PCI DSS Version 3.2.1 is scheduled to retire on the 31st of March 2024, with Version 4.0 set to take its place.
If your PCI compliance date falls after 1st April 2024, then you will need to complete an assessment against version 4.0 of the standard. Full adherence with the standard is expected by 31 March 2025.
Failure to do so could result in potential penalties, fines, or disruption to card transactions. Non-compliance also poses risks of data breaches, which can have serious consequences for your business reputation and customer trust.
It’s important to note that achieving certification for Version 4.0 will require more effort and time compared to previous versions. It’s not a simple repeat of last year’s process; there are new requirements and complexities to navigate. If your organisation is due to recertify soon, you’ll need to start looking at the process now.
New PCI Version 4.0 Requirements
We have some new requirements to deal with, as this standard takes a slightly different approach as many are marked as “Best Practise until 31st March 2025”. In previous versions, these were described as “Future dated” but due to the nature of this wording, these were often left until the last minute, (or later), to implement.
Version 4.0 places a greater emphasis on security and risk management, requiring organisations to implement more robust security measures. This may include stricter controls around authentication, encryption, and monitoring, which could pose challenges for organisations in terms of implementation and ongoing maintenance.
The importance of third-party security receives more focus too and v4.0 introduces new requirements for assessing and managing the security of third-party service providers. Organisations must ensure that third-party vendors comply with PCI DSS requirements and adequately protect cardholder data. This may involve conducting more thorough assessments, implementing stricter contractual obligations, and enhancing oversight of third-party relationships.
Version 4.0 Challenges
There are some new technical challenges in store too, with a requirement to implement means to monitor all scripts that are running on ecommerce websites. An inventory of scripts must be maintained, with a justification statement completed for each one. The scripts must be authorised, and the integrity of the script must be maintained too. This will pose a challenge to some, but it goes a long way towards helping to address a known security flaw.
One of the other significant changes is to ensure that for every policy or procedure in place, the roles and responsibilities for managing the items covered are clear. In fact, this requirement crops up in every section of the new standard.
There are too many individual changes to call out here, but the PCI Council have put together a useful guide, which can be downloaded for free here:
While transitions can be daunting, please know that the team at 3B Data Security are here to support you every step of the way. Our team of QSAs have been working in the payment card industry for over 25 years and can help ensure your PCI transition is hassle-free.
