PCI DSS v4.0: What Companies Need to Know to Prepare for the New Standards
By Scott Sweren / 15 Nov 2022
In a recent LinkedIn Live, my colleague Bob Skinner and I discussed how organizations can prepare for the new PCI DSS v4.0 standards, which you can watch here.
The PCI Data Security Standard (PCI DSS) dates to December 2004, when the major card brands published version 1.0 in response to rising card use and card fraud; in 2006 those brands formed the Payment Card Industry Security Standards Council (PCI SSC) to own and maintain the standard. Over the years it has evolved with the changing technology and threat landscape. The latest revision, v4.0, was published in March 2022. It addresses the types of breaches seen since v3.2.1 and bolsters protection where gaps have been identified. Version 3.2.1 is retired on 31 March 2024, after which assessments must be performed against v4.0; the new requirements that v4.0 marks as future-dated are best practice until 31 March 2025, when they become mandatory. Most importantly, PCI DSS is a minimum: it sets the floor companies must meet to protect cardholder data, and organizations can and should add measures that go beyond its requirements.
Most prior iterations of PCI DSS have been prescriptive. In developing v4.0, the PCI SSC took on board feedback that rigid, one-size-fits-all requirements made compliance difficult for some companies. Alongside the traditional defined approach, v4.0 therefore introduces a customized approach that lets companies with specialized technology or unique environments implement controls tailored to their own needs, provided the control still meets the requirement's stated objective. The customized approach is chosen per requirement, not for the standard as a whole, which avoids an all-or-nothing decision that could create unnecessary headaches for organizations trying to meet the standard. It is not a shortcut, though: each customized control must be backed by a documented targeted risk analysis and a controls matrix, and the assessor must develop their own testing procedures to validate it, so the evidence burden is typically higher than under the defined approach. A small number of requirements are also not eligible for customization at all.
As organizations prepare for PCI DSS v4.0, they may be wondering what investments need to be made in hardware, software and licensing, as well as the human and financial resources that should be planned. Some of the changes that many organizations will need to consider are outlined below:
These PCI DSS v4.0 requirements represent a mindset shift away from checkboxes and toward active compliance management. The changes move toward an expectation that PCI DSS compliance is business as usual, or simply how business operations are conducted. Outside of the listed requirements, organizations still need to prepare for the overarching challenges that a new version of the standard brings.
The two biggest challenges organizations will face with PCI DSS v4.0 are risk management and planning. A significant change is the move away from relying solely on an enterprise-wide risk assessment toward requiring a targeted risk analysis for specific control areas, for example to justify how often a periodic activity is performed and to support any control implemented under the customized approach. This means drilling down from a broad assessment to individual controls, which calls for mature risk management skills. Companies need to start maturing their risk management processes now so they aren't behind when the 2024 date arrives.
Additionally, organizations shouldn't underestimate the time and effort it could take to reach compliance. If companies start now, there is enough time to conduct a gap analysis, as well as two budget cycles in which to plan investments before the March 2024 retirement of v3.2.1. PCI DSS v4.0 is heavily focused on documentation and responsibility: organizations must document not only their processes but also who is responsible for each control, and for each requirement the roles and responsibilities must be documented, assigned and understood. It is best practice to ensure there is knowledge transfer to prepare for employees leaving or retiring, and to manage documentation continuously so that the named responsible parties stay current.
While PCI DSS v4.0 may seem like an overwhelming undertaking, organizations that are already thinking about these changes are putting themselves in a strong position. Planning and documenting are the biggest takeaways for setting yourself up for success. Organizations that give themselves the maximum amount of time to close the gaps they identify will be glad they started early when 2024 rolls around.