PCI DSS Version 4.0 – Are you ready?

In March 2022, the Payment Card Industry (PCI) Security Standards Council (SSC) released the PCI Data Security Standards (DSS) version 4.0. With this release comes some major changes to compliance requirements, as well as some additional flexibility in options for performing assessments. The primary concern for most organizations will be understanding the new and evolving requirements associated with version 4.0 and ensuring there are no gaps in compliance when switching over from v3.2.1 by the required date (for your first assessment after March 31, 2024).

While these updated standards aren’t required by law, they are required by the credit card industry, so there’s a lot at stake here. Failing to comply could lead to fines, and if you have a data breach and are found noncompliant, you could lose the ability to accept credit card payments and face potentially massive lawsuits. Wondering what your organization needs to do right now to prepare for the transition to PCI version 4.0? Here’s what we recommend.

If you have a data breach and are found noncompliant, you could lose the ability to accept credit card payments and face potentially massive lawsuits.

1. Perform a control gap analysis

The first thing your organization should focus on is the new requirements of version 4.0 and compare that to where you stand now. There are a grand total of 53 new requirements applicable to all organizations and an additional 11 applicable for services providers. Of these 64 requirements, there are two groupings of effective dates that should drive your actions.

New requirements for March 2024

Thirteen new requirements will go into effect immediately for all v4.0 assessments (i.e., assessments dated after March 31, 2024). The majority of these March 2024 requirements relate to ensuring roles and responsibilities for the 12 major PCI requirements are documented, assigned, and understood. This could be a good opportunity to review and update your policies to fulfill this while also preparing to add new content as applicable for the future dated requirements.

The majority of these March 2024 requirements relate to ensuring roles and responsibilities for the 12 major PCI requirements are documented, assigned, and understood.

New requirements for March 2025

A total of 51 new requirements will be considered best practice until March 31, 2025, at which point they become required. These include majorly enhanced security protocols — everything from multifactor authentication for all users in the Cardholder Data Environment (CDE) to increased password length and automated log review. For a deeper understanding of these changes, the PCI SSC has provided a Summary of Changes on their Document Library. We recommend reviewing each of the new requirements and identifying your controls and associated artifacts you’ll plan to provide to your assessor at your next assessment. Where gaps are identified, be sure to initiate remediation plans with a date for your first assessment after March 31, 2025, as the deadline for full operating effectiveness.

2. Convert to the new numbering system

The next item to consider is the overhaul of requirement numbers from v3.2.1 to v4.0. Additionally, there are many instances where verbiage for a requirement has been clarified or entire requirements merged to reduce redundancy. These changes are part of an effort to continually make the PCI DSS more concise and applicable to current technology trends. We recommend spending time mapping your assessment artifacts (such as policies and procedures) from the old numbering scheme to the new numbering scheme. The Summary of Changes document can be a great reference to start your analysis.

This may also be a good opportunity to review your controls in place to meet requirements, especially those that have had clarification made by the council. Keep an eye out for subtle changes to control language and clarifications of general terms. For example, version 4.0 has detailed definition of time periods that were previously ambiguous (e.g., what “quarterly” actually means).

3. Evaluate the use of the customized approach

Another consideration is whether your organization would like to use the customized approach to fulfill your annual assessment requirements — a new feature that some companies will be excited about. This approach isn’t for everyone, but if you have a large company with a mature control environment, or the way your business works doesn’t exactly line up with how PCI requirements are typically met, this could be a great option for you. However, keep in mind that using this method might increase the time required to maintain compliance with PCI as well as the cost of your overall assessment. This is because your organization will need to do a risk analysis for each control using the customized approach and your assessor will need to document a customized validation plan as well.

4. Seek help from a Qualified Security Assessor

If you’d rather not lose the ability to accept credit card payment or find yourself in court for a reputation-destroying security breach, now’s the time to act. If you’re struggling with the onslaught of information and changes related to PCI version 4.0, consider partnering with an expert to help you manage the risk. Seeking help from a Qualified Security Assessor (QSA) is your best bet to ensure you’re effectively converting to PCI version 4.0.