Mike Killinger, GRC Solutions ConsultantBy Mike Killinger, GRC Solutions Consultant

As the world of digital payments evolves rapidly, staying ahead in terms of security standards is paramount for any business handling cardholder data. The introduction of PCI DSS 4.0 brings significant updates and enhancements aimed at strengthening payment security and overall cybersecurity in an increasingly complex cyber landscape.

In this blog, we’ll dive deep into what these changes mean for your business, how they differ from the previous version 3.2.1, and most importantly, provide you with a step-by-step strategy to ensure a smooth and successful transition to PCI DSS 4.0. Whether you’re a small retailer or a large financial institution, understanding and preparing for these updates is crucial in maintaining compliance, securing customer data, and fostering trust in your payment systems through adequate security controls. Let’s get started on this journey towards a more secure and compliant future in the world of payments.

What’s new in PCI DSS 4.0?

PCI DSS 4.0, Payment Card Industry Data Security Standard, introduces several significant changes to address current technologies and threats and conduct risk analysis:

  1. Revised Authentication Requirements: There’s an expansion in the use of Multi-Factor Authentication (MFA) and an increase in the minimum password length to 12 characters.
  2. Extended Scope: The scope now includes network security concerns such as mobile, Internet of Things (IoT), and cloud environments.
  3. Addressing Modern Threats: New requirements specifically target phishing, social engineering, and evolving attacks against e-commerce payment applications.
  4. Customized Approach Option: Businesses can now develop a customized approach to meet standard requirements, beneficial for large enterprises using new technologies not covered by the traditional method.
  5. Emphasis on Roles, Responsibilities, and Documentation: Enhanced reporting requirements and more emphasis on documentation from service providers than in the previous standard.

What will be the PCI DSS 4.0 transition timeline?

The transition to PCI DSS 4.0 involves several key phases:

 Stakeholder Preview (Q1 2022): A preview was provided to stakeholders to prepare and give feedback.

 Official Release (Q2 2022): The official release of PCI DSS v4.0, accompanied by validation documents.

Training and Support (Q3-Q4 2022): Rollout of ISA/QSA training and supporting documents.

Transition Period Begins (2023): A period for businesses to adapt to and test the new requirements.

Phase-Out of PCI DSS v3.2.1 (31 March 2024): All validations must adhere to the new version 4.0 requirements from this date.

Future-Dated New Requirements Effective (31 March 2025): A year-long period before the future-dated new requirements, designated as “best practices” until this date, become effective​.

Implementation Deadlines

First Deadline (31 March 2024): 13 of the 63 new requirements, generally requiring low effort, must be met.

 Second Deadline (31 March 2025): The remaining 50 requirements, with some considered high effort and possibly requiring up to a year to implement, become enforceable​.

This transition timeline and the phased introduction of new requirements aim to give businesses sufficient time to adapt and ensure compliance with the evolving standards.

What does PCI DSS 4.0 mean for you?

The introduction of PCI DSS 4.0 represents a significant shift in the standards governing payment card security. For most organizations, adapting to this new version will likely uncover some gaps in their current compliance programs. These gaps need to be addressed promptly to ensure continued adherence to the PCI DSS requirements. While the PCI Security Standards Council provides a transition period to migrate from version 3.2.1 to 4.0, it’s essential to approach this change proactively.

Our role in this transition is to assist in streamlining and simplifying the process for your organization. We understand that adapting to new standards can be challenging, and our goal is to make this transition as seamless as possible. We offer comprehensive support to identify the areas in your compliance framework that require updates, provide guidance on implementing the new requirements of PCI DSS 4.0, and ensure that your payment security measures are not only compliant but also robust and future-proof.

With PCI DSS 4.0, the focus is on enhancing security measures and adapting to the evolving threats in the digital payment landscape. By partnering with us, you can be assured of a smooth transition to these new standards, ensuring that your business continues to protect cardholder data effectively and maintain the trust of your customers and stakeholders.

What are the requirements for PCI DSS Level 4?

