With the release of PCI DSS 4.0, all businesses that use customers’ payment card information will have to transition to the new framework. Here’s everything you need to know about the revised framework and how to plan for the transition.
Many of us work better with a deadline. So here’s what the timeline for PCI DSS 4.0 adoption looks like.
March 2022 - PCI DSS 4.0 was released.
March 2022 to March 2024 - Transition time for businesses to move from PCI DSS v3.2.1 to v4.0. During this time, PCI DSS v3.2.1 will also remain active.
31 March 2025 - The final deadline for compliance with the new framework. All future-dated new requirements become effective from this date.
*Please note that all the above dates are based on current projections and are subject to change.
The existing PCI DSS standard (Read more: All about PCI compliance and reporting) is relatively mature. So why was there a need to introduce significant changes in a new version? The four reasons for this change are:
The 12 PCI DSS requirements will continue to be the core foundation of the framework. However, there is a shift in the requirements to consider a broader perspective of security that moves towards a ‘zero trust’ philosophy. As a result, there have been some changes in the requirements and the framework's documentation. You can access the complete requirements here. Below is a summary of the significant changes in the new version of PCI DSS.
The new framework offers businesses more flexibility while keeping the focus on better security. Companies can choose which controls to implement from the set of prescribed controls, or they can customise the controls. To demonstrate compliance, you need only prove effectively that the controls you have implemented meet the intent of the security standards.
There is a stronger emphasis on tighter authentication standards, meaning more structured guidelines for password policies and stronger authentication for payments and access. PCI DSS, with Mastercard, Visa, and Europay, has also implemented the 3DS Core Security Standard for authorising financial transactions. In addition, businesses can now also build their own authentication standards to meet regulatory requirements.
The new version has strengthened security standards by restructuring the requirements. The idea is to better protect customer data while the business stores and transmits it. Senior management needs to consider these changes so that budgets and resources are allocated towards meeting the requirements.
One of the biggest threats to the payment industry is network infiltration by hackers. The new version of PCI DSS includes guidelines and best practices for protecting network transmissions. PCI DSS 4.0 gives insights on encryption to provide better information security over the networks.
With increased technology adoption, businesses are building their information systems from pluggable components, which helps them deploy faster. The new version of PCI DSS takes this shift into account and includes the relevant requirements in the framework so that businesses can address compliance for such components.
The Designated Entities Supplemental Validation (DESV) requirements were already part of PCI DSS, but they were mandatory only for companies that had suffered a security compromise at some point. The new version, however, may treat the DESV requirements more seriously.
In light of the new changes, companies must start preparing to comply with PCI DSS 4.0. While the compliance mandate is still a good two years away, it’s never too early to begin preparing for the change. Below are some steps to help you start your PCI DSS v4.0 journey.
Having a dedicated team to identify and implement the new requirements is a good idea. Once implemented, PCI DSS 4.0 will further strengthen cardholder data security against a range of existing and emerging threats.
The 6clicks platform provides an automated solution to comply with the PCI DSS standard. To know more, visit our PCI DSS compliance page.