PCI DSS v4.0 is here to help combat new and evolving security threats to the payment industry. It is the next evolution of a global standard that offers a baseline of technical requirements in order to protect sensitive payment data. With over 6,000 items of feedback provided from 200 companies, the new PCI DSS standards offer a holistic upgrade for real world payment security situations.
What are the Goals of PCI DSS v4.0?
- To evolve to meet the changing needs of the payment industry.
- To establish that payment security is an ever-evolving process.
- To allow for flexibility within different methodologies.
- To enhance validation methods across the payment industry.
What’s New in PCI DSS v4.0?
In order to meet the outlined goals, there are a number of changes being implemented in the latest version of the PCI DSS.
- Security practices must evolve to meet ever-changing threats. Adding additional MFA (Multi-Factor Authentication) requirements, updating password guidelines, and adding additional ecommerce and phishing protections will help the payment industry better adapt to new threats.
- Ongoing security procedures are crucial to ensure that sensitive payment data is protected. Each requirement will have better defined roles and responsibilities associated with it. New guidance will be added to help companies better understand how to implement and maintain security procedures. New reporting templates will offer more transparency to better highlight areas for improvement.
- Allowing flexibility offers service organizations more options to meet objectives and helps promote innovation. For example, organizations will be empowered through the use of targeted risk analyses to better establish frequencies for certain tasks. Group, shared and general accounts will be allowed under the new guidelines in certain situations. New methods for implementing and validating PCI DSS will allow organizations like yours to implement unique methods to ensure compliance with key objectives.
- Defining transparent validation and reporting options helps to support granular security objectives. Better aligning expectations between different PCI DSS audit types such as a Report on Compliance (ROC), a Self-Assessment Questionnaire (SAQ), or an Attestation of Compliance helps to create understandable goals and allows you to better align your compliance initiatives to meet expectations.
These are just some of the changes that will be coming in PCI DSS v4.0. For a comprehensive overview, check out the PCI Security Standards Council’s Official Document Library.
A risk-based annual inspection is utilized on completed engagements, combined with an in-process, “pre-issuance” reviews of partners’ work by our corporate quality control team. You expect the best, so we hold ourselves to the highest standard of reporting, according to industry standards and regulations.
How Quickly Do I Need to Update to PCI DSS v4.0?
Not ready to fully switch to PCI DSS 4.0? Don’t sweat it. Version 3.2.1 will remain operational for 2 more years, with a transition period between March 2022 and March 2024. This will allow organizations to familiarize themselves with the new guidelines, update templates and forms, and implement updates to ensure compliance with the new framework.
Qualified assessors will be able to complete assessments under the PCI DSS v4.0 framework after completing required trainings.
- PCI DSS v3.2.1 will remain active until March 31, 2024 to allow organizations time to familiarize themselves with the new version requirements. Entities can choose to voluntarily validate against PCI DSS v4.0 until that date.
- All PCI DSS assessments completed after March 31, 2024 must be validated against v4.0.
[Image Source: PCI Security Standards Council]
Auditwerx is Here to Help with PCI Compliance
If you’re ready to work with a true PCI compliance partner, you’re in the right place. As a certified QSAC with over 10 years of experience, our dedicated team is best positioned to help you through changes to the PCI DSS and ensure your controls remain in compliance with the new guidelines. Contact a PCI specialist today.