to right. They could be written what we consider backward, or even vertically.

Not only that, but hieroglyphic writing doesn't contain punctuation, nor are there spaces between words. If you were to attempt to read some, you’d need a good grasp of ancient Egyptian grammar (and who has that these days?). You’d probably also need to understand at least a little context of the message if you wanted to tell everything apart.

It might feel as complicated to try and understand the new cryptographic requirements in PCI DSS v4.0.

And while we are not at all equipped with the context or grammar to read ancient, pictographic writings, we can offer something similar when it comes to helping you decrypt these changes in the standard.

Just like hieroglyphics, cryptography is complex and often requires more planning than other controls. Schellman has been on top of this latest version of the flagship payment card standard since even before its release, and now we want to share some of our insight on this particular subject with you.

Changes to encryption are not a surprise in the broader context of the new PCI-DSS version. These new control requirements are just meant to further safeguard account data, and in this article, we’ll get more granular as to how they’ll do that.

We’ll highlight several new requirements, evolving requirements (expansion), as well as how to prepare for these changes. Though it will likely take more than just one blog post to ease your anxiety about the transition that lies ahead, after reading you’ll feel that much more comfortable with one of the more complicated components of PCI DSS v4.0.

Understanding the General New Cryptographic Requirements in PCI DSS v4.0

What These Affect: Encryption During Transmission

Overall, the changes expand the scope of protecting cardholder data during transmission of any kind on trusted or untrusted networks.  Of course, strong encryption on untrusted networks is already widely accepted, but you might be wondering what risk there would be for unencrypted cardholder data on a trusted network.

Consider these particular risks and how strong encryption can help:

  • The Threat of Malicious Code Within a Network: An adversary may embed malicious code using many methods in an attempt to capture sensitive data.  If encryption is not implemented during transmission, a malicious actor who succeeds in gaining access to primary or adjacent systems may be able to view, record, and exfiltrate sensitive data. The expanded scope for encryption will help prevent this.

  • Insider Threat: You may have a situation where a trusted party has substantial access to network traffic.  But in some instances of unencrypted data transmission, an attacker may collect and observe cardholder data without activating security controls.  Encryption of cardholder data in transmission reduces this risk.

  • Misconfiguration: Before this new version, weak encryption was allowed—i.e., WEP, TLS 1.1, standalone SSL, etc.—though it left you susceptible to simple downgrade attacks.  A downgrade attack is where a bad actor “convinces” a system to abandon a secure method of communication by using less secure, but still available encryption.  Strong, and only strong encryption prevents the loss of sensitive data by this method, hence this update to PCI DSS v4.0.

Understanding PCI DSS v4.0 Requirement 12.3.3 – New*

What This Affects: Cipher Review

Under this new requirement, you are now obligated to document and review cryptographic cipher suites and protocols at least annually.

Your reviews should include information such as:

  • The categorization of information/information system the cryptographic cipher protects;
  • An assessment of cryptographic cipher effectiveness;
  • A determination if the cipher is necessary for the operational function of information system(s); and
  • Confirmation that information security requirements are being met and integrated into your enterprise architecture and system development life cycle process. They should also align with business and risk strategies as established by senior leadership.

Understanding PCI DSS v4 Requirement 4.2.1.1 – New*

What This Affects: Inventory

Among all the changes, PCI DSS v4.0 also includes requirements to maintain an inventory of trusted keys and certificates. This one in particular ties into strong encryption.

Similar to current requirements regarding change control, keys and certificates will also require documentation and knowledge management. 

Documenting a process for issuing, retaining, and storing cryptographic keys and certificates in a repeatable process may assist with this requirement.

Understanding PCI DSS v4.0 Requirement 3.6.1.1 - New*

What This Affects: Cryptographic Architecture (Service Providers Only)

Service providers must now include a documented description of the cryptographic architecture for production and test environments. 

Why? To prevent the use of duplicate cryptographic keys across environments.

Because test environments are potentially less secure than production, there is greater potential for cryptographic keys to be intercepted and decrypted. This requirement will help curb that.

Understanding PCI DSS v4.0 Requirement 4.2.1 - *Evolved

What This Affects: Primary Account Numbers (PAN)

Certificates used to safeguard PAN during transmission over open, public networks must be confirmed as valid and are not expired or revoked. 

