PCI DSS 4.0 brings with it an extensive list of new requirements, as well as updates to existing ones.
Of the 63 new requirements, 13 must be met by the first deadline of March 31, 2024, with the remaining 50 enforceable on March 31, 2025. While the first 13 will require low effort, many of the new requirements are considered high effort and could take up to a year to implement, demanding significant time and resources.
Despite the lift (and the deadline), education and execution remain low. As reported in The State of Enterprise Readiness for PCI DSS 4.0, most organizations don’t have a strong understanding of all the requirements and have yet to begin executing on the changes.
In fact, fewer than a third (31%) of surveyed payment data security professionals have a strong understanding of all requirements associated with PCI DSS 4.0, and nearly half (49%) indicate their organizations have yet to begin executing on PCI DSS 4.0 changes.
Getting Started with PCI v4.0
PCI DSS 4.0 impacts a variety of business functions and operations, so internal alignment is a logical starting point for enterprises. Getting the right stakeholders to formulate and execute on changes of this magnitude will require in-house orchestration.
“Logical stakeholders include executive roles that are technology-focused (CIO, CISO, CTO), compliance-oriented (chief compliance officer, chief risk officer, head of legal), in relevant functions (VPs of finance, IT, procurement, governance/risk/compliance), and overseeing payments strategy (head/VP of payments) and execution (software developer/engineer, PCI coordinator). Enterprises need employees who can conduct self-assessments, create plans and implement playbooks to reach minimum requirements, as well as determine strategic opportunities to differentiate, such as by streamlining steps that may result in customer friction.” – page 8.
Given the extent of the requirements, most enterprises are not equipped to take on PCI DSS 4.0 alone. Partnerships will play an important role in v4.0 adoption, the report finds: 86% of respondents indicated that their organization will solely or mostly rely on third-party vendors for PCI DSS 4.0 compliance in some capacity.
The Merchant Risk Council’s recent article on PCI DSS 4.0 concurs, stating that the best place to start on the roadmap to adoption is at the beginning: with a trusted advisor.
“Read the standard, understand the basics, and use the resources you have internally. Unless your organization has an Internal Security Assessor (ISA) on staff, you will want to engage a trusted advisor that can help leverage previous PCI assessments and navigate the new requirements. You want someone who is going to be completely honest with you and tell you things that you might not be excited about hearing. This individual will need to understand risk, put security first and then apply both to how your organization approaches compliance. By determining which best practices put your organization at risk, your trusted advisor can help reduce many of the risks and leverage this compliance standard in a way that will increase your business value.” – Dan Fritsche
Fritsche also recommends conducting gap assessments within your environment to understand the current controls and to identify any gaps against the new requirements.
Bluefin, a participating organization (PO) of the PCI SSC and a strong proponent of the PCI DSS, provides steps on how best to prepare as well as frequently asked questions on PCI DSS compliance.