What PCI DSS V4.0 changes impact my environment?

Environment:

PCI pods (Includes US Federal Government pods)

Resolution:

In March of 2022 the PCI Data Security Council released the new PCI Data Security Standard (DSS) V4.0.  As expected from a major revision (from 3.2.1 to 4.0), there are several new and updated requirements.  While the Council allowed for a transition period, where both versions are active, these new requirements have some extra time to phase in.

With Oracle’s overall regard for high security standards, B2C Service had very little to address.  However, some changes highlighted that since B2C Service does not offer a payment processing feature, storing or intentionally collecting personal account numbers (PAN) was not an activity most of our PCI customers were requiring. Therefore, we created a new type of field for specifically capturing PAN.  This feature was released in 22C and will become the sole place a customer can contractually store PAN upon renewal after March 2023.

Information on how to implement this feature can be found in the Overview of Custom Attribute Encryption in the Administering the Agent Browser User Interface guide.

Assistance on finding PAN in your site along with removing or moving this data, can be provided by reaching out to your Technical Account Manager (TAM).