For any organization accepting credit cards, adhering to PCI DSS standards is essential to maintaining a secure payment environment.
The PCI DSS v4.0 standard – its requirements and the implementation transition period ending March 31, 2024 – is discussed in the world of payments almost daily, so organizations cannot ignore that planning for adoption should already be well underway.
Regardless of where each organization stands in this process, most can attest that the rapid, ever-evolving world of e-commerce has brought with it the need for more stringent requirements.
“Much has changed since the preceding version of the standard, 3.2.1, was published back in 2018. Fueled by the pandemic, online transactions and the use of point-of-sale (POS) machines have sky-rocketed, technology has evolved, and cloud platforms are used extensively for storing cardholder data. Attackers have also advanced their tactics targeting the payments industry.” Dark Reading.
With these changes, PCI DSS has set the bar higher with the v4.0 standard, adding flexibility to implementation, strengthening security standards, and mandating a continuous process to ensure compliance.
At Bluefin, we have provided updates highlighting the enhancements and amendments in the PCI DSS v4.0 standard and the steps your organization can take to prepare for PCI DSS v4.0 compliance. These updates draw on the authoritative source in payment data protection, the PCI Security Standards Council (PCI SSC), which offers a dedicated PCI DSS 4.0 Resource Hub that helps organizations become familiar with v4.0.
At the beginning of 2023, the PCI SSC introduced its video series, Questions with the Council, as an additional resource where organizations can ask council members questions regarding all things v4.0. February’s edition, featuring Emma Sutcliffe, SVP Standards, PCI SSC, not only provided organizations with a starting point for transitioning to v4.0, but also recommendations and resources to guide organizations through the entire process. Some of the questions within this series include:
Q: What are the first steps organizations should take when transitioning from v3.2.1 to v4.0?
A: Sutcliffe gets straight to the point. “Don’t put it off. Begin now.” She explains that with v4.0, there is a lot of new information and specific requirements each organization will need to be aware of, citing two resources to get started.
PCI DSS Summary of Changes – The summary details the v4.0 standard and provides a complete list of requirements with effective dates.
PCI DSS Requirements and Testing Procedures v4.0 Glossary – Located in Appendix G of the v4.0 standard, the glossary provides a list of terms, abbreviations, and acronyms that helps organizations understand how they apply to them.
Q: Can you discuss the transition timeline from v3.2.1 to v4.0?
A: There are two key dates in the timeline. On March 31, 2024, v3.2.1 will be retired, and v4.0 will be the only active version. This transition period allows organizations to become familiar with the changes and plan accordingly to implement changes and meet the updated requirements.
Organizations with specific questions about their implementation and compliance obligations should contact their acquirer or payment brand – whoever you report your compliance to – to help your organization with timelines as well as when v4.0 will apply to your organization. As of March 31, 2025, the best practices listed within v4.0 will become requirements.
Both dates are published on the PCI SSC website within the PCI Perspectives blog.
Q: The new standard lists several requirements as “best practices” effective with the release of the standard. How should organizations look at beginning to implement these practices while still focusing on 3.2.1 security implementations?
A: This is where the timeline is critical. Best practices for v4.0 will become requirements on March 31, 2025, so it is very important to start looking at those best practices now and how you are going to implement them.
Implementation is also where qualified assessors can be of great service. The PCI SSC has transition training for its assessor community, and organizations can look on the website for Qualified Security Assessors (QSAs) and Internal Security Assessors (ISAs) who have completed the transition training. If you have internal assessors, there is v4.0 training for them as well.
Sutcliffe also recommends that organizations do gap assessments within their environment to understand what the current controls are and if there are any gaps to the new requirements that are coming in 2025.
Bluefin – PCI DSS Compliance
Bluefin, a participating organization (PO) of the PCI SSC since our inception, is a strong proponent of the PCI DSS. In 2014, we became the first U.S.-based company to receive PCI validation for a P2PE solution. We secure point-of-sale (POS) payments with the highest level of security available: P2PE and tokenization solutions.