Two years is a loooong time.
Think about all the things that can happen over the course of that time frame – world-changing pandemics; economic roller coasters, with mountainous peaks and rock-bottom lows; political and social upheaval and restructuring. And, oh yeah, it will take 2 years until we have officially transitioned into PCI-DSS version 4.0.
If your job has anything to do with Compliance (which, since you’re here, we’ll assume it does), PCI-DSS has likely been on your mind for some time. Finally, after months of deliberation, the highly anticipated version, PCI v4.0, was released on March 31st, 2022. This new version will eventually replace the current version, v3.2.1, which was established in May 2018.
And while there’s a good deal of trepidation around v4.0, companies have the next 2 years to align with the new requirements. Yes, PCI v4.0 is coming, but it's not here, not just yet anyway. To help you get ready, we’ll take a look at some of the points you’ll need to be aware of before 2024 rolls around.
Initially established in 2006 by Amex, Visa, Discover, Mastercard, and JCB International – collectively referred to as the PCI Security Standards Council – PCI-DSS as a regulation set out to secure credit and debit cards from certain types of fraud and data theft. PCI-DSS ensures all entities accepting, processing, storing, and/or transmitting credit card data have the ability to maintain that data in a fully secured Cardholder Data Environment (CDE). Ensuring that the CDE is fully protected and secured is a critical step in preventing malicious actors from accessing credit card data.
Not all companies have the same requirements under PCI-DSS. Some companies are considered Level One Merchants – i.e., companies that process over 6 million transactions per year – and must therefore undergo an external audit performed by a QSA (Qualified Security Assessor). But all companies processing credit card data need to adhere to some level of compliance with PCI, based on the number of credit card transactions being processed per year. Instead of undergoing audits with a QSA, merchants in Levels 2-4 need to complete a self-assessment questionnaire. Level 2 companies also need to complete a Report on Compliance (RoC) to make sure their Point of Sale (POS) is compliant. Any organization found to be in violation will be subject to hefty fines and penalties. This is true currently and will not change in v4.0.
Compliance with PCI is based on meeting a highly technical checklist, and in the past this was considered by Compliance folks to be a relatively straightforward undertaking. So what’s the big deal about this new update? Well, nothing much, really. The checklist-based structure is here to stay, but it is becoming more flexible in nature, to reflect the increasingly flexible nature of cloud-based environments today. What this means in practicality is that while there are still 12 requirements to be met, they can now be customized, enabling businesses to modify their implementation to optimally meet their needs.
Version 4.0 will also address cloud and serverless, areas that were not really relevant when the last update was introduced but are critical for today’s IT environments. It will include updated requirements for keeping these environments secured, impose stricter authentication requirements, and require broader encryption of data.
According to the PCI DSS, “Key high-level goals for PCI DSS v4.0 are:
You can find a detailed explanation of all the changes here.
If you checked out the link above and are thinking that there’s no way for organizations to get up to speed, remember that these new requirements are not applicable until 2024, so panicking should NOT be on the table. According to PCI, the previous version 3.2.1 will remain active for the next 2 years, so you've got more than enough time to prepare. Moreover, this new version was created with industry feedback in mind – so it should be a pretty accurate reflection of the needs of many companies.
And while change is always hard, in this case it’s really to the benefit of the merchants, as this new version will go a long way toward better protecting their customers’ credit and debit card data. So here’s a thought: yes, there are two years until meeting this new version is required. But, since PCI v4.0 is all about doing more to support organizations’ evolving needs and safeguarding payments from end to end, perhaps now is as good a time as any to start looking at ways to improve immediately.