On March 31, 2022, the Payment Card Industry Security Standards Council (PCI SSC) released version 4.0 of the PCI DSS. The PCI DSS is a global standard that establishes technical and operational requirements for safeguarding consumer credit card account data. Here is a brief overview of the new version, what to expect, and key dates to plan for the transition.
WHAT IS NEW IN PCI DSS V4.0?
PCI DSS v4.0 replaces PCI DSS v3.2.1 to address advancing technologies and evolving threats. Notably, the 12 core PCI DSS requirements did not change with PCI DSS v4.0; they remain the critical foundation for protecting payment card data. The key priorities for v4.0 were to increase security and flexibility. Overall, there are 64 new requirements. Of those 64:
- 53 apply to all entities
- 11 new requirements are for Service Providers only
- 13 will be required immediately for any v4.0 assessments
- 51 are future dated best practices until March 2025
WHY THE NEW DEVELOPMENT?
The PCI SSC states the goals of PCI DSS v4.0 as follows:
- Continually meet the security needs of the payment industry
- Add flexibility and support of supplementary methodologies to attain security
- Promote security as an ongoing and evolving process
- Enhance validation procedures and methods
WHAT ARE THE KEY DATES WE SHOULD KNOW?
- PCI DSS v4.0 Release: March 31, 2022
- PCI DSS v4.0 Training – QSA and SAQ release: End of Q2 2022
- PCI DSS v3.2.1 Expires: March 2024
- PCI DSS v4.0 Best Practices become Full Requirements: March 2025
When it comes to the transition to the new version, PCI DSS v3.2.1 will remain active for two years after the release of v4.0, according to the PCI SSC. This transition period, which ends on March 31, 2024, allows organizations to familiarize themselves with the changes, update their reporting templates and forms, and plan for and carry out the changes needed to meet the updated requirements. At that point, PCI DSS v3.2.1 will be retired, and v4.0 will become the only active version of the standard.
Because of the complexity of the new requirements and the time needed to implement structural changes, companies should start to address and internally validate controls well in advance of an assessment by their Qualified Security Assessor (QSA). As a best practice, organizations should engage a cross-functional team to assess the impact of the new standard on the business. This would include executives, legal counsel, IT, and everyone who handles credit card data in the company, in order to gain a full picture of risks and exposure while encouraging open communication throughout the process.
The increased focus on risk assessment in PCI DSS v4.0 means that entities will report more information about their security strategies to a QSA than under version 3.2.1. Risk assessments and documentation of safeguards will therefore be key under v4.0.
Review your existing PCI compliance and risk profile to best prepare for your PCI DSS v4.0 transition.