Internally issued certificates will need to be logged as inventory (as we mentioned above under Requirement 4.2.1.1). Internal certificates issued and managed by an internal certificate authority may still be used if managed properly.

How to Prepare for the New Cryptographic Requirements in PCI DSS 4.0

The big question now becomes how to deal properly with all these updates. Here are three tips:

  • Stay Cognizant of the PCI-DSS v4.0 Timeline for Transition. 
    • Encryption methods and requirements may be subject to change, so to boost your adaptability, preparation in the meantime will be key. 
    • Future dated requirements are considered to be a best practice until Q1 2025.
  • Ensure Review of Internal Applications That Rely on Unencrypted or Explicit Encryption.
    • Now under these new requirements, internal applications used to store and transmit sensitive data may require substantial re-development or re-tooling. 
    • Although PCI-DSS v3.2.1 is not expected to be retired until Q1 2024, making changes to internal software/hardware may require considerable time and effort, so starting your review as soon as possible is recommended.
  • Consider the “Bigger Picture.” 
    • It may be that your organization also uses information systems that are incapable of cryptographically secure communication. But these are facing deprecation.  
    • Though those systems may be spared the scrutiny of the above requirements, major organizations are adopting other approaches to ensure they don’t fall victim to any surprises:
      • For example,  Federal (FISMA) compliance, given its underlying system requirements derived from NIST 800-53, is generally proactive in developing security controls and is closely mapped with current PCI-DSS standards. That standard has also now implemented similar cryptographic requirements that may be worth looking into for you. 
    • Whether you opt for FISMA or not, as attackers become more advanced, you must put the tools in place to secure all your systems as you adapt to increasing requirements. If you don’t, you leave the door open to substantial risk.

Moving Forward With PCI DSS v4.0

Comprehension of the entire new PCI DSS standard may feel like looking at hieroglyphics now, but it won’t always. And now you at least understand more about what will be asked of you on the cryptography side, so you’re getting there.

As we all continue to get acquainted with the new version, read our other content on PCI DSS v4.0 for breakdowns of some of the most important updates:

But if you find that you have questions more specific to your organization and the impact of PCI DSS v4.0, please contact our team at pci@schellman.com or through our contact us page. Whether by setting up a call or through an email conversation, we’ll do what we can to set your mind at ease.

About Schellman

Schellman is a leading provider of attestation and compliance services. We are the only company in the world that is a CPA firm, a globally licensed PCI Qualified Security Assessor, an ISO Certification Body, HITRUST CSF Assessor, a FedRAMP 3PAO, and most recently, an APEC Accountability Agent. Renowned for expertise tempered by practical experience, Schellman's professionals provide superior client service balanced by steadfast independence. Our approach builds successful, long-term relationships and allows our clients to achieve multiple compliance objectives through a single third-party assessor.

4010 W Boy Scout Boulevard
Suite 600
Tampa, FL 33607

U.S. 1.866.254.0000

Outside the U.S.
1.813.288.8833

Resources
Company
Stay Up-to-Date

Sign up to receive Schellman's Weekly Ready delivered every Friday morning.

© SchellmanPrivacy PolicyTerms of Use

“Schellman” is the brand name under which Schellman & Company, LLC and Schellman Compliance, LLC provide professional services. Schellman & Company, LLC and Schellman Compliance, LLC practice as an alternative practice structure in accordance with the AICPA Code of Professional Conduct and applicable law, regulations and professional standards. Schellman & Company, LLC is a licensed certified public accounting firm (Florida license number AD62941) registered with the Public Company Accounting Oversight Board (PCAOB) that provides attest services to its clients, and Schellman Compliance, LLC provides nonattest cybersecurity and compliance professional services to its clients. Schellman Compliance, LLC is not a licensed CPA firm. Schellman & Company, LLC and Schellman Compliance, LLC are independently owned and are not liable for the services provided by any other entity providing services under the Schellman brand. Our use of the terms “our firm” and “we” and “us” and terms of similar import, denote the alternative practice structure conducted by Schellman & Company, LLC and Schellman Compliance, LLC.