The newest version of the PCI Data Security Standard, PCI DSS v4.0, was released more than a year ago, on March 31, 2022. Its new requirements number more than 60, the majority of which must be implemented by payment card industry members no later than March 31, 2025. This implementation timeline allows three full years to achieve compliance with the new requirements—so there is no excuse for failing to comply with v4.0 by March 31, 2025. In fact, members of the industry should already be well on their way toward incorporating this upgrade in their organizations.
The previous PCI Data Security Standard (version 3.2.1) will be officially retired in less than four months—on March 31, 2024. If you are currently engaged in a security assessment against v3.2.1, you will need to complete that assessment by March 31, 2024.
Note: If you are not so engaged, you will need to embrace the v4.0 requirements prior to your next annual assessment, since after March 31, 2024, assessments can only be performed against PCI DSS 4.0.
The use of credit, debit, and other payment cards, and the value of payment card transactions, continue to set records every year as consumers worldwide use their cards to acquire goods and pay for services. Card transactions reached a record $625 billion (USD) globally in 2022, up 7.5% over 2021, according to Statista.
With this unprecedented use, personally identifiable information and payment card data are at greater risk than ever before. The resulting data breaches have generated unfavorable press for hospitality giants like MGM Resorts, Marriott Hotels, and Carnival Corporation, and have also plagued smaller organizations.
To stay ahead of increased risks as well as new and emerging threats, the Payment Card Industry updates its Data Security Standard periodically. Most recently, v4.0 imposes more than 60 new, more stringent security requirements. The PCI DSS 4.0 is the latest, most comprehensive security framework to keep your data safe and secure.
Compliance is not an option, and the deadline for compliance with v4.0 is looming for merchants, third-party service providers, and card payment processors alike.
Regular security assessments enable payment card industry members to demonstrate their compliant implementation of the security requirements that apply to them. Every industry with robust security requirements (and that is most industries nowadays) mandates that its members prove compliance on a regular basis. The frequency of security assessments varies from one industry to the next; the payment card industry requires annual assessments.
Regardless of whether third-party assessment or self-assessment is applicable, specific procedures and forms must be used to conduct and document each annual assessment.
The Report on Compliance (ROC) outlines the security posture, environment, systems, and cardholder data protection measures in place at merchant organizations. Level 1 merchants (i.e., having more than six million transactions per year with Visa or Mastercard) must have a Report on Compliance from their QSA. Examples of other documentation requirements include:
Merchant Applicability. According to the PCI DSS website, “PCI DSS is intended for all entities involved in payment processing, including merchants, regardless of their size or transaction volume. When compared with larger merchants, small merchants often have simpler environments, with limited amounts of cardholder data and fewer systems that need protection, which can help reduce their PCI DSS compliance effort.
Whether a small merchant is required to validate compliance is determined by the individual payment brands. For questions regarding compliance validation and reporting requirements, merchants should contact their acquirer (merchant bank) or their payment brand.”
Qualified Security Assessors (QSAs) are authorized by the PCI Security Standards Council to assist industry members with their annual security assessments, including self-assessments where applicable.
24By7Security is a QSA for version 3.2.1 (as well as v4.0) of the PCI Data Security Standard, and can assist members of the payment card industry with the following assessment activities:
Qualified Security Assessors are able to assist merchants, third-party service providers, and card payment processors in successfully completing these and other tasks required for PCI DSS 3.2.1 compliance.
The PCI Security Standards Council has made eight self-assessment options available through the use of various Self-Assessment Questionnaires or SAQs. Following is a list of the eight SAQ forms. Selecting the appropriate form for your organization depends on several specifications, as described on the PCI DSS website and in this article on SAQs.
SAQ A
SAQ A-EP
SAQ B
SAQ B-IP
SAQ C
SAQ C-VT
SAQ P2PE
SAQ D
Each of the eight Self-Assessment Questionnaires has its own distinct set of instructions, although a few steps are common to all of them. To provide just one example of the essential steps of self-assessment, the instructions below are taken from SAQ A above.
Your merchant bank or payment card brand will review your documentation and will contact you if additional information is needed.
Any merchants, processors, and third-party service providers who have a security assessment or self-assessment in progress against PCI DSS 3.2.1 should be taking specific actions now to complete those assessments by March 31, 2024. After this date, all annual assessments will be required to comply with v4.0 of the PCI DSS.
Professional assistance is available from Qualified Security Assessors authorized by the PCI Security Standards Council. QSAs are able to assist merchants, third-party service providers, and card payment processors in completing the activities required for the final security assessment to PCI DSS 3.2.1 requirements. Contact an assessor immediately to help you meet the deadline.
The most current version of the PCI Data Security Standard, v4.0, introduced significant and extensive updates to the standard’s requirements, as well as the forms and reports used to assess and validate compliance. Watch this blog for additional information and regular updates on PCI DSS 4.0 and its impact on annual security assessments.