Background
The Payment Card Industry (PCI), as it’s known today, was created by five major credit card brands with the chartering of the PCI Security Standards Council (SSC). The council oversees the development of several security standards, all of which build on the common goal of protecting payment card data. The primary framework for organizations that transmit, process, or store cardholder data—either as a merchant or a service provider—is the PCI Data Security Standard (DSS).
The PCI DSS v4.0 is a significant upgrade from its predecessor, v3.2.1, which was released in 2018. The transition from v3.2.1 to v4.0 addresses the latest security challenges and incorporates modern best practices to protect payment card data in an environment where risk is rising daily. According to the 2022 Verizon Payment Security Report, fewer than half of organizations surveyed maintain sustainable control environments around cardholder data. Given that v4.0 of the framework introduces new and enhanced security practices, as well as new reporting formats, organizations need to invest sufficient time and resources to update their compliance programs. Failure to incorporate new requirements could impair compliant PCI reporting, and attempting to address v4.0 requirements during a PCI assessment is unlikely to lead to compliance issues.
Dates to Know
The updated requirements are available now and will begin going into effect in a staggered approach, starting April 1, 2024.
March 31, 2024 – the PCI DSS v3.2.1 is officially retired and no longer used for assessments by the PCI.
April 1, 2024 – a set of the new practice requirements becomes mandatory and must be assessed as part of any PCI DSS compliance assessment. This includes:
- Defining and documenting roles and responsibilities for all PCI DSS activities
- Fully defined and documented PCI scope definition
The new v4.0 Report on Compliance (ROC) and Self-Assessment Questionnaires (SAQs) must be used, as well.
April 1, 2025 – all new requirements under PCI DSS v4.0 become mandatory. This grants entities a year from the retirement of v3.2.1 to transition to heightened security measures.
Effective Compliance
With the transition to PCI DSS v4.0, effective compliance with all the updated provisions is of the utmost importance. To comply with all the provisions, it is critical to define and document accurate and effective scoping, assign responsibility for PCI governance within your organization, and invest in the right tools and technologies. Implementing Business as Usual (BAU) controls and ongoing management overseeing these changes is also imperative.
Finally, the integration of governance, risk management, compliance systems, and continuous audit processes, along with the other methods, can help set an organization up for success in complying with PCI DSS v4.0.
Breaking Down v4.0 of the Data Security Standard
In a previous article titled, “Top 10 Changes Coming to PCI Compliance in DSS v4.0,” we discussed the most important changes to be implemented by the March 31, 2025 deadline.
Below you will find a downloadable checklist outlining some of the most important changes that you will need to incorporate through that time. The tool can be used to help prioritize critical compliance tasks through your transition period.
How FORVIS Can Help
FORVIS is a PCI Qualified Security Assessor Company (QSAC) and provides assessment and advisory services for merchants and service providers of various sizes across the country. Our professionals work with clients to help build and adapt risk management capabilities and PCI compliance programs in times of significant growth and regulatory change.
FORVIS recommends all organizations that must maintain PCI compliance immediately begin working with a QSAC to help prepare for the v4.0. If you would like more information about PCI DSS v4.0 or other PCI-related topics, reach out to a professional at FORVIS.
Unlock FORVIS’ PCI DSS v4.0 Checklist
Download this checklist to help you prioritize critical compliance tasks through your transition period.