Blog | 24By7Security

PCI Compliance Deadlines are Looming for Merchants and Others in the Payment Card Industry

Written by Sanjay Deo | January, 16 2024

We’re on the home stretch for PCI DSS 3.2.1 assessments before v3.2.1 is retired on March 31, 2024

It’s Time to Make an Important Decision

The previous PCI Data Security Standard (version 3.2.1) will be officially retired in just over two months—on March 31, 2024. There is still time to conduct a security risk assessment in your PCI DSS 3.2.1 environment, by this deadline, provided you begin now.

Once this window closes, you will need to implement the multitude of new requirements of PCI DSS 4.0, which is the current version of the Data Security Standard launched more than a year ago, on March 31, 2022.

After the upcoming March 31, 2024 deadline, your next security risk assessment will have to be conducted against v4.0 and you will need to comply with those new requirements before your assessment. You will also need to conduct the required scoping exercise.

Assessing against v3.2.1 will be much easier and faster than your first assessment against v4.0 will be, due to the learning curve associated with the new requirements. This is why the v3.2.1 assessment is strongly recommended for organizations who are due for their annual risk assessment now, or who may even be overdue.

Why the 4.0 Standard was Developed

Cybercrime and cybersecurity are constantly evolving as one side attempts to outperform the other in an endless game of leap frog. It’s a story similar to the competing use of radar guns by police and radar detectors by speedy motorists. As one technology advances, the counter-technology tends to advance in response.

The unprecedented use of payment cards puts card data and personal information at great sustained risk of security exploits and privacy breaches. Purchases of goods and services using payment cards reached record levels of $3.2 trillion in 2022, according to the Consumer Finance Protection Bureau. Exploited vulnerabilities in card handling, payment transmission, data storage, and other elements of the payment card environment usually lead to data breaches that result in non-compliance penalties and heavy financial costs for breached organizations.

With PCI DSS 3.2.1 first introduced more than six years ago, in 2018, the Payment Card Industry Security Standards Council recently released the next generation of security and privacy safeguards to afford its members more advanced and effective data protection.

The Next PCI Compliance Deadline is March 31, 2024

The newest and most comprehensive security framework was launched on March 31, 2022 as PCI DSS 4.0. Merchants, third-party service providers, and payment card processors are required to comply with the new standard no later than March 31, 2025.

GREAT NEWS: Currently, annual assessments may be conducted against the new PCI DSS 4.0 requirements or against the still-valid PCI DSS 3.2.1 requirements. The deadline for completing all remaining v3.2.1 assessments is less than three months away—on March 31, 2024. This assessment is a realistic choice, provided you act now. And it is a choice with many advantages, which is why so many industry members are completing their final v3.2.1 assessments now.  

Subsequent annual assessments must evaluate the implementation and compliance to v4.0 requirements. These include 64 new security and privacy requirements not addressed in the previous version.

PRIVACY NOTE: To learn more about data privacy, visit the National Cybersecurity Alliance website. Data Privacy Week 2024 begins this Sunday, January 21. Throughout the week, excellent webinars and other resources are freely available.

Engage a Qualified Security Assessor to Complete Your Assessment by the Deadline

In most cases, annual security assessments must be conducted by third-party Qualified Security Assessors (QSAs). In certain cases, according to very specific criteria, self-assessments may be permitted. Qualified Security Assessors are specifically authorized by the Payment Card Industry Security Standards Council to conduct third-party assessments for their members and may also assist with self-assessments.

Regardless of whether third-party assessment or self-assessment applies to you, specific procedures and forms must be used to conduct and document each annual assessment. Qualified Security Assessors such as 24By7Security are experienced in navigating the third-party and self-assessment processes, including all applicable forms and procedures.

Whether the Report on Compliance (ROC) is required, or one of the Self-Assessment Questionnaires (SAQs) can be used, is determined by the volume of payment card transactions a merchant processes each month. Generally, quarterly external vulnerability scans are also required. Your QSA will know what you need as well as the applicable PCI compliance deadlines.

