Members of the payment card industry, including merchants who accept payment cards, are required to upgrade to v4.0 of the PCI Data Security Standard.
Payment card use continues to set records each year, and 2022 is no exception as American consumers and their counterparts worldwide used their payment cards to acquire goods and pay for services.
In 2022, global card transactions reached a record $625 billion (USD), up 7.5% over 2021, according to Statista. Statista tracks volumes, trends, and other statistics across a variety of industries, including payment card transaction volumes.
The Nilson Report also tracks payment card industry data, and its latest report indicates that the purchase of goods and services using credit, debit, and prepaid cards reached a record $40.6 trillion (USD) in 2022, up 4.4% over 2021. These volumes are significantly higher because they include credit card cash advances and debit card withdrawals worldwide.
With consumers using their payment cards in unprecedented fashion, sensitive data and personally identifiable information are flying around the internet in record volumes. Hackers and other cybercriminals are watching eagerly—and in many cases doing more than just watching. Data breaches that compromised card data and personal information have created unwelcome headlines for MGM Resorts, Marriott Hotels, and Carnival Corporation, to name a few. That is why the Payment Card Industry recently upgraded the Data Security Standard with extensive new security requirements.
PCI DSS 4.0 Compliance Timeline
The new PCI DSS 4.0 version was released just over a year ago, on March 31, 2022. It must be fully adopted by payment card industry members no later than March 31, 2025. Until that date, aside from the 13 requirements designated for immediate adoption, the remainder of the new v4.0 requirements are to be treated as best practices.
The previous PCI DSS (version 3.2.1) will be officially retired next spring, on March 31, 2024. This timeline provides plenty of time for organizations that are currently assessing their security against the v3.2.1 requirements to complete those assessments and submit the necessary documentation.
The overall implementation timeline allows three years from the date of the v4.0 release, so there is no excuse for failing to comply with v4.0 by March 31, 2025. Members of the industry should already be well on their way toward incorporating that upgrade.
The Ugly Truth About PCI DSS Compliance
With every transaction, our names, credit and debit card numbers, expiration dates, security codes, and other personal cardholder data are scanned and transmitted by electronic devices, web applications, and mobile apps that vary wildly in terms of technology and security.
The Payment Card Industry’s Data Security Standard, with its 12 security requirements based on six fundamental security principles, is designed to guide merchants, payment processors, and third-party service providers in maintaining security safeguards that effectively protect our payment card data during and after these transactions. Compliance with the PCI DSS significantly reduces vulnerabilities that present open doors for hackers.
The ugly truth about compliance, however, is that in Verizon’s ten years of investigating and reporting on PCI DSS compliance for its highly regarded annual Payment Security Report, the company has never encountered an organization that was fully compliant at the time it was breached. Similarly, a study by SecurityMetrics found that only 43% of PCI DSS requirements had been met when card data was breached.
The 2022 Data Breach Investigations Report, also published annually by Verizon, recorded 156 security incidents, at least 69 of which resulted in confirmed data disclosures. According to the report, the three leading sources of data breaches in the hospitality industry—where payment card use is ubiquitous—are email, web apps, and desktop sharing software. Together these account for 90% of all hospitality data breaches.
Security executives owe it to their customers to take PCI DSS compliance seriously. Directors, shareholders, and investors also have an enormous stake in the payment card industry and a vested interest in maintaining rigorous, compliant security. The Payment Card Industry Data Security Standard is the means to that end, and v4.0 is the latest, most comprehensive security framework.
Four Things You Must Do to Comply with PCI DSS 4.0
Four fundamental activities are essential for compliance with PCI DSS 4.0 in order to improve the security of payment account data and better protect your card-happy customers. These four steps are broad categorizations of what merchants need to do. We recommend that all merchants and assessors read the new standard in full and determine how best to comply with PCI DSS 4.0 for their particular situations.
- Assessment. This activity involves identifying the locations of all payment account data within your organization, as well as taking an inventory of all information technology assets and business processes associated with payment processing. It includes analyzing those processes and assets for vulnerabilities that could expose payment account data, and then implementing or updating all necessary controls. This step concludes with the completion of a formal PCI DSS 4.0 assessment.
- Remediation. This step includes identifying and addressing any gaps in your security controls, fixing all vulnerabilities that were identified during the assessment step, and implementing secure business processes. It also requires that you securely remove any payment data that is being stored unnecessarily or beyond its use.
- Reporting. Reporting involves documenting your assessment and remediation details and submitting a formal Report on Compliance to the compliance-accepting entity, which is typically your acquiring bank or payment card brand.
- Monitoring and Maintenance. Rather than being a final step, this ongoing activity includes (1) the constant monitoring of security controls and safeguards that have been put in place to secure payment account data and (2) maintaining those controls on an active and current basis.
PCI DSS 4.0 compliance is an ongoing process, and these steps must be repeated annually by merchants and other payment card industry members. Merchants who process more than six million transactions annually (Level 1 merchants) must engage a Qualified Security Assessor (QSA) to conduct their annual assessments and produce Reports on Compliance.
Level 2, 3, and 4 merchants are generally eligible to conduct annual self-assessments using a formal Self-Assessment Questionnaire. They must also complete an Attestation of Compliance testifying to the results of their assessment.
All merchants must submit quarterly external vulnerability scans performed by an Approved Scanning Vendor (ASV) to further demonstrate their compliance.
Next Steps in Adopting PCI DSS 4.0
The new requirements of PCI DSS 4.0 must be incorporated into all new assessments and related documentation. In its extensive Document Library, the PCI Security Standards Council has posted new templates for reports on compliance, self-assessment questionnaires, and attestations of compliance, along with a 492-page document that reflects all of the new requirements of PCI DSS 4.0 to enable thorough assessments to be conducted.
Qualified Security Assessors, including 24By7Security Inc., have been trained in the v4.0 update and are available to assist with assessments at any time. Be sure to contact a Qualified Security Assessor soon to schedule your assessment, as QSAs book up quickly. Organizations eligible for self-assessment should engage a professional cybersecurity and compliance firm, such as 24By7Security, for assistance in navigating the v4.0 changes. The longer you delay, the more likely you are to miss the compliance deadline.
The release of PCI DSS 4.0 in March 2022 introduced significant and extensive updates to the Data Security Standard, and to the forms and reports required to assess and validate compliance. The previous v3.2.1 will be officially retired in less than nine months, on March 31, 2024, and unless you are currently actively engaged in an assessment against that version, you will need to embrace v4.0 requirements prior to your next annual assessment. PCI DSS 4.0 compliance is more than just a great idea—it is mandatory in the payment card industry.