In March 2022, the Payment Card Industry Security Standards Council (PCI SSC) published an updated version of the Payment Card Industry Data Security Standard (PCI DSS), version 4.0. Every organization that stores, processes or transmits cardholder data is affected by the release of PCI DSS v4.0. The previous version, v3.2.1, is retired on March 31, 2024, and the requirements that v4.0 marks as future-dated become mandatory on March 31, 2025. Learn how the new standard will impact your business and why these updates were made.
What’s New with PCI DSS v4.0?
The development of PCI DSS v4.0, which replaces v3.2.1, was driven by over 6,000 pieces of feedback from more than 200 companies and by the need to address emerging cyberthreats. The 12 core requirements around which the PCI DSS is organized do not fundamentally change from the previous version; instead, v4.0 adds flexibility in how the requirements are implemented, strengthens a number of controls and treats security as a continuous process rather than an annual compliance event.
The principal enhancements and amendments in the new version include the following:
- Stronger authentication: multi-factor authentication for all access into the cardholder data environment (not only for administrators and remote access), a minimum password length of 12 characters where the system supports it, and new requirements for controls that detect and protect personnel against phishing.
- A new customized approach that lets an organization meet a requirement's stated objective with controls of its own design, validated by its assessor, alongside the traditional defined approach, so that new payment technologies and different methodologies can be used to achieve the same security goals.
- Updated implementation guidance for each requirement, and a requirement that the roles and responsibilities for carrying out each requirement are documented, assigned and understood.
- Expanded validation and reporting options, including targeted risk analyses that let an organization determine, and justify, how frequently certain controls are performed.
How to Prepare for v4.0 Compliance
Any business, merchant or organization that handles cardholder data must comply with PCI DSS requirements. Although the future-dated requirements of v4.0 are not mandatory until March 31, 2025, now is the time to begin the work necessary to prepare for the new standard.
Steps your organization can take to prepare for PCI DSS v4.0 compliance are:
- Review the updated requirements in v4.0 and identify criteria for achieving compliance.
- Establish a dedicated team that updates cybersecurity activities, particularly policies, procedures, technologies and staff expertise needed to comply with version 4.0.
- Find and delete cardholder data that your business has no need to keep; data that is not stored cannot be stolen. In particular, sensitive authentication data (full track data, card verification codes, PINs and PIN blocks) must never be retained after authorization.
- Harden the systems in the cardholder data environment against unauthorized access, from insiders as well as from external threats.
- Scan and test the network perimeter, including the quarterly external scans by an Approved Scanning Vendor (ASV), to identify vulnerabilities that could result in breaches.
- Maintain ongoing monitoring and documentation of security activities.
- Review how cardholder data flows through your environment and which protocols protect it in transit and at rest, so that the data is both safeguarded and available where it is legitimately needed.
- Regularly test all data security controls and update them as needed. Document every test, update and result so that the evidence is available at assessment time.
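The first of the steps above, finding cardholder data you do not need to keep, is usually done by sweeping logs, exports and databases for primary account numbers (PANs). The following is an added example, not Bluefin's code or anything from the original page: it scans constructed sample log lines for digit runs that pass the Luhn mod-10 check every card number satisfies, and reports or scrubs each hit showing at most the first six and last four digits, which is the display masking PCI DSS requirement 3.4.1 permits. The card numbers in the sample are well-known test numbers, not real accounts.

```python
import re

# Constructed sample input: lines of the kind a PAN-discovery sweep sees in
# application logs. The numbers are public test card numbers, not real accounts.
SAMPLE_LINES = [
    "2024-01-09 12:00:01 order=1001 pan=4111111111111111 amount=19.99",
    "2024-01-09 12:00:02 order=1002 token=tok_9f8e7d amount=5.00",
    "2024-01-09 12:00:03 customer phone 5555555555 ref 1234567890123",
    "2024-01-09 12:00:04 order=1003 pan=5500 0000 0000 0004 amount=42.10",
]

# A PAN is 13 to 19 digits; humans often write it with spaces or dashes.
# The lookarounds stop the pattern from matching inside a longer digit run.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check: every payment card PAN passes, most other numbers fail."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def _normalise(candidate: str) -> str:
    """Strip the separators so the Luhn check and masking see digits only."""
    return re.sub(r"[ -]", "", candidate)


def find_pans(text: str) -> list:
    """Return every digits-only PAN in the text that passes the Luhn check."""
    found = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = _normalise(m.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            found.append(digits)
    return found


def mask_pan(pan: str) -> str:
    """Mask for display: at most the first six (BIN) and last four digits visible."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan(lines: list) -> list:
    """Report (line number, masked PAN) for every line that carries a PAN.

    Only the masked form is returned so the scan report itself does not
    become a new store of cardholder data.
    """
    hits = []
    for n, line in enumerate(lines, 1):
        for pan in find_pans(line):
            hits.append((n, mask_pan(pan)))
    return hits


def scrub_line(line: str) -> str:
    """Replace every Luhn-valid PAN in a line with its masked form."""
    def repl(m):
        digits = _normalise(m.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            return mask_pan(digits)
        return m.group(0)       # a digit run that is not a card number is left alone
    return PAN_CANDIDATE.sub(repl, line)


if __name__ == "__main__":
    for n, masked in scan(SAMPLE_LINES):
        print(f"line {n}: PAN found, masked {masked}")
    for line in SAMPLE_LINES:
        print(scrub_line(line))
```

The Luhn check is what keeps the sweep from flagging every long number: the 13-digit order reference in the third sample line fails it and is left untouched, while the spaced-out number in the fourth line is normalised and caught. In a real sweep the hits are the list of places to stop writing the PAN, or to replace it with a token, and the scan report is kept out of the cardholder data environment.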
Bluefin’s Encryption and Tokenization Solutions for PCI DSS Compliance
Bluefin specializes in PCI-validated point-to-point encryption (P2PE) and tokenization solutions that work in tandem to secure sensitive data, including payment information, Personally Identifiable Information (PII) and Protected Health Information (PHI), and to support PCI DSS compliance. P2PE encrypts card data at the point of interaction so that clear-text account numbers never reach the merchant's systems, and tokenization replaces the stored account number with a surrogate value. Together they give organizations in retail, healthcare, higher education, government, nonprofit and other sectors flexible options to devalue data at intake, in transit and at rest.
A Participating Organization of the PCI SSC
Bluefin has been a participating organization (PO) of the PCI SSC since our inception. We are a strong proponent of the PCI DSS and, in 2014, we became the first U.S.-based company to receive PCI validation for a P2PE solution.
Today, Bluefin is the largest provider of P2PE solutions globally, with over 100 certified devices, 16 Key Injection Facilities (KIFs), 300 global partners providing our solution and the only 100% online management system for chain of custody, device tracking and attestation, the P2PE Manager®.
Our payment technology is a key element of a holistic approach to data breach prevention. Designed to complement EMV and tokenization, Bluefin's P2PE solutions provide a solid defense against current and future data breaches.
Learn more about our payment and data security solutions, or contact us today for a free consultation with our Security Solutions team.
PCI DSS Compliance Frequently Asked Questions
What is the PCI Standard?
The PCI Standard, referred to in full as the PCI (Payment Card Industry) DSS (Data Security Standard), was first released in 2004 by the card brands and has been maintained since 2006 by the PCI SSC so that a single comprehensive set of security requirements for protecting cardholder data is adopted globally. An organization is considered PCI compliant when it validates, through the assessment route that applies to it, that it meets the requirements set forth in the PCI DSS.
The payment brands (American Express, Discover Financial Services, JCB International, MasterCard Worldwide and Visa Inc.) have mandated that all businesses that store, transmit or process cardholder information must maintain compliance with PCI DSS.
You can learn more at https://www.pcisecuritystandards.org/.
Who needs to be PCI compliant?
PCI compliance is required by the card brands for safe and secure card transactions to occur, and it reduces the risk of card data theft and the fraud that follows it. The PCI SSC maintains the standard; the card brands, through the acquiring banks, enforce it. Merchants who process transactions and handle sensitive card data are required to be PCI compliant.
All organizations that hold, process, or exchange cardholder information need to be PCI compliant – regardless of whether the organization does 2 transactions a year or 2 million transactions a year.
Beyond the risk of incurring significant fines and penalties in the event of a data breach, merchants and service providers who fail to secure their systems risk losing the trust of the clients with whom they have worked so hard to build a relationship.
What kind of PCI compliance do I need to achieve?
Depending on the annual transaction volume processed and the POS and e-commerce systems used, organizations have varying degrees of PCI compliance that they must achieve. This includes but is not limited to an annual Self-Assessment Questionnaire (SAQ) or, for the largest merchants, an on-site assessment by a Qualified Security Assessor (QSA); an annual Attestation of Compliance; and quarterly scans of all externally facing IP addresses by a PCI SSC Approved Scanning Vendor (ASV). Each card brand defines its own merchant levels; the thresholds below are Visa's, which the other brands broadly mirror:
- Level 1: Merchants that process over 6 million card transactions annually, across all channels.
- Level 2: Merchants that process 1 million to 6 million transactions annually, across all channels.
- Level 3: Merchants that process 20,000 to 1 million e-commerce transactions annually.
- Level 4: Merchants that process fewer than 20,000 e-commerce transactions annually, and all other merchants that process up to 1 million transactions annually.
My gateway/terminal is already PCI certified. Do I need to be PCI compliant?
Yes. Using a PCI-compliant terminal or gateway is one of several requirements, not a substitute for your own compliance: all parties involved in processing a card transaction need to be PCI compliant. What a validated solution can do is reduce your scope. A merchant that accepts cards only through a PCI-validated P2PE solution, for example, may be eligible for the much shorter SAQ P2PE, because clear-text account numbers never enter its systems, but it must still complete that assessment and maintain the controls it covers.
What is the cost for maintaining PCI compliance through Bluefin?
Costs for our Compliance Assistance Program are assessed on a monthly and/or yearly basis and vary by account size. Please contact our customer service team for your specific costs, 800-675-6573, ext. 4.