How Federal and State Government Agencies Can Prepare for New PCI DSS Compliance

Public-sector agencies that process credit and debit card transactions must abide by the Payment Card Industry Data Security Standards (PCI DSS) framework and maintain PCI DSS compliance. However, a new version of those regulations, PCI DSS v4.0, is set to take effect in 2024. These new regulations require agencies to adapt to updated and additional PCI DSS compliance requirements. This is the most significant update to the PCI DSS since its initial release in 2004.

What are the new requirements that will impact how government agencies collect and process credit and debit card transactions?

And what can public-sector organizations begin doing to maintain compliance with PCI DSS v4.0?

What Is PCI DSS?

The PCI DSS framework contains a catalog of baseline security requirements to help to develop and maintain a secure environment to protect payment card account data against unauthorized access and compromise.

Any organization — including businesses and public-sector agencies — that accepts credit or debit card payments from companies such as Mastercard and Visa should comply with PCI DSS requirements. Failure to meet PCI DSS compliance rules can trigger significant fines, and it can eventually result in card processors choosing to block noncompliant organizations from accepting card payments altogether.

PCI DSS v4.0 Is the Latest Set of Requirements for the Public Sector

The release of PCI DSS v4.0 is the most substantial update to the PCI Standard in 19 years — since the release of DSS 1.0 in 2004. At first glance, organizations will notice several significant changes introduced by PCI DSS v4.0. While v4.0 doesn’t alter the fundamental structure of the PCI Standard, and PCI DSS v4.0 still has the familiar Control Objectives and 12 Key Requirements introduced in 2006, the new version enacts multiple changes to reflect the aims of evolving objectives and requirements.

The PCI DSS v4.0 was released in 2022 and will take effect in March 2024, with some requirements not mandated until March 2025.

PCI DSS v4.0 includes dozens of new or updated security requirements that did not exist in earlier releases of the standard.

Ten Significant PCI DSS v4.0 Requirement Changes

• Disk- or partition-level encryption is no longer enough
• Anti-phishing solution is required
• A web application firewall (WAF) is required
• Multifactor authentication (MFA) requirements updated
• A cryptographic key is required for stored hash values
• Certificates protecting cardholder data (CHD) must be signed by a valid certificate authority (CA)
• Enforcement of integrity controls for payment page scripts is required
• Hardcoded passwords for applications are not permitted
• Authenticated vulnerability scans are required
• Application/system account passwords must expire

Here are some of the changes most likely to impact public-sector organizations.

Anti-phishing rules

PCI DSS v4.0 Requirement 5.4.1 mandates that organizations take steps to mitigate the risk of phishing.¹ Phishing attacks — in which threat actors impersonate legitimate personnel in a bid to trick employees into handing over sensitive information — present a particular risk for public-sector agencies because the names and contact information of public organization employees are often readily available through websites or public databases. This makes it particularly easy for attackers to identify employees that they can attempt to impersonate and then target as part of a phishing campaign.

In response to this risk, implementing both training and tools can help public-sector agencies meet the new anti-phishing requirements of PCI DSS v4.0. Public agencies should ensure that they train their personnel to recognize and resist phishing attacks. In addition, installing anti-phishing tools within IT systems can help to mitigate phishing risks by detecting suspicious communications sent to public employees via email, text or other systems.

Patch management

According to Requirement 6.3.2, which takes effect in March 2025, organizations must "maintain an inventory of bespoke and custom software to facilitate vulnerability and patch management."² Here again, this requirement is likely to pose a special challenge for government agencies, which, according to the website Government Technology, have historically struggled to maintain vigorous patch management programs and keep software up to date. Agencies will likely need a more systematic approach to patch management. They may need to implement new tools and processes to ensure they know the hardware and software assets they have, when patches are available for their software and how they can quickly apply patches to minimize the risk of vulnerabilities that attackers could exploit.

Web application security

Another new rule that goes into effect in March 2025 — Requirement 6.4.2 — mandates that organizations deploy cybersecurity software that "continually detects and prevents web-based attacks" against web applications.³ Some public-sector agencies may already have this type of solution in place to protect their websites. Those that do not may need to build stronger defenses in order to comply with PCI DSS v4.0. This requires them to first understand the multiple causes of security breaches against web applications — which include malicious hacks, malware, social engineering and other types of risks. Once the causes are understood, these agencies must then implement tools that can keep their applications safe — such as performing web application vulnerability scanning, web application firewalls, SQL injection attack scanners and cyber risk monitoring.

Stronger network security

In addition to enhancing application security, the new PCI DSS requirements include updated network security rules. Keeping certificates up to date has long been a network security best practice, but public-sector agencies sometimes struggle to manage their certificates systematically and update them continuously. Going forward, it will be essential to correct certificate management weaknesses in order to maintain PCI DSS compliance. According to Requirement 4.2.1, all organizations must maintain up-to-date digital certificates to help authenticate secure devices that connect to their networks and that secure CHD in transit.⁴

How to Get Ready for PCI DSS v4.0

Here are some helpful steps to get started:

1. Complete a Verizon PCI DSS compliance assessment. This assessment identifies potential weaknesses in your security strategy and compliance initiatives. Furthermore, Verizon has long-standing relationships with leading payment card brands, which provide a strong understanding of their compliance expectations. Compliance assessments are much more than just a checklist of requirements to be met. As an expert in PCI standards, learn how Verizon can help you achieve and maintain PCI compliance and improve your risk profile.
2. Read the Verizon 2022 Payment Security Report (PSR). The 2022 PSR is about preparing to successfully negotiate PCI DSS v4.0, finding the tools you’ll need to identify and solve potential challenges, and choosing the best path forward to determine and accomplish your goals.

This edition of the PSR explores a toolbox of management methods, models and frameworks to help your organization simplify the complexities of payment security while adapting to the new PCI DSS requirements. This special set of management tools is designed to harness the combined capabilities within public-sector agencies and establish better management of PCI security programs by helping plan, design, navigate, fix and maybe even rescue your agency on its journey through changing waters.

With less than a year before PCI DSS v4.0 takes effect, now is the time for the public sector to begin preparing for compliance.

The author of this content is a paid contributor for Verizon.

¹ PCI DSS, Summary of Changes from PCI DSS Version 3.2.1 to 4.0, page 11.

² Ibid, page 29.

³ Ibid, page 12.

⁴ Ibid, page 29.