RSI Security

Leveraging the SSC’s Summary of Changes from PCI DSS v3.2.1 to v4.0


The Summary of Changes from PCI DSS v3.2.1 to v4.0 is an excellent resource for organizations getting started on their journey toward compliance. Key takeaways include:

 

Understand the Overall Scope of Changes to the DSS

Whenever the Payment Card Industry (PCI) Security Standards Council (SSC) publishes a new version of the Data Security Standard (DSS), it also publishes helpful resources alongside it, all of which are available in the SSC Document Library. Among them is a Summary of Changes document that explains every update in the new edition; the Summary of Changes from PCI DSS v3.2.1 to v4.0 does exactly that for the current transition, synthesizing and simplifying the most critical information.

The first way organizations can put this document to use is by learning about the essential, high-level changes made throughout the new framework. These begin with the Summary of Changes to PCI DSS Introductory Sections, including big-picture items like the relationship of the DSS to other frameworks, such as the new PCI Software Security Framework (SSF).

Then, there is the Summary of General Changes to PCI DSS Requirements, which documents systematic and recurring edits and repositioning that occur throughout the framework. These may seem minor, but they help IT staff understand where to locate information that has moved from prior editions—like how examples are now in guidance rather than testing procedures.

 


Determine Which Changes Matter Most for Compliance

Next, your organization can use the Summary of Changes document to understand which changes from PCI 3.2.1 to PCI 4.0 will have the biggest impact on your compliance process.

Namely, every change in the new edition falls into one of three categories: evolving requirements, clarification changes, and structure changes.

In the sections above, along with the section listing Additional Changes per Requirement, every single change is assigned one of these three types. That section goes into granular detail, walking through the changes in the order of their position in PCI DSS v3.2.1. For each, it identifies the corresponding requirement(s) and subsection(s) in PCI DSS v4.0, gives a detailed description of the change itself, and then states which type of change it is.

Luckily, your organization does not necessarily need to study every single change right away.

While every change will affect your compliance process to some degree, the evolving requirements are the ones to prioritize; clarification and structure changes are less time-sensitive.

Visualize New Requirements and When They’re Effective

Another critical part of the Summary of Changes document is the section titled Summary of New Requirements. It provides exactly what its title suggests: a table breaking down every new requirement introduced in PCI DSS v4.0. Critically, for each one it lists the requirement number, a description of what is actually required, and when it goes into effect for compliance.

This is because not all of the PCI 4.0 changes are immediately effective.

Upon publication of PCI DSS v4.0 in March 2022, v3.2.1 was slated to remain in effect until March 31, 2024. At that time, the new requirements labeled “immediately for all v4.0 assessments” (13 in total) will be effective. All of the others (51 in total) will not be required until March 31, 2025. These “future-dated” requirements are considered “best practices” for now, and all PCI-eligible organizations are encouraged to implement them as soon as possible.

Knowing which requirements are going to be mandated and when allows organizations greater flexibility in prioritizing their implementation according to their specific needs and means. 

 




Identify Which New Controls Apply to Your Organization

Finally, an oft-overlooked element of PCI DSS compliance is the subtle differences between implementation requirements for merchants and service providers. The same section above also breaks down how many of the new requirements are applicable to all PCI-eligible entities (53) and how many apply to service providers only (11). In practice, service providers have an additional 11 requirements that other organizations do not need to cover. Cross-referencing against the timelines above will help you determine the complete scope of your assessment.

It should be noted that the reporting processes may differ depending on your classification, as well. Different Attestation of Compliance (AOC) forms exist for merchants and service providers, respectively. If you’re not certain which category applies to your organization, consider working with a PCI DSS advisor to determine which controls you need and how to report on them.

 

Prepare for PCI DSS v4.0 Compliance with RSI Security

If your organization is preparing for PCI compliance, you should be open to using all tools at your disposal—especially freely available ones from the SSC itself. Their library contains many useful resources, and the summary and guidance documents are a great place to start.

RSI Security is committed to serving organizations like yours in every step along the PCI DSS compliance journey. We know that the right way is the only way to keep data safe. And we’ll work with you to install controls and instill discipline to unlock greater freedom down the road.

To learn more about the Summary of Changes from PCI DSS v3.2.1 to v4.0, get in touch today!

 

 
