PCI DSS Version 4.0 was released in March 2022, which means the clock has officially started ticking toward the deadline for complying with the new requirements. But what does this mean for your organization? How much time do you have to ensure you’re fully compliant?
This guide will cover what you need to know about the PCI DSS 4.0 timeline.
What Is the PCI DSS 4.0 Timeline?
The PCI DSS v4.0 draft was officially released on March 31, 2022, but the compliance deadline allows time for the transition to the new requirements. PCI DSS v3.2.1 remains active until March 31, 2024, giving organizations two years to learn and implement the new standard; after that date, PCI DSS 4.0 supersedes v3.2.1.
Both versions are active until then, and organizations then have an additional year, until March 31, 2025, to verify that they are compliant with PCI DSS 4.0.
What is PCI DSS 4.0?
The Payment Card Industry Data Security Standard (PCI DSS) exists to improve the security of payment card account data, and PCI DSS 4.0 is the latest version of this standard.
PCI DSS 4.0 establishes a baseline standard for technical and operational requirements to keep sensitive account data secure as it is used and transmitted throughout the payment processing ecosystem. It was developed to better address emerging security threats, clarify guidance, and facilitate more customized security solutions.
Who needs to comply?
PCI DSS requirements apply wherever account data is stored, processed, or transmitted, and wherever the security of the cardholder data environment could be affected.
Account data includes:
- Primary account numbers (PANs)
- Cardholder names
- Card expiration dates
- Service codes
- Magnetic-stripe or chip data
- Card verification codes
- PINs and PIN blocks
RSI Security will advise your organization and identify what updates are needed to ensure your security policy and procedures align with the updated PCI DSS standards.
What Are the PCI Requirements?
PCI DSS 4.0 comprises 12 requirements, organized into six categories:
- Secure networks and systems:
  - Implement and maintain network security controls.
  - Securely configure all system components.
- Protect sensitive data:
  - Secure stored account data.
  - Use strong cryptography to protect cardholder data during transmission over public and open networks.
- Have a vulnerability management program:
  - Keep systems and networks protected against malware.
  - Maintain the security of all developed systems and software.
- Implement access control:
  - Follow the “need to know” principle for access to system assets and cardholder data.
  - Use proper identification and authentication measures when granting access to system components.
  - Limit physical access to cardholder data.
- Test and monitor networks on an ongoing basis:
  - Monitor and log access to cardholder data and system components.
  - Perform regular security tests on all systems and networks.
- Establish and follow an information security policy:
  - Implement official policies and programs to support security goals within the organization.
Each requirement also comprises several sub-requirements, the specific cybersecurity controls that organizations must implement to meet the standard. For example, the three access control requirements break down further into controls such as minimum password lengths and multi-factor authentication (MFA).
Steps to Take to Become Compliant
So, what steps should your organization take to ensure timely compliance with the new requirements? We recommend the following:
- Review the new standard – Read PCI DSS version 4.0 and gain a thorough understanding of the new requirements. Version 4.0 supports two approaches: a defined approach that follows the requirements as written, and a customized approach that meets the requirements in the context of an organization’s unique environment.
- Assess current security program – Audit and assess current policies, procedures, and security controls, and evaluate them based on the new requirements. Document all findings to inform the decisions that will be made moving forward.
- Develop a plan – Develop a plan that incorporates the implementation of new measures, personnel training, and assessment procedures that align with the requirements of PCI DSS 4.0. Consider the time that is available and set deadlines for phases throughout the implementation to keep things on track.
- Implement changes – Follow the plan to implement a security program compliant with PCI DSS 4.0.
- Review – Review the success of the implementation by performing follow-up security assessments and audits.
- Verify compliance early – Don’t wait until the deadline to verify compliance with PCI DSS 4.0. Allot plenty of time to complete the work ahead of schedule and, if possible, get verified before the deadline.
- Get guidance – RSI will ensure your organization doesn’t miss anything during the transition to PCI DSS 4.0, helping you keep both cardholder data and your organization’s systems and networks secure against emerging security threats.
Get Ready for the Switch to PCI DSS 4.0
Version 4.0 of the Payment Card Industry Data Security Standard will help your organization stay better protected against emerging threats to cardholder data and to the organizations that handle it. The deadline provides ample time for learning and transitioning to the new requirements, but it’s critical to develop a plan to keep things on track.
Contact RSI Security today to learn more about the PCI DSS 4.0 timeline and assess your organization’s PCI compliance strategy!