There’s a brand new version of PCI DSS (Payment Card Industry Data Security Standard), released in March 2022 and bringing the standard to version 4.0. The latest version may or may not be on your radar; however, if you are a merchant or a service provider who handles payments and cardholder data, you need to begin planning your transition.

Though organisations can already attest to PCI DSS version 4.0, most will likely continue to maintain compliance with the previous version (3.2.1) until they are compelled to transition. This is tempting, given that version 3.2.1 will only be retired on 31 March 2024 and that organisations will have another year from then (until 31 March 2025) before they must implement the new requirements identified as best practices in version 4.0.

However, while avoiding the time spent implementing a new set of requirements might seem like a good idea, there are a number of reasons why organisations would be wise to get ahead of the curve and implement version 4.0 as soon as possible.


What’s new in PCI DSS version 4.0?

The new version of the standard makes a few key updates that those subject to PCI DSS would benefit from familiarising themselves with. In summary, these changes cover:

  • Increased security requirements, for example encompassing expanded multi-factor authentication;
  • Updated guidance on implementing security controls and procedures for identifying areas for improvement;
  • Support for the various ways organisations implement security, including setting procedures for risk analysis;
  • Enhancements to how organisations can demonstrate compliance;
  • A greater focus on cybersecurity activities, including more attention on encryption and network security; and
  • Increased frequency of security controls testing.

These changes will certainly require some effort from organisations to ensure they meet the new requirements. However, any short-term pain that comes with transitioning to version 4.0 will certainly be outweighed by the benefits of moving early.


A ‘better’ standard

The new standard has improved in many ways, which will ultimately help organisations become more resilient and protect card data more effectively. Requirements are better ordered, there are new ways to achieve compliance (for example through the customised approach), and technology-specific requirements have been made technology-agnostic.

One of the biggest changes brought in by version 4.0 is the introduction of a new customised validation approach, which allows companies to comply by showing that the intent of the requirement is met, without needing to provide an operational or technical justification. This approach will require more work than complying with all of the defined rules of PCI DSS, but it does allow for some additional flexibility that could appeal to mature organisations.

There is also a clearer way of recording the fact that a merchant or service provider was previously not meeting the standard’s requirements but has subsequently made corrections to ensure it is now compliant. This would apply, for example, if a company forgot to run a quarterly ASV (Approved Scanning Vendor) vulnerability scan.

In this instance, a company would need to show that the failure has been analysed and that a robust process has been put in place to address the issue. This should make for more straightforward conversations with Qualified Security Assessors (QSAs) in the event of an organisation failing to meet PCI DSS requirements.


Why get compliant now?

Moving to the new version sooner gives an organisation the chance to develop a clear plan and roadmap to achieve compliance. In my experience as a consultant on PCI DSS compliance, there are still major merchants and service providers who are not compliant with version 3.2.1. This should obviously never be the case; however, the introduction of a new version should serve as motivation to close any gaps in a company’s compliance programme.

The advent of version 4.0 is a perfect time for compliance teams to make it clear to management that board support for a push to compliance is as good for a currently compliant merchant as it is for a merchant who is in the risky position of not being compliant. The larger your organisation, the longer it will take to make the necessary changes to be ready for version 4.0, so avoiding a delay can only be seen as prudent.


Reducing the risk and impact of a breach

Finally, though there are new controls in the standard that are not going to be compulsory until the end of March 2025, every single new control improves a company’s security posture and makes a breach of the cardholder data it handles less likely.

Any merchant complying with the full version 4.0 standard, including the future-dated requirements, will have established that they are meeting the highest possible bar and will only improve their resilience to a breach.

As often happens in these cases, some merchants and service providers will continue attesting to version 3.2.1 up to the latest date possible. The problem with this approach is that waiting until 2025 opens your organisation up to considerable risk. For instance, though version 3.2.1 is only being retired in March 2024, a breach in April 2024 at an organisation that is not version 4.0 ready would (rightly) attract serious regulatory scrutiny.

If you are responsible for PCI DSS compliance in your organisation, we strongly recommend that you conduct a review of your current compliance and of the impact on it when you move to version 4.0. Then make sure you have a plan in place to meet any new compliance requirements. Be one of the first to meet all of the new requirements: time is of the essence.