PCI DSS Compliance FAQs: Why a Final v3.2.1 Security Assessment Makes Sense for Many PCI Members

Written by Sanjay Deo | December 12, 2023

Payment card industry members currently have the option of assessing v3.2.1 or v4.0 to maintain compliance. These FAQs will help you decide.

How often do I need a PCI DSS assessment?

Annual security assessments enable payment card industry members to demonstrate that they have implemented the security requirements that apply to them, thus proving their compliance. The payment card industry requires assessments every year. It also requires vulnerability tests every 90 days for larger merchants.

Does my small store require a security assessment?

According to the PCI DSS website, “PCI DSS is intended for all entities involved in payment processing, including merchants, regardless of their size or transaction volume. When compared with larger merchants, small merchants often have simpler environments, with limited amounts of cardholder data and fewer systems that need protection, which can help reduce their PCI DSS compliance effort.

“Whether a small merchant is required to validate compliance is determined by the individual payment brands. For questions regarding compliance validation and reporting requirements, merchants should contact their acquirer (merchant bank) or their payment brand.”

In most cases, if you have not completed an assessment in 12 months, you are out of compliance and need to arrange for a security assessment as soon as possible.

How long can I assess the legacy version of PCI DSS?

The legacy PCI Data Security Standard, v3.2.1, will be officially retired on March 31, 2024. If you are currently engaged in a security assessment against v3.2.1, you will need to complete that assessment by March 31, 2024.

If you have an assessment due in the next 12 months, there is still time to assess v3.2.1 by March 31, 2024, provided you get started soon. The clock is ticking!

What are the advantages of doing a final v3.2.1 security assessment?

PCI DSS 3.2.1 has been the prevailing standard for compliance since 2018. As such, it is well known to PCI industry members, who have been maintaining compliance with this standard for the past six years.

All of your recent annual assessments have evaluated your compliance with the requirements of v3.2.1. Conducting one more assessment against v3.2.1 will be familiar and convenient and will take less time than preparing for your first v4.0 assessment.

Is it possible to complete a v3.2.1 assessment by the March 2024 deadline?

Yes, it is. You have already performed a handful of these assessments in recent years, and the process will be the same. However, you need to take steps now to start the assessment, since it may have to be conducted by a third-party Qualified Security Assessor if the self-assessment option is not available to you. (Whether you are eligible to self-assess depends on several factors, as discussed later in this FAQ.) Contact a QSA today for guidance.

How can a Qualified Security Assessor help me?

Qualified Security Assessors (QSAs) are specifically authorized by the Payment Card Industry Security Standards Council to conduct assessments for their members and to guide them through self-assessments. Specific procedures and forms must be used to conduct and document each assessment, and QSAs are authorized to execute these procedures and forms.

As part of the countdown to compliance, an experienced QSA can also assist you in obtaining support for the security assessment from your management team. And by developing a sense of urgency within the organization, your QSA can help to smooth the assessment path and resolve any obstacles that could interfere with successful completion.

What forms do I need for my final v3.2.1 security assessment?

The primary required document is the Report on Compliance (ROC), which outlines the security posture, environment, systems, and cardholder data protection measures in place at merchant organizations.

The Self-Assessment Questionnaire (SAQ) is another example of assessment documentation. There are eight different available SAQ forms depending on very specific merchant card processing criteria.

Following is an overview of the required v3.2.1 documentation, which your QSA can assist you in completing and submitting:

  • Level 1 Merchants – ROC and Quarterly External Vulnerability Scans
  • Level 2 Merchants – ROC, or appropriate Self-Assessment Questionnaire (SAQ), and Quarterly External Vulnerability Scans (depending on card brand requirements)
  • Level 3 Merchants – Appropriate SAQ and Quarterly External Vulnerability Scans

What other services can I obtain from a Qualified Security Assessor?

QSAs are able to assist members of the payment card industry with all of the required assessment activities. These include, but are not limited to:

  • Reviewing cardholder data storage locations and formats, and the access controls that protect them
  • Reviewing existing agreements, documentation, and operating policies and procedures
  • Assisting in the use of the Prioritized Approach Tool and the Self-Assessment Questionnaire, as applicable
  • Conducting network vulnerability scans
  • Training developers in secure programming techniques
  • Providing security awareness training with specific emphasis on data privacy and the management of cardholder data

Importantly, QSAs can also assist with remediation of compliance gaps, provide validation and certification of PCI DSS compliance once all requirements are met, and assist in preparing the Report on Compliance (ROC) and the Attestation of Compliance (AOC) to complete your annual security assessment.

24By7Security is an experienced QSA and, as such, can readily assist you with these and other activities required by your v3.2.1 assessment. We are also an authorized v4.0 QSA.

What are the primary steps of my PCI DSS 3.2.1 assessment?

There are five main steps in your v3.2.1 assessment, as follows:

  1. Your Qualified Security Assessor conducts your security assessment against the requirements of v3.2.1, which has been the standard since 2018 and will be retired on March 31, 2024.
  2. Your QSA completes the Report on Compliance (ROC) summarizing their findings.
  3. As the client, you execute the Attestation of Compliance (AOC), attesting that the report is valid and that your organization is in compliance with v3.2.1.
  4. The signed ROC and AOC are then submitted to your acquiring bank for review.
  5. Assuming the bank accepts your documentation, it will forward the documentation for further review to the payment brands whose cards you accept (e.g., Amex, MasterCard, Visa).

Your organization will continue to conduct business as usual until you hear back from your merchant bank or payment card brand(s).

How do I start my final v3.2.1 self-assessment?

Begin by reviewing the list of criteria for each of the eight available Self-Assessment Questionnaires (SAQs). Then, select the SAQ that best describes your organization. The PCI DSS website provides detailed information to assist you, as does this article on SAQs.

Why did the security standard change from v3.2.1 to v4.0?

The Payment Card Industry updates its Data Security Standard periodically in light of new and emerging cyber threats and vulnerabilities. PCI DSS 4.0 is the latest, most comprehensive security framework to keep your payment card data safe and secure.

In 2022, payment card transactions reached a record $625 billion (USD) globally, representing an increase of 7.5% over 2021, according to research firm Statista. With this unprecedented use, personally identifiable information and payment card data are at greater risk than ever before. The resulting data breaches have generated unfavorable press for leaders in the hospitality industry and have also plagued smaller organizations.

Cybercrime is constantly evolving, and cybersecurity safeguards must keep pace across all industries to protect consumer and company data.

When should payment card industry members adopt v4.0?

By regulation, you will need to adopt the v4.0 requirements before your first v4.0 security assessment. PCI DSS 4.0 imposes 64 new requirements that must be implemented by payment card industry members not later than March 31, 2025.

Although the deadline for compliance with PCI DSS 4.0 is more than a year away, that leaves very little time to implement the 64 new security requirements and complete your first security assessment against v4.0. More than a year has elapsed since v4.0 was released in March 2022, and smart merchants, third-party service providers, and card payment processors began preparing to adopt the new requirements in 2022.

What should I do now?

Security assessments and self-assessments currently in progress against PCI DSS 3.2.1 should be completed by March 31, 2024.

If you are due for an annual assessment, it is not too late to begin and complete a v3.2.1 assessment—provided you act quickly. Less than four months remain, and the clock is ticking.

Qualified Security Assessors, such as 24By7Security, are authorized to assist merchants, third-party service providers, and card payment processors in successfully completing their final v3.2.1 security assessments. Contact a QSA immediately for expert assistance.