Payment card industry members can still conduct security assessments to PCI DSS 3.2.1, provided the assessments are completed by March 31, 2024
The legacy PCI Data Security Standard, v3.2.1, will be officially retired on March 31, 2024. If you are currently engaged in a security assessment in this legacy environment, you will need to complete that assessment by March 31, 2024.
If you have an assessment due in the next 12 months, you still have time to assess to v3.2.1 by March 31, 2024 to meet that obligation. The advantage of this strategy is that it completes your annual assessment for 2024 and, in doing so, buys you a full year to implement the new requirements of PCI DSS 4.0: v4.0 becomes the only active version of the standard on April 1, 2024, and its future-dated requirements must be in place by March 31, 2025.
The payment card industry requires a compliance assessment every year. It also requires quarterly vulnerability scans (at least once every 90 days) of in-scope systems, with external scans performed by an Approved Scanning Vendor (ASV); which scan and testing requirements apply to a given organization depends on its merchant or service-provider level and validation type. Annual security assessments enable merchants, card processors, and third-party service providers to demonstrate their compliance by documenting that they have implemented the security requirements that apply to them.
Why You Need to Decide Now
The PCI DSS 3.2.1 assessment strategy outlined above is valid, smart, and realistic, provided you get started now and engage professional assistance.
Conducting one final assessment to v3.2.1 will take much less time than performing your first assessment to v4.0 because you have been assessing to v3.2.1 and complying with its requirements since the PCI Security Standards Council published it in 2018, nearly six years ago.
Conducting one more assessment against v3.2.1 will give you the necessary advantages of convenience and speed. And to ensure you meet the March 31, 2024 deadline for this assessment, engage qualified professional assistance as soon as possible.
Six Reasons to Engage a Qualified Security Assessor ASAP
Qualified Security Assessors (QSAs) are specifically authorized by the PCI Security Standards Council to conduct security assessments for industry members, and can also guide you through whichever Self-Assessment Questionnaire (SAQ) applies to your organization, if self-assessment is an option for you. Engaging professional assistance will keep your v3.2.1 security assessment focused, on track, and moving forward briskly.
Your QSA will bring high value to the assessment in several key ways:
Documentation: Specific procedures and forms are required in conducting and documenting your assessment, and QSAs are authorized to execute these procedures and forms.
Management Support. An experienced QSA can assist you in obtaining support for the security assessment from your management team.
Instilling Urgency. By developing a sense of urgency within your organization, a QSA can help to smooth the assessment path and resolve any obstacles that could interfere with successful completion.
Laser Focus. An experienced QSA will remain focused on the March 31, 2024 assessment deadline, and will not be influenced by internal or external distractions.
Complete Assistance. QSAs will be able to conduct all of the required assessment activities. They can also assist with remediation of compliance gaps, and validate your PCI DSS compliance once all requirements are met.
Final Reports. Your QSA can help prepare the Report on Compliance (ROC) and the Attestation of Compliance (AOC) to complete your annual security assessment, and guide you in submitting the forms.
For your convenience, the PCI website provides a current list of Qualified Security Assessors. 24By7Security is one of them, and as an experienced QSA we can readily assist you with all activities required by your v3.2.1 assessment. We are also a Qualified Security Assessor for PCI DSS 4.0. In this PCI DSS compliance countdown, you should be reaching out to engage a QSA now.
Five Steps to be Completed by March 31, 2024
There are five essential steps in your v3.2.1 assessment, and this step-by-step process needs to be commenced as soon as possible in order to meet the March 31, 2024 deadline for completion.
Step 1: Your Qualified Security Assessor will conduct your security assessment against the requirements of v3.2.1, which has been the standard since 2018 and will be retired on March 31, 2024. Since your organization should have been in full compliance with v3.2.1 at the time of the previous assessment, current areas of non-compliance should be easy to identify.
Step 2: Your QSA will complete a Report on Compliance (ROC) summarizing the assessment. Findings identified in the ROC will include areas where you have slipped out of compliance with v3.2.1, and where remediation is required to achieve compliance. Typically, remediation must occur prior to completion of the AOC in Step 3.
Step 3: As the QSA client, you will sign the Attestation of Compliance (AOC), which your QSA also signs, in which you attest that the completed ROC is valid and that your organization is back in compliance with v3.2.1. In order to make such an attestation, any gaps in compliance will need to have been resolved at this point.
Step 4: The signed ROC and AOC will then be submitted for review. Merchants submit to their acquiring bank; service providers generally submit to the payment brands or to their customers, as instructed.
Step 5: Assuming the bank accepts your documentation, it will report your compliance status, and forward any documentation requested, to the payment brands whose cards you accept (e.g., American Express, Discover, JCB, Mastercard, and Visa).
After you’ve met the March 31, 2024 deadline, your organization will continue to conduct business as usual until you hear back from your merchant bank or payment card brand(s) with any requests for action, such as additional remediation activities.
What Happens After March 31, 2024
Under the standard, you will need to adopt the v4.0 requirements prior to your first v4.0 security assessment. PCI DSS 4.0 introduces 64 new requirements: 13 of them apply to every v4.0 assessment from the start, and the remaining 51 are future-dated, treated as best practice until they become mandatory on March 31, 2025.
Although the deadline for compliance with PCI DSS 4.0 is currently 15 months away, this is actually not much time to complete (1) implementation of the 64 new security requirements, and (2) your first security assessment against v4.0.
The fact is that more than a year has elapsed since v4.0 was released in March of 2022. Since that time, forward-thinking merchants, third-party service providers, and card payment processors have begun their preparations to adopt the new requirements within their organizations.
Security assessments and self-assessments that are already in progress against PCI DSS 3.2.1 will need to be completed by March 31, 2024. And if you are currently due for an annual assessment, it is not too late to conduct a v3.2.1 assessment, provided you act now. Only three months remain, and the clock is ticking loudly in this compliance countdown.
Qualified Security Assessors, such as 24By7Security, are authorized to assist merchants, third-party service providers, and card payment processors in successfully completing their final v3.2.1 security assessments as well as their upcoming v4.0 assessments. QSAs can also help you determine which of the new requirements of v4.0 apply to your particular organization, and then assist you in prioritizing and implementing them.