PCI DSS v4.0 Now Required for all Assessments

The Payment Card Industry Data Security Standard (PCI DSS) is the gold standard for protecting cardholder data. It ensures organizations that handle credit card information maintain a strong security posture. But just like technology, security standards need to evolve to address new threats, which is why PCI DSS v4.0 is now required for all assessments.

PCI DSS v3.2.1 Officially Retired on March 31, 2024

The v3.2.1 retirement means all PCI DSS assessments must now be conducted against the newer PCI DSS v4.0. This change covers both Reports on Compliance (ROCs) and Self-Assessment Questionnaires (SAQs). Unless your organization obtained payment brand and/or acquirer approval directly, then you need to complete your next assessment this year on PCI DSS v4.0.

Why the Upgrade?

The PCI Security Standards Council (PCI SSC) introduced version 4.0 to address the growing threat landscape and enhance overall security in the realm of cardholder data security.

Let’s break down the key goals:

1. Continue to meet the security needs of the payments industry.  Threats are constantly changing, so security practices must too!
   • Examples: Expanded multi-factor authentication requirements, updated password standards, and new e-commerce/phishing protection address current threats.
2. Promote security as a continuous process. It’s not just about passing an assessment, it’s an ongoing effort.
   • Examples: Clearly assigning responsibilities for each requirement, and detailed guidance to help organizations understand the ‘how’ and ‘why’ of security.
3. Increase flexibility for organizations using different methods to achieve security objectives. This supports innovation!
   • Examples: Allowing group/shared accounts, targeted risk analyses to customize the frequency of security tasks, and the new ‘Customized approach’ for organizations with innovative security methods.
4. Enhance validation methods and procedures. Clearer validation and reporting boost transparency.
   • Examples: Better alignment between Reports on Compliance/Self-Assessment Questionnaires and the Attestation of Compliance.

Additionally, v4.0 places a greater emphasis on the following cybersecurity and compliance concepts:

• Defense-in-Depth: A layered security approach that creates multiple hurdles for attackers.
• Threat Detection and Response: Proactive measures to identify and stop security incidents.
• Software Development Security (SecDevOps): Integrating security throughout the software development lifecycle.

Helpful Resources

If you haven’t already, it’s time to transition to PCI DSS v4.0. Here are some resources to help:

• PCI SSC Website: The PCI SSC website offers a wealth of information on v4.0, including the updated standard itself, transition guides, and assessor training materials.
• 10 Steps for Preparing for PCI DSS v4.0
• Eight Steps to PCI DSS v4.0 from the PCI Council: This blog post from the PCI SSC outlines a clear path for organizations to take to achieve compliance with v4.0.
• Listen to these podcasts focused on the transition to PCI DSS 4.0 and the major changes in PCI DSS 4.0.

Additionally, we produced a webinar specifically for those organizations moving to PCI DSS v4.0. Watch the recording here.

By transitioning to PCI DSS v4.0, you’re demonstrating your commitment to protecting cardholder data and mitigating security risks. Don’t delay, take advantage of the resources available and start your journey to compliance today. Remember, a secure payments environment benefits both your organization and your customers.

Don’t wait, get compliant with PCI DSS v4.0 today. CompliancePoint can help you out. Reach out to us at connect@compliancepoint.com to learn more about our PCI services.