What Colocation Providers Need to Know About PCI DSS v4.0
Since the sunsetting of PCI DSS v3.2.1 on March 31, 2024, PCI DSS v4.0 has been in effect, along with some of its new requirements (future-dated requirements become effective March 31, 2025). While v4.0 introduced major changes in many areas, service providers in particular now face multiple new requirements that are already effective and others that are future-dated, and several of these carry additional nuance for colocation providers.
As experienced PCI Qualified Security Assessors, we've gone through this new standard with a fine-tooth comb in our preparation to help organizations comply. Just as we've done for service providers, banks, and payment facilitators, we're now going to spotlight the areas of note for colocation providers.
In this blog post, we’ll walk through new requirements that colocation providers must prepare to be assessed against (among others).
10 New Requirements in PCI DSS v4.0 That Colocation Providers Need to Know
There are ten new requirements that colocation providers will need to prepare to be assessed against in v4.0 of the standard. Most of them are noted as “Future-Dated,” which means you have some time to prepare ahead of their effective date (March 31, 2025). However, those not noted as such are effective right now.
1. PCI DSS v4.0 Requirement 9.1.2
(Roles and Responsibilities)
What It Says: Colocation service providers—along with all assessed entities, service providers, and merchants—must document the responsibilities for all activities noted within Requirement 9.
While you can choose to incorporate this documentation into existing policy and procedures or create a separate new file, a responsible, accountable, consulted, and informed (RACI) matrix would meet this requirement, or you could go with something simpler like a table that includes:
- The name/role/title;
- Responsibility; and
- Related requirement/sub-requirement number.
2. PCI DSS v4.0 Requirement 12.3.1
(Future-Dated Risk Analysis)
What It Says: A targeted risk analysis (TRA) must be performed and documented for each PCI DSS requirement that provides flexibility for how frequently it is performed.
In PCI DSS v4.0, the risk assessment requirements have dramatically changed—and this new concept of a required targeted risk analysis (TRA) focuses on the assets, threats, and factors that impact the likelihood of an attack as related to certain requirements. The resulting analysis can then be used to define how frequently you will perform the requirement (e.g., annually, semi-annually, quarterly, etc.).
(TRAs must be reviewed at least once every 12 months and updated as needed.)
3. PCI DSS v4.0 Requirement 12.3.2
(Risk Analysis)
What It Says: A targeted risk analysis must be performed for each PCI DSS requirement that the entity meets with the customized approach.
Rather than requiring organizations to stick to defined control processes, PCI DSS v4.0 now allows you to customize your approach to controls—as long as you still meet the customized approach security objective of the requirement.
But for each requirement that you choose to meet with a customized approach, you must perform a TRA annually that documents each element included in Appendix D (Customized Approach), including:
- A controls matrix; and
- Approval of the documented evidence by senior management.
4. PCI DSS v4.0 Requirement 12.5.2
(Scope Review)
What It Says: Your PCI DSS scope must be formally reviewed and documented at least once every 12 months and upon significant change to the in-scope environment.
While scope validation has always been an expected component of maintaining PCI DSS compliance, this new requirement mandates the scope review be formally documented and performed at least annually, and the list of elements you’ll need to include in the review is given in the requirement.
However, for colocation providers who limit their scope to the physical security controls within requirements 9 and 10 together with the related policy and procedure controls within requirement 12, here’s what you need to know:
- Your scope review should focus on reviewing and confirming the facilities and systems relevant to physical security within the scope of your assessment.
- If you exclude one or more locations from your scope, you must document which locations are included in and excluded from your PCI scope.
- Any significant change to the organization must also trigger a required scope review where you will formally document the significant change to your in-scope environment.
- For a colocation provider, a significant change could include:
  - Adding or removing facilities to the scope of the assessment;
  - Major renovations to an existing facility; or
  - Engagement of a third-party service provider that will be responsible for meeting PCI DSS requirements.
5. PCI DSS v4.0 Requirement 12.5.2.1
(Future-Dated Scope Review)
What It Says: PCI DSS scope must be formally reviewed and documented at least once every six (6) months and upon significant change to the in-scope environment.
