On March 31, 2022, the Payment Card Industry Security Standards Council released version 4.0 of its Data Security Standard (PCI DSS v4.0). According to the council, during the three years it took to develop the new standard, more than 200 organizations provided more than 6,000 items of feedback. This latest version is the most significant update to the PCI DSS since its release 18 years ago.
The PCI DSS is a global standard that establishes a baseline of technical and operational standards for protecting account data. PCI DSS applies to any entity involved in credit card processing, including merchants, processors and service providers that store, process, or transmit cardholder data. In short, the Council takes the position that PCI DSS applies to virtually all companies, big and small, that take credit card payments from consumers or help facilitate those transactions.
Much has changed since the preceding version of the standard, v3.2.1, was published back in 2018. Fuelled by the pandemic, online transactions and the use of point-of-sale (PoS) machines have skyrocketed, technology has evolved, and cloud platforms are used extensively for storing cardholder data. Attackers have also advanced the tactics they use against the payments industry.
Why the Update to PCI DSS v4.0?
PCI DSS is designed to ensure that merchants who accept card payments on the networks operated by VISA, MasterCard, American Express, JCB International, Discover Financial Services, and UnionPay have adequately protected cardholder data. While the 12 core PCI DSS requirements remain fundamentally the same, PCI DSS v4.0 aims to achieve 3 main objectives:
1. Promote Security as a Continuous Process
The biggest change is that security testing has to be a continuous process, rather than a snapshot of an organization’s PCI DSS compliance taken once a year during the annual audit. The standard's documentation tells Qualified Security Assessors (QSAs) that they must select samples from across a period of time to prove compliance.
2. Enhance Validation Methods and Procedures
The new version of the PCI DSS contains revisions to the authentication requirements to reflect the latest industry best practices for password and multi-factor authentication (MFA). Passwords must be longer and consist of at least 12 characters containing a mixture of numbers and letters. Multi-factor authentication will become mandatory for all accounts that provide access to the card data environment.
3. Add Flexibility and Support for Additional Methodologies to Achieve More Stringent Security Requirements
A significant change in version 4.0 is the ability for organizations to design their own controls and implement them based on the intent of the requirements in lieu of compensating controls. This allows companies more flexibility to adopt new technologies or security solutions to achieve compliance. PCI DSS v4.0 supports the use of different technologies, such as cloud-based hosting services, by introducing more flexible wording around requirements and adding intent statements to address the evolving threats to the payment ecosystem.
Details on updates can be found in the PCI DSS v4.0 Change Summary document on the PCI SSC website.
In addition to the updated PCI DSS standard, supporting documents published in the PCI SSC Document Library include the PCI DSS Summary of Changes from v3.2.1 to v4.0, the v4.0 Report on Compliance (ROC) Template, the ROC Attestation of Compliance (AOC), and Frequently Asked Questions.
PCI DSS 4.0 Transition Timeline
Even though PCI DSS 4.0 has been officially published, the older PCI DSS version 3.2.1 will remain active for the next 2 years (March 2022 to March 2024). This transition period is intended to give organizations sufficient time to get used to the changes in version 4.0, update their reporting templates and forms, and make plans to implement the changes needed to meet the latest requirements.
How can I comply with PCI DSS v4.0?
If you are already compliant with PCI DSS v3.2.1, you have until 24 March 2024, or about two years, to be compliant with PCI DSS v4.0.
If you need to be compliant with PCI DSS but have yet to achieve it, skip PCI DSS v3.2.1 and go straight to becoming compliant with PCI DSS v4.0.
Either way, two years is a short time, so today is a good time to start updating your compliance or getting certified.
With less than 2 years to upgrade your PCI DSS to comply with version 4.0, every minute you save is a step closer to meeting and even beating the deadline. Arrange for a demo today to see how Ivrnet’s PCI DSS compliant solutions for over-the-phone and online payments can help smooth your PCI DSS v4.0 compliance journey. Significantly reduce the scope required to achieve and maintain PCI Level 1 compliance with Ivrnet’s Telepay.