Every business that accepts card payments must follow the security requirements set by the PCI Security Standards Council, an industry group led by card brand representatives from major markets around the world. The PCI-DSS (Data Security Standard) is designed to protect cardholder data and make payment security more effective and adaptable. Compliance also shields businesses from some liability related to card fraud. The most recent PCI-DSS update, v4.0, was released in early 2022 with a two-year transition period to give organizations time to learn about and implement the new version of the standard. In the meantime, companies have been free to continue using v3.2.1 while they get up to speed on v4.0.
However, the end of the two-year window is approaching. In March 2024, v3.2.1 will be retired and organizations must use v4.0 to maintain their security status, liability protection for card payments and their relationships with acquiring banks, which enforce the standard.
PCI compliance is critical for businesses to function, but not every business faces the same scope of PCI requirements. For example, small retailers with few card transactions may have minimal PCI requirements for their own operations if they use a payments vendor that is itself PCI compliant. Larger retailers may also be able to reduce part of their compliance scope by working with compliant payment vendors. However, businesses that fall out of compliance with their scope of PCI requirements can face penalties of up to several thousand dollars per month, plus additional per-customer fines if there’s a data breach, so knowing your brand’s specific requirements and complying with them is important.
Here’s what all organizations that take payments online need to know about what’s different in PCI-DSS 4.0 and how to begin or accelerate their move to v4.0 compliance.
What’s New in PCI-DSS 4.0
The new version makes updates in four key areas related to PCI-DSS goals.
Meet evolving payments industry security needs. Before the 2022 release of v4.0, the PCI-DSS hadn’t been updated for several years. During that time, payments underwent major changes due to the pandemic and rising consumer expectations for convenience. The new standard addresses these changes with new requirements, including:
- Businesses must implement secure multifactor authentication for all accounts that access the cardholder data environment (CDE). Note that this is an internal security requirement, not a customer-facing one. This requirement is evolving and may change after March 2025.
- System passwords must contain at least 12 characters, up from a minimum of seven. As with the MFA requirement, the password requirement applies to employees and service providers who have access to the CDE. Passwords cannot be hard-coded into “files or scripts for any application and system accounts that can be used for interactive login.”
- Employees must be protected against phishing through practices such as security awareness training that covers social engineering and other phishing techniques.
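As an added example that is not part of this article or of any PCI SSC material, the following Python audit applies the two password rules above to a constructed deployment script: it flags credential-looking keys that are assigned a literal value, skips values that only reference an environment variable or secret store, and reports whether each literal meets the 12-character minimum. The key names it looks for, the reference patterns it treats as safe, and the sample script are all assumptions of the example.

```python
import re

# Minimum password length for accounts with access to the CDE under PCI-DSS v4.0 (up from 7)
MIN_PASSWORD_LENGTH = 12

# A credential-looking key (DB_PASSWORD, api_key, client_secret, ...) assigned a value with
# "=" or ":", as written in shell scripts, .env files, YAML and INI. The key must END with the
# credential word so that a line such as "token_ttl=3600" is not reported.
ASSIGNMENT = re.compile(
    r"\b(?P<key>\w*(?:password|passwd|secret|api_?key|token))\s*[:=]\s*['\"]?(?P<value>[^'\"\s#]+)",
    re.IGNORECASE,
)

# Values that reference a secret store or placeholder rather than embed a literal:
# $VAR / ${VAR} (shell), %VAR% (Windows), os.environ / os.getenv (Python), <placeholder>,
# {{ template }} and masked values such as ********. (Assumed list for this example.)
REFERENCE_VALUE = re.compile(r"^(\$|%|os\.(environ|getenv)|<|\{\{|\*+$)")


def find_hardcoded_credentials(lines):
    """Return one finding per line that assigns a literal credential value.

    Each finding is (line_number, key, value_length, meets_min_length).
    """
    findings = []
    for lineno, line in enumerate(lines, start=1):
        stripped = line.strip()
        # Skip comment lines so commented-out documentation is not reported
        if stripped.startswith(("#", "//", ";")):
            continue
        m = ASSIGNMENT.search(line)
        if m is None:
            continue
        value = m.group("value")
        if REFERENCE_VALUE.match(value):
            continue  # read from the environment, a vault or a template: not hard-coded
        findings.append(
            (lineno, m.group("key"), len(value), len(value) >= MIN_PASSWORD_LENGTH)
        )
    return findings


# Constructed sample: a deployment script mixing good and bad practice
SAMPLE_SCRIPT = """\
#!/bin/sh
# constructed sample for the audit above
DB_PASSWORD="Hunter2"                     # literal, and shorter than 12 characters
export API_TOKEN=$VAULT_API_TOKEN         # injected at runtime: fine
SMTP_PASSWORD="correct-horse-battery"     # literal: must move to a vault
token_ttl=3600                            # not a credential
# password="old-value"                    # commented out, skipped
""".splitlines()


if __name__ == "__main__":
    for lineno, key, length, ok in find_hardcoded_credentials(SAMPLE_SCRIPT):
        note = "" if ok else f" (also below the {MIN_PASSWORD_LENGTH}-character minimum)"
        print(f"line {lineno}: {key} is hard-coded{note}")
```

Run over the sample, the audit reports DB_PASSWORD on line 3 (hard-coded and only 7 characters) and SMTP_PASSWORD on line 5 (hard-coded, length acceptable), while the vault-injected API token and the unrelated token_ttl setting are left alone. A pattern match like this is a starting point for a pre-commit or CI check; it does not replace moving the secrets into a store the script reads at runtime.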
Treat security as a continuous process. Threats are always evolving, and when one strategy fails, criminals will adopt another. Continuous security processes help retailers and banks avoid falling into a reactive posture by keeping pace with and staying ahead of threats. The main new requirement in this area is the clarification of security roles within the business. Roles and responsibilities for compliance with each PCI-DSS requirement must be “documented, assigned, and understood.”
More flexibility in setting security controls. Companies can still follow the processes defined by PCI, but they will have more freedom to customize their controls if they’re willing and able to meet development, monitoring and analysis requirements for their customizations. Those using bespoke and custom software must keep an updated inventory.
Enhanced validation practices. Before v4.0, PCI-DSS expected businesses to scope their level of responsibility every year with a self-assessment questionnaire to determine which PCI requirements they needed to follow. Now, an assessor will need to review those annual scoping results.
All of the changes and clarifications in the latest version and a summary checklist of new requirements are available in the PCI’s Summary of Changes document.
Working Toward PCI-DSS 4.0 Implementation
If you are already compliant with PCI-DSS 3.2.1, you’ll need to make the required changes to meet v4.0 standards by March 2024. If your company is just starting out, you can begin with v4.0 requirements. However, the full requirements document totals 360 pages, which may be more information than a small company or a one-person IT team can effectively process.
To help businesses avoid information overload, PCI has developed what it calls the Prioritized Approach: essentially a list of six milestones organizations should reach to become compliant. The milestones are all based on common-sense security best practices, such as not storing authentication data, limiting the retention of cardholder data, protecting internal systems and data, preparing a breach response plan, and continuously monitoring and updating compliance efforts. PCI’s Prioritized Approach document summarizes these milestones and includes a checklist of requirements for each one, written in clear, non-technical language.
As you work through the checklist and identify areas where your business needs to make changes, think about the communication, champions and management that will be required to make those adjustments stick. The PCI-DSS update is a good time to evaluate your company’s security culture and to make changes that strengthen it going forward. Identifying areas for improvement, deciding how best to implement them, and communicating any structural or cultural changes effectively to your staff are good exercises both for attaining PCI compliance and for making your company’s data and systems more secure overall.