PCI DSS Level 4 applies to merchants who process a smaller volume of credit card transactions annually. The exact number of transactions that categorize a merchant as Level 4 may vary depending on the card brand (Visa, MasterCard, American Express, Discover, JCB). Generally, Level 4 merchants are those who process fewer than 20,000 e-commerce transactions or up to 1 million total transactions per year.

The requirements for PCI DSS Level 4 are similar to those for other levels, but the assessment and validation process can be less rigorous, reflecting the lower risk associated with smaller transaction volumes. Key requirements include:

  1.     Adhering to the PCI DSS Standards: Level 4 merchants must comply with all the requirements of the PCI DSS, which includes implementing security measures like maintaining a secure network, protecting cardholder data, maintaining a vulnerability management program, implementing strong access control measures, regularly monitoring and testing networks, and maintaining an information security policy.
  2.     Self-Assessment Questionnaire (SAQ): Most Level 4 merchants are eligible to complete a Self-Assessment Questionnaire (SAQ) to validate compliance. The specific SAQ form depends on how the merchant processes card data. For example, merchants who process transactions entirely through third-party vendors may have different requirements than those who process transactions in-house.
  3.     Quarterly Network Scans: If applicable, Level 4 merchants may be required to have quarterly external vulnerability scans performed by an Approved Scanning Vendor (ASV).
  4.     Annual Attestation of Compliance: Merchants need to submit an attestation of compliance (AOC) annually, usually along with their completed SAQ, to their acquiring bank or card brands they do business with.
  5.     Incident Response Plan: Having a plan in place for responding to a security incident is also a key requirement. This plan should include steps for containment, eradication, and recovery in the event of a data breach.

It’s important for Level 4 merchants to understand that even though they process fewer transactions, they are still at risk for data breaches and must take PCI DSS compliance seriously to protect their customers’ cardholder data and their own business reputation.

Identifying Gaps in PCI DSS Compliance Program

If you currently have PCI DSS 3.2.1 loaded as a program in your Reciprocity ® ZenGRC ® instance, we can work with you to load a new PCI DSS 4.0 program (when released, of course) and map the controls, thus easily identifying where you may have control gaps.

Addressing Gaps in PCI DSS Compliance Program

After we identify the gaps, we can work together to create an audit and develop a plan to remediate any issues which were identified by the audit.

1) If you are ready to begin a new complete audit of your in-scope PCI DSS controls we can assist in creating that audit utilizing your new PCI DSS 4.0 program and creating a seamless transition to the new release.

2) If you are not ready to create a new audit, we can work with you to build an audit to test the new PCI 4.0 controls and get a jump start on meeting the new PCI 4.0 requirements.

What Can I Do Now to Prepare for a PCI DSS 4.0 Audit?

Keep checking back with us here at Reciprocity as we’ll post more when we know more. If you have questions regarding your PCI DSS program and the migration from PCI DSS 3.2.1 to PCI DSS 4.0, contact us and schedule some time to talk through the process with one of our GRC Experts. You can also keep up to date on PCI information via the PCI web page: https://www.pcisecuritystandards.org/

ZenGRC is Your Solution for Maintaining PCI Compliance

In the intricate landscape of PCI compliance, ZenGRC stands out as an optimal solution for businesses seeking to navigate and maintain these critical standards. Tailored to streamline the compliance process, ZenGRC offers a comprehensive suite of tools that simplify the complexities associated with adhering to PCI DSS requirements. Whether you’re a small retailer or a large-scale e-commerce platform, ZenGRC’s user-friendly dashboard provides a clear overview of your compliance status, highlighting areas that need attention and guiding you through the necessary steps to achieve and maintain compliance. Its automated workflows reduce the manual burden of compliance tasks, ensuring accuracy and efficiency.

With ZenGRC, you can easily manage and track compliance across all levels of PCI DSS, from conducting self-assessment questionnaires to scheduling regular vulnerability scans and maintaining an incident response plan. Furthermore, ZenGRC’s robust reporting capabilities enable you to demonstrate compliance to stakeholders and auditors effortlessly. By choosing ZenGRC, you’re not just adopting a tool; you’re embracing a partner that supports your journey towards a secure, compliant, and trustworthy business environment.

Start Closing Control Gaps, Not Just Finding Them

Get a Demo