With v3.2.1 being retired on March 31, 2024, Payment Card Industry members have four months to complete assessments already in progress
Key Deadlines are Looming
The newest version of the PCI Data Security Standard, PCI DSS v4.0, was released more than a year ago, on March 31, 2022. It introduces 64 new requirements. Thirteen of them apply to every assessment performed against v4.0; the remaining 51 are future-dated, treated as best practices until March 31, 2025, and mandatory after that date. This timeline gives payment card industry members three full years to implement the future-dated requirements, so there is no excuse for failing to comply with v4.0 by March 31, 2025. Members of the industry should already be well on their way toward incorporating this upgrade in their organizations.
The previous PCI Data Security Standard (version 3.2.1) will be officially retired in less than four months—on March 31, 2024. If you are currently engaged in a security assessment against v3.2.1, you will need to complete that assessment by March 31, 2024.
Note: If you are not so engaged, you will need to embrace the v4.0 requirements prior to your next annual assessment, since after March 31, 2024, assessments can only be performed against PCI DSS 4.0.
Reason for the Upgrade to PCI DSS 4.0
The use of credit, debit, and other payment cards, and the value of payment card transactions, continue to set records every year as consumers worldwide use their cards to acquire goods and pay for services. The number of card transactions worldwide reached a record 625 billion in 2022, up 7.5% over 2021, according to Statista.
With this unprecedented use, personally identifiable information and payment card data are at greater risk than ever before. The resulting data breaches have generated unfavorable press for hospitality giants like MGM Resorts, Marriott Hotels, and Carnival Corporation, and have also plagued smaller organizations.
To stay ahead of increased risks as well as new and emerging threats, the Payment Card Industry updates its Data Security Standard periodically. Most recently, v4.0 adds more than 60 new, more stringent security requirements, making PCI DSS 4.0 the latest and most comprehensive version of the framework for keeping cardholder data safe and secure.
Compliance is not an option, and the deadline for compliance with v4.0 is looming for merchants, third-party service providers, and card payment processors alike.
Overview of Annual Security Assessment
Regular security assessments enable payment card industry members to demonstrate that they have implemented the security requirements that apply to them. Most industries with robust security requirements mandate that their members prove compliance on a regular basis. The frequency of security assessments varies from one industry to the next; the payment card industry requires annual assessments.
Depending on several factors, assessments may have to be conducted by third-party Qualified Security Assessors, or self-assessments may be permitted. Qualified Security Assessors are specifically authorized by the Payment Card Industry Security Standards Council to conduct assessments for their members.
Regardless of whether third-party assessment or self-assessment is applicable, specific procedures and forms must be used to conduct and document each annual assessment.
The Report on Compliance (ROC) documents the security posture, environment, systems, and cardholder data protection measures in place at a merchant organization. Level 1 merchants (i.e., those processing more than six million Visa or Mastercard transactions per year) must have a Report on Compliance completed by their QSA. Every level also submits an Attestation of Compliance (AOC). Examples of documentation requirements by merchant level include:
- Level 1 Merchants – ROC, AOC, and Quarterly External Vulnerability Scans
- Level 2 Merchants – ROC or appropriate SAQ (depending on card brand requirements), AOC, and Quarterly External Vulnerability Scans
- Level 3 Merchants – Appropriate SAQ, AOC, and Quarterly External Vulnerability Scans
Merchant Applicability. According to the PCI DSS website, “PCI DSS is intended for all entities involved in payment processing, including merchants, regardless of their size or transaction volume. When compared with larger merchants, small merchants often have simpler environments, with limited amounts of cardholder data and fewer systems that need protection, which can help reduce their PCI DSS compliance effort.
Whether a small merchant is required to validate compliance is determined by the individual payment brands. For questions regarding compliance validation and reporting requirements, merchants should contact their acquirer (merchant bank) or their payment brand.”
Completing Your PCI DSS 3.2.1 Assessment with a Qualified Security Assessor
Qualified Security Assessors (QSAs) are authorized by the PCI Security Standards Council to assist industry members with their annual security assessments, including self-assessments where applicable.
