The PCI Data Security Standard (PCI-DSS) is a global standard that provides a baseline of technical and operational requirements designed to protect account data and information.

Recently, the PCI Security Standards Council (PCI-SSC) announced changes coming to the Data Security Standard. It includes vital information every ISV, VAR, and business accepting credit cards should be aware of in order to remain compliant and avoid compliance fees.  

The beginning stages of v4.0 started in 2017 with changes to v3.2.1. These changes were adopted in the latest version of PCI-DSS and initiated in Q1 of 2020 during the global pandemic. The switch from v3.2.1 to v4.0 happened in a time of uncertainty. With the completion of v4.0, supporting documents (linked below), programs, and updates to training material were completed and rolled out in Q4 of last year (2021). 

The development of PCI-DSS v4.0 was driven by industry feedback and furthers the protection of payment data with new controls and flexibility for the merchant. As the payment card industry evolves, so does the technology and attacks against it. Version 4.0 allows the PCI-SSC to adopt a system of being ahead of the curve and create avenues to help businesses upgrade from v3.2.1. 

The 4 Main Changes for PCI-DSS v4.0

1. Increased requirements for Yearly Diligence for Merchants and Service Providers

• • • Every 12 months and upon a significant change, businesses must document and confirm the PCI DSS.
    • For any merchant that uses the customized approach (info found here), a target risk analysis must be performed and approved by senior management
    • An annual review of hardware and software must be completed with a plan to remediate outdated technologies

2. New Customized Approach (info found here)

• • • This customized approach still retains the requirement to evaluate risk, but it allows for a more strategic pathway for businesses with robust security processes and strong risk management practices 

3. Expanded Risk Analysis Guidance

• • • PCI DSS 4.0 has also provided expanded guidance on conducting risk analysis. Risk analysis has always been a part of PCI DSS, significantly used as part of the compensating control worksheet. In this new version, there is a Sample Targeted Risk Analysis Template (PCI DSS Appendix E2). The template provides more information on how the PCI-SSC expects a risk analysis to be carried out. 

4. Clarifications to “Significant Change” Standard 

• • • PCI DSS v4.0 has also provided clarity for some of the key concepts of PCI-DSS, especially what signifies a “significant change”. While the description is more complex in v4.0 than it has been in the past, older versions were not specifically defined. V4.0 offers clarity and examples of the term “significant changes” and processes to stay compliant during changes. 

Projected PCI v4.0 Implementation Timeline

PCI DSS v3.2.1 will remain active for two years after v4.0 is published. However, it is never too early for ISVs, VARs, and merchants to become familiar with the latest version and build a plan for implementing changes as needed.

PCI DSS v4.0 provides clarity on common issues related to PCI DSS and offers significant levels of flexibility for the merchant who has their own security standards in place. As changes are announced, BOLD will continue to update this article with the latest information provided by the PCI-SSC.

Sources:
https://blog.pcisecuritystandards.org/countdown-to-pci-dss-v4.0
https://listings.pcisecuritystandards.org/documents/PCI-DSS-Summary-of-Changes-v3_2_1-to-v4_0.pdf
https://www.mwe.com/insights/pci-dss-4-0-introduces-transformational-change/

Looking to learn how to get started on PCI-DSS v4.0?

Fill out the information below and a BOLD representative will contact you shortly.