The transition period from PCI DSS 3.2.1 to 4.0 is ending soon. Learn when PCI DSS 4.0 compliance is required and how to go through the transition smoothly.
If your organization stores, processes, or transmits cardholder data and/or sensitive authentication data, then you need to prepare for the Payment Card Industry Data Security Standard 4.0 (PCI DSS 4.0).
The transition period from PCI DSS 3.2.1 to 4.0 is ending soon. So, when is PCI DSS 4.0 required? PCI DSS 4.0 goes into effect on March 31, 2024, and has 63 new requirements. Some requirements (13) are effective immediately. However, the bulk of the new demands (50) aren’t effective until March 31, 2025, giving businesses a year to implement the more challenging requirements.
We already described what is new in PCI DSS 4.0 in one of our previous blog posts, PCI DSS 4.0 Updates: All You Need to Know. Today, we focus on the transition from PCI DSS 3.2.1 (the old version of the document) to the new 4.0 and on when PCI DSS 4.0 is required.
Planet 9 has identified the main steps that should be taken by March 2024 to ensure PCI DSS 4.0 compliance.
The initial phase of compliance predominantly entails planning, defining the PCI assessment scope, assigning responsibilities, conducting assessments, identifying gaps, as well as conducting the gaps remediation and a readiness self-assessment. The sooner you understand what PCI DSS 4.0 means for your organization, the earlier you can begin the planning process and prioritize tasks, ensuring a seamless and effective transition.
Note: as your organization starts implementing changes to meet PCI DSS 4.0, don’t neglect any of the security controls from v3.2.1. Continue to maintain and monitor all your existing PCI DSS security controls, even though your focus might be on implementing new requirements for 4.0. For organizations new to PCI DSS, adopting the defined approach for 4.0 can be advantageous, as it provides precise instructions on achieving the security objectives.
When it comes to understanding the changes in PCI DSS 4.0, the best place to start is the PCI DSS v3.2.1 to PCI DSS 4.0 Summary of Changes or our blog article PCI DSS 4.0 Updates: All You Need to Know.
In short, the PCI DSS 4.0 requirements entail
The 13 requirements that must be implemented by March 2024 are concerned with defining the PCI DSS 4.0 scope and assigning roles and responsibilities within and outside the organization, rather than the technical requirements mentioned above. All the technical requirements, like MFA, encryption, risk assessments, etc., may wait until March 2025.
Note: In addition to the requirements described in the Summary of Changes, there is much new and expanded guidance within the Standard itself. For instance, new concepts such as Targeted Risk Analyses and Network Security Controls were introduced in PCI DSS 4.0 within the previous risk assessment requirements.
Requirement 12.5.2 of the PCI DSS 4.0 mandates that organizations define their Cardholder Data Environment (CDE) and PCI DSS scope a year before the rest of the new requirements go into effect, or by March 2024.
Once you understand the PCI DSS 4.0 requirements, map them to your current security controls and analyze the impact the changes may have on your organization based on your specific environment, merchant level, payment card processing method, and systems. You may discover that certain 4.0 requirements are already in place, allowing you to allocate your transition efforts more effectively to areas where they are most essential.
An important note for organizations that use Self-Assessment Questionnaires (SAQs): read the PCI DSS 4.0 Standard, as it offers comprehensive guidance for each requirement, and the SAQ documents do not include this level of detail. Additionally, be aware that the SAQs have been updated. It is crucial for self-assessing entities to carefully examine their respective SAQs to fully grasp the extent of the changes.
Read more about the SAQ, RoC, and AoC in our blog post RoC, AoC, And Other Elements Of PCI DSS Compliance.
Ten of the 13 requirements (2.1.2, 3.1.2, 4.1.2, 5.1.2, 6.1.2, 7.1.2, 8.1.2, 9.1.2, 10.1.2 and 11.1.2) that must be met by March 2024 are related to defining the roles and responsibilities concerning the other PCI DSS compliance requirements. For example, you must assign an individual responsible for applying secure configuration to all system components (PCI DSS Requirement 2), an individual responsible for protecting stored account data (PCI DSS Requirement 3), and so on.
Another PCI DSS 4.0 requirement that must be implemented by March 2024 is 12.9.2, which mandates that third-party service providers (TPSPs) explicitly define the roles and responsibilities related to a client’s Cardholder Data Environment (CDE). This requirement calls for a clear delineation between the responsibilities of TPSPs and those of their customers.
TPSPs encompass various entities such as payment processors, customer support providers, Managed Service Providers (MSPs), and Managed Security Service Providers (MSSPs).
During your shift to PCI DSS 4.0, evaluate which approach to validating the PCI DSS requirements aligns better with your organization’s needs. There are two options: the defined approach and the customized approach. Which one to select depends on your organization’s security strategy and risk management approach.
The defined approach adheres to the conventional method of implementing and validating PCI DSS requirements. It requires utilizing the criteria and assessment procedures outlined in the Standard.
The customized approach enables organizations to create tailored security controls that align with the objective of the requirement. This means that organizations have the flexibility to accomplish the objective in the way that best suits their specific circumstances. The main aim of such an update is to give organizations more flexibility as long as they can demonstrate their custom solution meets the objective of the PCI DSS requirement.
Considering the customized approach? Make sure you thoroughly understand what is required, and verify that your implementation meets all the documentation requirements.
With a deep understanding of your organization’s scope and the PCI DSS 4.0 requirements, perform a gap analysis. The gap analysis will help determine the work required to close the differences between your existing compliance status and full alignment with the PCI DSS 4.0 standard. It will then allow you to start addressing any gaps in your security controls, fixing all vulnerabilities identified during the gap analysis, and implementing secure business processes.
Early planning is key to being able to address any gaps before a formal validation is required. So, do self-assessments and regular testing to confirm whether your security controls are implemented across all your in-scope systems and areas.
Finally, it’s important to establish open lines of communication with the assessment team prior to the formal validation. This can help ensure that all documentation is ready and that any questions are answered prior to the assessment taking place.
PCI DSS 4.0 is designed to support continuous protection of payment data. The additional flexibility of PCI DSS 4.0 allows organizations to choose the security controls most suited to their business and security needs. It is very important to maintain compliance on an ongoing basis. Some organizations choose to forget about their compliance monitoring right after the audit. This approach is wrong in many ways, and it also creates a pattern where organizations have to scramble for evidence and apply quick fixes right before the next audit. It increases the chances of failing the audit, raises the risk of data breaches, and costs organizations more money to maintain compliance.
It is essential to regularly conduct employee training and awareness programs to instill an understanding of the significance of PCI DSS and individual roles in preserving the security of the organization’s payment data. By embedding security practices into everyday business operations and making them a part of the organizational culture, any control failures can be swiftly identified, reported, and rectified.
By emphasizing security as an ongoing process, organizations can enhance confidence in their payment card data protection and diminish the likelihood of security incidents and breaches.
Planet 9 employs seasoned professionals who have worked in various private industries, including e-commerce, finance, healthcare, manufacturing, and technology, and who help clients become and remain PCI DSS compliant. Depending on the size of the company and the volume of annual credit card transactions, our approach to PCI DSS compliance includes:
To stay updated on the recent cybersecurity and compliance-related topics, keep reading our blog. Feel free to contact the Planet 9 team for help with your security and compliance challenges. We’ll be happy to assist!