Changes are on their way to the Payment Card Industry (PCI). The latest version of the Data Security Standard, PCI DSS v4, is scheduled for release in Q1 2022. It marks a significant shift in security compliance, from a one-time event to an ongoing improvement process for securing payments. As the final release nears, organizations want to know the impact of the v4 standard on their current PCI DSS compliance and programs. So, here we describe how merchants and service providers should prepare themselves for the standard's evolution.
Timeline for PCI DSS V4.0
Everyone might be apprehensive, given the one-year transition time that came with previous version implementations. But PCI DSS v3.2.1 won't be retired any sooner than Q1 2024. That is good news for merchants and service providers: you will have plenty of time to transition from PCI DSS v3.2.1 to PCI DSS v4.0.
The v4 standard itself will most likely be published by March 2022. The public will not know what v4 contains until then. Qualified Security Assessors (PCI QSAs) and Approved Scanning Vendors (ASVs) will get a preview of v4 sooner, so the council has a chance to review the standard before its actual implementation.
Until then, all the information available about v4 is limited to what the council shares through its various channels. The future-dated requirements of the upcoming standard will not be enforced until Q1 2025, and many organizations are going to push this deadline to the absolute limit.
What do merchants need to know about PCI DSS v4.0?
Merchants may find the transition from PCI DSS v3.2.1 to v4 easy, because they have come a long way adhering to the previous standard's requirements. Similarly, with the advent of P2PE, E2EE, and tokenization solutions, many merchants no longer have Cardholder Data (CHD) or Sensitive Authentication Data (SAD) in their environments. For such merchants, the new version of PCI DSS will have only a small impact.
That is the case if the merchant previously opted for PCI DSS compliance services and removed SAD/CHD from its environment. What if the merchant environment still holds sensitive and critical information? That is where the PCI DSS v4 assessment requirements will hit hard. Any previous non-compliance will leave your business more exposed under the stricter standard. As a result, such merchants will need to transition to P2PE/E2EE and tokenization within the forthcoming period.
What do service providers need to know about PCI DSS v4.0?
Service providers are continuously involved in storing, processing, and transmitting cardholder information. They may feel at ease initially, as v4 will have minimal immediate impact. But it is the future-dated requirements that will have a tight grip on you.
The future-dated requirements of the PCI DSS v4 standard affect service providers according to their association with cardholder data and environments. Recall the two types of service providers: those that directly handle SAD/CHD, and those that affect the security of SAD/CHD. Service providers that merely influence the security of SAD/CHD are at lower risk than the ones directly handling it.
Previously, many of the service providers that affect the security of SAD/CHD have not assessed their PCI compliance. They also avoided delivering an Attestation of Compliance (AOC), which is clearly a requirement. The present situation requires every service provider to obtain the AOC and ensure compliance with the standard. Customers will now need their vendors to perform regular assessments on schedule without fail; if a vendor still lags behind, they won't hesitate to change vendors.
Service providers that directly interact with SAD/CHD will go through the changing phases of the standard. Most of the immediate requirements will be what you are already doing as part of ongoing compliance activities; the council has only changed the frequency at which you do it. The future-dated requirements will allow enough time for implementation, which is a good sign for you.
Areas likely to be affected by PCI DSS v4
Much stronger security requirements
Requirements will keep rising with changes in the payment industry. Security regulations will increase, and enterprises may need to build and improve their security posture beyond what is currently in place. Plan your IT budgets well ahead, as enhancing enterprise security will require increased capital.
Multi-factor authentication and encryption
Yes, this is where the standard is expected to fortify its security belt even further. Password requirements may follow NIST guidance, checking each password against blacklisted combinations and patterns. Similarly, multi-factor authentication is expected for each associated touchpoint. The new standard will also see stronger transaction authorization, such as the 3DS (3-D Secure) protocols. It also expects stronger encryption standards to shield against data theft and leakage.
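The password screening mentioned above, as an added example that is not part of the original post and not code from the PCI Security Standards Council. It is modelled on the NIST SP 800-63B memorized-secret guidance (reject values found on a list of commonly used, expected or compromised passwords, values containing context-specific words, and repetitive or sequential strings). The denylist is a small constructed sample, the minimum length of 8 is the NIST floor for user-chosen secrets, and the function names are this example's own.

```python
"""Screen a candidate password against a denylist and simple patterns.

Added example modelled on NIST SP 800-63B memorized-secret guidance.
The denylist below is a constructed sample; a real deployment would load
a large list of breached/common passwords from a file or service.
"""
import unicodedata

# Constructed sample denylist (lowercase, NFKC-normalized entries).
DENYLIST = {
    "password", "password1", "123456", "12345678", "qwerty", "letmein",
    "welcome1", "admin123", "iloveyou", "monkey",
}

MIN_LENGTH = 8  # NIST SP 800-63B minimum for user-chosen memorized secrets


def normalize(secret: str) -> str:
    """Unicode NFKC + lowercase so lookalike spellings match the denylist."""
    return unicodedata.normalize("NFKC", secret).strip().lower()


def has_repetition(s: str, run: int = 4) -> bool:
    """True if any single character repeats `run` or more times in a row."""
    count = 1
    for a, b in zip(s, s[1:]):
        count = count + 1 if a == b else 1
        if count >= run:
            return True
    return False


def has_sequence(s: str, run: int = 4) -> bool:
    """True if `run` consecutive code points step by +1 or -1 (abcd, 4321)."""
    for step in (1, -1):
        count = 1
        for a, b in zip(s, s[1:]):
            count = count + 1 if ord(b) - ord(a) == step else 1
            if count >= run:
                return True
    return False


def screen_password(candidate: str, context_words=()) -> list:
    """Return a list of rejection reasons; an empty list means accepted.

    `context_words` are service- or user-specific strings (company name,
    username) that must not appear inside the password.
    """
    reasons = []
    norm = normalize(candidate)
    if len(candidate) < MIN_LENGTH:
        reasons.append("too_short")
    if norm in DENYLIST:
        reasons.append("denylisted")
    for word in context_words:
        w = normalize(word)
        if len(w) >= 3 and w in norm:
            reasons.append(f"contains_context_word:{w}")
    if has_repetition(norm):
        reasons.append("repetitive")
    if has_sequence(norm):
        reasons.append("sequential")
    return reasons


if __name__ == "__main__":
    for pw in ("Password1", "Acme2022!!", "aaaa1234", "correct horse battery"):
        print(repr(pw), "->", screen_password(pw, context_words=["acme"]) or "accepted")
```

Normalizing before the lookup matters: fullwidth or mixed-case spellings of a denylisted word would otherwise slip past an exact-match check. A production check would also rate-limit attempts and compare against a far larger breached-password corpus, but the structure of the decision stays the same.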
Strong protection against malware
The new v4.0 version will have a deeper scope, extending beyond the card environment to the security requirements of the whole organization. The standard will add touchpoints and test points connected to data security and payment protection. The main motive is to push enterprises toward the understanding that PCI DSS is a continuous process and not confined to a single PCI DSS audit. Validation requirements will definitely rise considering the amount of data organizations handle these days. Hence, enterprises will need the best hands for PCI compliance services.
PCI DSS in 2022
Avoiding costly data breaches and protecting user data connected to the Payment Card Industry is the prime requirement of PCI DSS. The increased risks of both physical and network-based attacks have further fuelled the need. Hence, enterprises must maintain compliance each year with the requirements laid down by the Payment Card Industry. The new PCI DSS v4 will bring the latest and enhanced requirements for the security of the card data environment. As of now, we are in the initial review period and expect the release of the standard by the first quarter of 2022. Until then, let us stick to the best requirements and compliance needs without any compromises.