While colocation providers currently need to perform these scope reviews only annually, you, along with all other PCI DSS service providers, will soon be required to perform a scope review EVERY SIX (6) MONTHS instead, as well as upon any significant change to the in-scope environment.
6. PCI DSS v4.0 Requirement 12.5.3
(Future-Dated Scope Impact Review)
What It Says: Significant changes to organizational structure must result in a documented (internal) review of the impact on PCI DSS scope and applicable controls, with results communicated to executive management.
As noted in the guidance provided by the PCI SSC, your organizational structure and management define the requirements and protocols for implementing effective and secure controls and operations. Should you introduce any significant changes to them, that is, changes with the potential to disrupt the effective operation of your implemented PCI DSS controls, you'll need to assess that potential impact.
Though you will determine and define what constitutes a significant change to your organization, examples that should trigger a scope impact review could include:
- Mergers or acquisitions; or
- Changes in the assignments of personnel responsible for maintaining PCI DSS compliance activities.
Any issues identified during the review must be addressed, and the results communicated to executive management.
7. PCI DSS v4.0 Requirement 12.6.2
(Future-Dated Training Updates)
What It Says: Security awareness training must be reviewed at least once every 12 months and updated as needed to address new threats and vulnerabilities.
While this requirement speaks for itself, make sure to also document evidence of each review.
8. PCI DSS v4.0 Requirement 12.6.3.1
(Future-Dated Training Content)
What It Says: Security awareness training must address threats and vulnerabilities to the in-scope environment including phishing and related social engineering attacks.
Per this requirement, you’ll be mandated to educate your people so that they’re able to detect attacks targeting them before security is impacted. Training should include:
- How to identify various types of social engineering attacks;
- How to react to them; and
- How to report them to personnel responsible for mitigation activities.
(You may also want to consider conducting periodic phishing e-mail campaigns to test your employees on their training.)
9. PCI DSS v4.0 Requirement 12.6.3.2
(Future-Dated Training Content)
What It Says: Security awareness training must include awareness about the acceptable use of end-user technologies.
Along with social engineering, you’ll also need to ensure your security awareness training addresses the acceptable use of end-user technologies allowed as well as their impact on the security of your organization’s PCI DSS scope.
10. PCI DSS v4.0 Requirement 12.10.4.1
(Future-Dated Training Frequency)
What It Says: The frequency of periodic training for incident response personnel is defined by the entity’s targeted risk analysis.
Though training personnel responsible for incident response activities is not a new requirement in the PCI DSS, you’ll now determine the frequency of such training with a targeted risk analysis in accordance with requirement 12.3.1.
Next Steps for Your PCI DSS v4.0 Compliance
PCI DSS v4.0 has introduced plenty of changes for different kinds of organizations in the payment card industry—colocation included. That being said, it’s important to note that the requirements we discussed here apply to colocation providers who limit their scope to the physical security controls within requirements 9 and 10 and the related policy and procedure controls within requirement 12.
For colocation providers whose scope goes beyond requirements 9, 10, and 12 (for example, where the assessment also includes testing of the operating systems for the servers that host their physical access control systems), there will be additional new requirements you should prepare for that we did not discuss here.
Still, all colocation providers must be prepared to meet everything mentioned here to maintain compliance, and we recommend addressing these new requirements sooner rather than later so that you have sufficient time to implement any new processes you may need.
Should you have any further questions about these new requirements and your compliance, feel free to contact us to discuss them. You can also check out our extensive content library breaking down different aspects of PCI DSS v4.0, which may contain the information you need.
About Jeff Lasker
Jeff Lasker is a Manager at Schellman & Company, LLC. Jeff began his professional career in 2007 while working as an IT auditor for one of the Big 4 accounting firms. Jeff executed several critical projects for clients in the areas of IT systems controls, Service Organization Controls (SOC) reporting projects, and Sarbanes-Oxley compliance. Jeff joined Schellman & Company, LLC in 2008 and is now dedicated exclusively to providing Payment Card Industry (PCI) services to clients. To date, Jeff has provided services to clients in the financial services, governmental, human resources, information technology, insurance, and manufacturing industries, among others. Jeff has also provided professional services to companies of all sizes during his career, including Fortune 1000 and publicly traded companies.