PCI DSS v4.0 has finally landed and with the new update comes a raft of implications for users. We’ve identified several early observations to focus on when it comes to integrating the new update into your payment systems but don’t worry – you have plenty of time to put your plans into action.
So what are the main changes to focus on in PCI DSS v4.0?
Give Yourself Time
The Payment Card Industry Security Standards Council (PCI SSC) has always aimed to provide a great deal of detail, but the standard has certainly grown in size for PCI DSS v4.0. You will want to give yourself plenty of time to familiarise yourself with the supplementary information guides that accompany the PCI standard, as there is more information to digest. On a positive note, this is a welcome move, as it means there is now a greater deal of clarity for the wider community.
Key areas of note in the updated standard relate to customised validation, but aim to take your time. The greater context offers much better guidance, but some of the newer areas are significant. Luckily the timeline to transition over to PCI DSS v4.0 is mercifully long, and v3.2.1 will still be in operation until early 2024 at the latest. That leaves plenty of time to research implementation.
When Should I Transition to PCI DSS v4.0?
This is something that needs to be carefully agreed between customer and service provider. Although the transition period is relatively long, switching over too early could create some challenges around how you can be validated by a Qualified Security Assessor (QSA) if you are not covered by your own PCI DSS v3.2.1 assessment.
Meeting the Standard
As mentioned earlier, the standard has been greatly changed and, as a result, PCI SSC is introducing Future-Dated Requirements. Don’t worry too much about this because, as with the transition period, Future-Dated Requirements will not be active until early 2025. Digest what the new additions to the standard are, but you have plenty of time for implementation.
Requirements Have Tightened Up – Although It Might Not Seem Like It at First
It’s worth keeping in mind that whilst there are Future-Dated Requirements as part of the new standard, there isn’t a drastic increase in the number of requirements. However, there is an element of trickery in the way this has been presented. Some requirements remain the same in PCI DSS v4.0 but have been flattened: the amount of work remains, but they have been consolidated into fewer numbered points despite carrying more considerations. You will need to be smart here: identify the requirements and then budget wisely for the time required based on the actual work involved, not the number of points listed.
There will also be greater scope for risk management in the compliance programme of PCI DSS v4.0 which is welcome news to many businesses and organisations who felt previous updates were lacking in relation to certain events.
The main takeaway from the initial reaction to the new update is that this is a major transition to plan for, and one which will require serious consideration and planning. Now is the time to review the standard and build a transition plan. Luckily the timeline for implementation reflects the level of change, so although right now it’s business as usual, a two-year switchover plan should be in the pipeline.
Long-term, the transition to PCI DSS v4.0 will no doubt throw up many questions and issues, but we will be here to answer any questions and help plan for any challenges the completion dates present.