PCI DSS v4.0 is coming: here's how to prepare to comply
Organizations need to start laying the groundwork to reap the benefits of the forthcoming PCI DSS v4.0 specification. Creating a team to focus on the upgrade is one good step.
In the first quarter of 2024, PCI DSS v4.0 will go into effect, supplanting the current v3.2.1 PCI standard that has governed credit card transaction security since 2018.
The new version of PCI DSS was released in March 2022. Both versions will coexist until v3.2.1 is officially retired on March 31, 2024, in favor of v4.0. However, credit card companies and vendors that use credit card transactions have until March 2025 to demonstrate compliance with v4.0. This transition period provides the time necessary for organizations to update their systems, policies and procedures to achieve compliance with the updated standard.
What's new in v4.0?
The new PCI standard is expected to include support for the following:
- increased security, encompassing expanded multifactor authentication, updates to password specifications, and updated requirements to address phishing and other security breach events;
- updated guidance on implementing security controls, procedures for identifying areas for improvement, providing more details for auditors and other program assessors, and updated specifications of roles and responsibilities for each updated requirement;
- support for the various ways organizations implement security, including setting procedures for risk analyses that help improve overall security activities, support for different types of accounts -- e.g., shared, group -- and increased options when evaluating newer and more innovative security processes;
- enhancements to compliance activities, addressing the various activities an organization may perform to demonstrate compliance, such as completing a Report on Compliance, self-assessment questionnaire and/or an attestation of compliance;
- greater focus on cybersecurity activities, including more attention on encryption and network security to protect customer credit card data during transmission; and
- increased frequency of security controls testing, ensuring organizations will establish a program of regular testing of their security controls to verify they are performing in compliance with v4.0 requirements.
The following are the 12 PCI DSS criteria:
- installing and maintaining network security controls;
- applying secure configurations to all system components;
- protecting stored account data;
- encrypting cardholder data;
- protecting systems against malware;
- developing and maintaining security systems and applications;
- restricting access to cardholder data on a need-to-know basis;
- assigning a unique identifier to every user with network and system access;
- restricting physical access to cardholder data;
- logging and monitoring access to networks and cardholder data;
- regularly testing systems and resources for security; and
- developing, implementing and maintaining information security policies and programs.
Organizations that adhere to the criteria will have an easier time complying with PCI DSS v4.0 requirements.
Who must implement version 4.0?
Any business, merchant or organization that handles cardholder data must comply with PCI DSS requirements. The standard also governs how data is processed by major credit card companies, among them Visa and Mastercard.
The specification divides organizations into the following four categories:
- Level 1. Organizations that annually complete 6 million or more transactions across all transaction categories.
- Level 2. Organizations that annually complete between 1 million and 6 million transactions across all categories.
- Level 3. Organizations that annually process 20,000 to 1 million transactions across all categories.
- Level 4. Organizations that annually process fewer than 20,000 electronic transactions, and all other businesses that annually complete fewer than 1 million transactions across all categories.
How to prepare for v4.0 compliance
Even though PCI DSS v4.0 isn't mandated just yet, now is the time to begin the work needed to demonstrate compliance with the new standard.
Here are 10 steps companies should be taking:
- Review and understand the updated requirements in version 4.0. Identify and understand criteria essential for achieving compliance.
- Compare existing policies, procedures and other security-related activities against the new version's requirements.
- Establish a team whose job is to update security activities, particularly policies, procedures, technologies and staff expertise needed to comply with version 4.0.
- Remove all unnecessary data from affected systems -- especially data considered sensitive -- to prevent damage or theft of the data.
- Ensure relevant systems are secure from unauthorized access by threat actors.
- Examine the network perimeter to identify threats and vulnerabilities that could result in breaches.
- Maintain vigilance over systems through ongoing monitoring and documentation of security activities.
- Review the protocols that define the protection levels applied to cardholder data to ensure the data's safety and availability.
- Verify all data security activities are regularly tested and updated as needed. Results should be documented and subsequent reports used for proof of performance during audits.
- Regularly brief senior management on work the security team is performing to ensure compliance.
PCI DSS v4.0, once implemented, will further fortify security measures designed to protect cardholder data from a variety of potential risks and threats. Look for more information about the new standard from the payment card industry, as well as from security organizations offering guidance and technologies aimed at supporting the transition to the new standard.