For organizations conducting one final assessment against v3.2.1, engaging an experienced QSA can help you get the job done successfully by the deadline of March 31, 2024.

Submitting Findings from Annual Assessment Activities

Is your organization due for its annual assessment? At present, unless you have implemented all of the new security and privacy requirements of v4.0, it will be simpler and faster to conduct your assessment against v3.2.1. Especially with the assistance of an experienced QSA.

Outlined below are examples of the assessment activities required for the 3.2.1 Data Security Standard

  • Review of cardholder data storage locations and formats, access controls, existing agreements, documentation, and operating policies and procedures
  • Developing compliant policies and procedures for payment cards
  • Conducting network vulnerability scans
  • Providing security awareness training with specific emphasis on data privacy and management of cardholder data
  • Training developers in secure programming techniques
  • Assisting with remediation of compliance gaps
  • Providing validation and certification of PCI DSS compliance once all requirements are met, including the Report on Compliance and Attestation of Compliance required to complete the annual security assessment
  • Preparation of Self-Assessment Questionnaire, as appropriate.

As a Qualified Security Assessor, 24By7Security is authorized to conduct assessments for PCI DSS 3.2.1 as well as for PCI DSS 4.0.

Completing Your PCI DSS 3.2.1 Self-Assessment

PCI compliance deadlines apply to organizations who are eligible to complete self-assessments, as well as to those who must conduct third-party assessments. Eight self-assessment options are available through the use of various Self-Assessment Questionnaires or SAQs. Selecting the appropriate form for your organization depends on several specifications, as described on the PCI DSS website.

Each of the eight Self-Assessment Questionnaires has its own distinct set of instructions. Among those instructions, a few are common across all SAQs. As just one example of the essential steps of self-assessment, the instructions below are from SAQ A.

  1. Confirm that your environment is properly scoped, and that it meets the eligibility criteria for the SAQ you are using.
  2. Assess your environment for compliance with the applicable PCI DSS requirements for that SAQ.
  3. Complete all sections of the SAQ document.
  4. Submit the completed SAQ and signed Attestation of Compliance, along with any other requested documentation, to your merchant bank or payment card brand in accordance with their specific instructions.

Your merchant bank or payment card brand will review your documentation, and will contact you if additional information is needed.

Scoping Exercise Required Before Each PCI DSS 4.0 Assessment

Forward-thinking organizations began preparations to implement the new requirements of v4.0 when it was introduced in March 2022. Many of these organizations are well on their way to full implementation, and some have even completed that process. These organizations are in excellent position to conduct their annual security assessments to the new PCI DSS 4.0 requirements.

Prior to performing your annual PCI DSS 4.0 assessment, you will need to conduct a formal, well-documented annual scoping exercise, as specified in requirement 12.5.2. The annual scoping exercise, which entails significant work by the merchant or third-party service provider each year, is required to ensure that changes in your data environment and organization are represented in your next annual assessment. 

PCI DSS 4.0 assessments are likely to be complex and labor-intensive, and with a longer learning curve for most organizations. That’s why it makes sense to engage a Qualified Security Assessor to ensure a smooth and thorough assessment—especially for the first one.

Summary

Payment card industry members who have a security assessment or self-assessment due by March 31, 2024, should seriously consider conducting a PCI DSS 3.2.1 assessment. There is still time to do so, and it will be easier and faster than the initial v4.0 assessment with its myriad new requirements. After March 31, 2024, all annual assessments will be required to comply with PCI DSS 4.0.

Professional assistance is available from Qualified Security Assessors authorized by the PCI Security Standards Council. QSAs are able to assist merchants, third-party service providers, and card payment processors in successfully completing the activities necessary for assessments to PCI DSS 3.2.1 and 4.0 requirements. Contact an assessor immediately for assistance in meeting your PCI compliance deadlines.