24By7Security is a QSA for version 3.2.1 (as well as v4.0) of the PCI Data Security Standard, and can assist members of the payment card industry with the following assessment activities:
- Review of cardholder data storage locations and formats
- Review of access controls
- Preparation of Self-Assessment Questionnaire, as appropriate
- Assisting toward PCI DSS compliance through the Prioritized Approach Tool, if applicable
- Review of existing agreements, documentation, and operating policies and procedures
- Developing compliant policies and procedures for payment cards, as needed
- Conducting network vulnerability scans, as required
- Recommending improvements to the payment card process
- Providing security awareness training with specific emphasis on data privacy and management of cardholder data
- Training developers in secure programming techniques
- Assisting with remediation of compliance gaps
- Providing validation of PCI DSS compliance once all requirements are met
- Assisting with the preparation of the Report on Compliance (ROC) and the Attestation of Compliance (AOC), as required to complete the annual security assessment.
Qualified Security Assessors are able to assist merchants, third-party service providers, and card payment processors in successfully completing these and other tasks required for PCI DSS 3.2.1 compliance.
Completing Your PCI DSS 3.2.1 Self-Assessment
The PCI Security Standards Council has made eight self-assessment options available for PCI DSS 3.2.1 through the use of various Self-Assessment Questionnaires, or SAQs. The eight SAQ forms, and the merchants they are intended for, are:
- SAQ A – Card-not-present merchants that fully outsource all cardholder data functions to PCI DSS validated third parties
- SAQ A-EP – E-commerce merchants that outsource payment processing but whose website affects the security of the payment transaction
- SAQ B – Merchants using only imprint machines or standalone dial-out terminals, with no electronic cardholder data storage
- SAQ B-IP – Merchants using standalone, PTS-approved payment terminals with an IP connection to the payment processor, with no electronic cardholder data storage
- SAQ C – Merchants with payment application systems connected to the internet, with no electronic cardholder data storage
- SAQ C-VT – Merchants that manually key one transaction at a time into a virtual payment terminal provided by a PCI DSS validated third party, with no electronic cardholder data storage
- SAQ D – All other merchants not eligible for the SAQs above, and all service providers eligible to self-assess
- SAQ P2PE – Merchants using only hardware payment terminals that are part of a PCI SSC-listed, validated P2PE solution, with no electronic cardholder data storage
Selecting the appropriate form for your organization depends on several eligibility criteria, as described on the PCI DSS website.
Each of the eight Self-Assessment Questionnaires has its own set of instructions, but a few steps are common to all of them. To illustrate the essential steps of a self-assessment, the instructions below are taken from SAQ A.
- Confirm that your environment is properly scoped and that it meets the eligibility criteria for the SAQ you are using.
- Assess your environment for compliance with the applicable PCI DSS requirements for that SAQ.
- Complete all sections of the SAQ document, including:
  - Section 1 (Parts 1 & 2) – Assessment Information and Executive Summary
  - Section 2 – Self-Assessment Questionnaire
  - Section 3 (Parts 3 & 4) – Validation and Attestation Details, and Action Plan for Non-Compliant Requirements (if applicable)
- Submit the completed Self-Assessment Questionnaire and Attestation of Compliance, along with any other requested documentation, to your merchant bank or payment card brand in accordance with their specific instructions.
Any merchants, processors, and third-party service providers who have a security assessment or self-assessment in progress against PCI DSS 3.2.1 should be taking specific actions now to complete those assessments by March 31, 2024. After this date, all annual assessments will be required to comply with v4.0 of the PCI DSS.
Professional assistance is available from Qualified Security Assessors authorized by the PCI Security Standards Council. QSAs are able to assist merchants, third-party service providers, and card payment processors in completing the activities required for the final security assessment to PCI DSS 3.2.1 requirements. Contact an assessor immediately to help you meet the deadline.
The most current version of the PCI Data Security Standard, v4.0, introduced significant and extensive updates to the standard’s requirements, as well as the forms and reports used to assess and validate compliance. Watch this blog for additional information and regular updates on PCI DSS 4.0 and its impact on annual security assessments.