Payment card industry members currently have the option of assessing v3.2.1 or v4.0 to maintain compliance. These FAQs will help you decide.
Annual security assessments enable payment card industry members to demonstrate that they have implemented the security requirements that apply to them, thus proving their compliance. The payment card industry requires assessments every year. It also requires vulnerability tests every 90 days for larger merchants.
According to the PCI DSS website, “PCI DSS is intended for all entities involved in payment processing, including merchants, regardless of their size or transaction volume. When compared with larger merchants, small merchants often have simpler environments, with limited amounts of cardholder data and fewer systems that need protection, which can help reduce their PCI DSS compliance effort.
“Whether a small merchant is required to validate compliance is determined by the individual payment brands. For questions regarding compliance validation and reporting requirements, merchants should contact their acquirer (merchant bank) or their payment brand.”
In most cases, if you have not completed an assessment in 12 months, you are out of compliance and need to arrange for a security assessment as soon as possible.
The legacy PCI Data Security Standard, v3.2.1, will be officially retired on March 31, 2024. If you are currently engaged in a security assessment against v3.2.1, you will need to complete that assessment by March 31, 2024.
If you have an assessment due in the next 12 months, there is still time to assess v3.2.1 by March 31, 2024, provided you get started soon. The clock is ticking!
PCI DSS 3.2.1 has been the prevailing standard for compliance since 2018. As such, it is well known to PCI industry members, who have been maintaining compliance with this standard for the past six years.
All of your recent annual assessments have evaluated your compliance with the requirements of v3.2.1. Conducting one more assessment against v3.2.1 will be familiar and convenient and will take less time than preparing for your first v4.0 assessment.
Yes, it is. You have already performed a handful of these assessments in recent years, and the process will be the same. However, you need to take steps now to start the assessment, since it may have to be conducted by a third-party Qualified Security Assessor (QSA) if the self-assessment option is not available to you. (The ability to self-assess depends on several factors, as discussed later in this FAQ.) Contact a QSA today for guidance.
As part of the countdown to compliance, an experienced QSA can also assist you in obtaining support for the security assessment from your management team. And by developing a sense of urgency within the organization, your QSA can help to smooth the assessment path and resolve any obstacles that could interfere with successful completion.
The primary required document is the Report on Compliance (ROC), which outlines the security posture, environment, systems, and cardholder data protection measures in place at merchant organizations.
The Self-Assessment Questionnaire (SAQ) is another example of assessment documentation. There are eight different SAQ forms, and which one applies to a merchant depends on very specific card-processing criteria.
Following is an overview of the required v3.2.1 documentation, which your QSA can assist you in completing and submitting:
QSAs are able to assist members of the payment card industry with all of the required assessment activities. These include, but are not limited to: reviewing cardholder data storage locations, storage formats, and access controls; reviewing existing agreements, documentation, and operating policies and procedures; assisting in the use of the Prioritized Approach Tool and the Self-Assessment Questionnaire, as applicable; conducting network vulnerability scans; training developers in secure programming techniques; and providing security awareness training with specific emphasis on data privacy and the handling of cardholder data.
Importantly, QSAs can also assist with remediation of compliance gaps, provide validation and certification of PCI DSS compliance once all requirements are met, and assist in preparing the Report on Compliance (ROC) and the Attestation of Compliance (AOC) to complete your annual security assessment.
24By7Security is an experienced QSA and, as such, can readily assist you with these and other activities required by your v3.2.1 assessment. We are also an authorized v4.0 QSA.
There are five main steps in your v3.2.1 assessment, as follows:
Your organization will continue to conduct business as usual until you hear back from your merchant bank or payment card brand(s).
Begin by reviewing the list of criteria for each of the eight available Self-Assessment Questionnaires (SAQs). Then, select the SAQ that best describes your organization. The PCI DSS website provides detailed information to assist you, as does this article on SAQs.
The Payment Card Industry updates its Data Security Standard periodically in light of new and emerging cyber threats and vulnerabilities. PCI DSS 4.0 is the latest, most comprehensive security framework to keep your payment card data safe and secure.
In 2022, payment card transactions reached a record $625 billion (USD) globally, an increase of 7.5% over 2021, according to research firm Statista. With this unprecedented volume, personally identifiable information and payment card data are at greater risk than ever before. The resulting data breaches have generated unfavorable press for leaders in the hospitality industry and have also plagued smaller organizations.
Cybercrime is constantly evolving, and cybersecurity safeguards must keep pace across all industries to protect consumer and company data.
By regulation, you will need to adopt the v4.0 requirements before your first v4.0 security assessment. PCI DSS 4.0 imposes 64 new requirements that payment card industry members must implement no later than March 31, 2025.
Although the deadline for compliance with PCI DSS 4.0 is more than a year away, that leaves very little time to implement the 64 new security requirements and complete your first security assessment against v4.0. More than a year has elapsed since v4.0 was released in March 2022, and well-prepared merchants, third-party service providers, and card payment processors began preparing to adopt the new requirements that same year.
Security assessments and self-assessments currently in progress against PCI DSS 3.2.1 should be completed by March 31, 2024.
If you are due for an annual assessment, it is not too late to begin and complete a v3.2.1 assessment—provided you act quickly. Less than four months remain, and the clock is ticking.
Qualified Security Assessors, such as 24By7Security, are authorized to assist merchants, third-party service providers, and card payment processors in successfully completing their final v3.2.1 security assessments. Contact a QSA immediately for expert assistance.