PCI DSS v4.0: Explained

Download our guide to understand the new requirements, which have the potential for significant impact on entities undergoing assessments.

11 July 2022

In this article

  • On March 31, 2022, the PCI Data Security Standard (DSS) v3.2.1 was updated to v4.0.
  • The new standard is not mandatory until March 31, 2024, when v3.2.1 sunsets, and some requirements won't become mandatory until March 21, 2025.
  • The PCI Security Standards Council released a Summary of Changes in May 2022. The document lists the changes as bullet points, but doesn't cover the impact those changes could have.
  • Learn what your business is required to do, when, and the impact these changes will bring with our free PCI v4.0 guide.

Measure the direct impact that changes in PCI DSS v4.0 will have on you and begin your roadmap today. Or, reach out with your more complex and in-depth questions.

The PCI Data Security Standard (PCI DSS) v4.0 was released on March 31, 2022, with a Summary of Changes following in May.

While the summary documents the differences between PCI DSS v3.2.1 and v4.0, it doesn't explain or illustrate the real-world impact these changes could have on organizations.

To help you prepare and respond, our team of Qualified Security Assessors (QSAs) and PCI experts has gone down the line, control by control, to set these requirements in your day-to-day context.


How soon do I have to update to PCI DSS 4.0?

Let's talk timelines.

First, the good news: there's some time to create your plan. PCI DSS v3.2.1 and PCI DSS v4.0 are valid until March 31, 2024, when the older version expires.

It's crucial that you weigh the pros and cons of updating now versus later, but we always recommend starting the transition as soon as possible. Urgency will increase as the deadline approaches, and so will demand for QSAs and advisors, which in turn drives urgency higher still. This vicious cycle is as old as PCI itself.

If you're a visual learner, check out this timeline issued by the PCI Council with the PCI DSS v4.0 key dates for merchants and service providers.

PCI DSS v4.0 Implementation Timeline


What do I need to know about the PCI DSS v4.0 controls?

Another reason to get started as soon as you can is the potential for complexity and effort required for your business to meet v4.0's new controls — and there are a few.

NCC Group's QSAs and payment security experts have thoroughly reviewed the initial v4.0 release and the Summary of Changes to help translate the controls into real-world situations and determine their impact.

Here's some of what you should know about PCI DSS v4.0:

  • In PCI DSS v4.0, there are a total of 64 new controls.
  • There are 51 brand new controls for everyone.
  • Of those 51 new requirements, 13 are specifically for service providers.
  • Some future-dated controls are current best practices, so they may already be in practice in your program.

Our experts agreed that some of the controls are more urgent than others, and a few more may take priority because they could represent opportunities or challenges — either way, the effort you need to exert to meet v4.0 could be significant.

Required changes include (but are not limited to):

  • Different reporting options, such as customized approach and revised report layout
  • Use of Targeted Risk Analysis
  • Revised Password requirements
  • Revisions to Authentication and Identity Management requirements
  • Roles and Responsibilities
  • Revisions to segmentation requirements
  • Additional requirements for Certificate Management and Validation
  • New controls for e-commerce and payment pages
  • Increased requirements for training, including phishing
  • Modifications to requirements for detecting and preventing malware attacks
  • Alignment of SAQ, AOC, and ROC documentation

What impact will PCI DSS v4.0 have on my business?

We've whipped up a document that goes through each significant new PCI DSS v4.0 control compared to v3.2.1 and explains (1) what the difference is and (2) the potential impact for your business.

Download the document by clicking on the button below to get started assessing impact. For further investigation, planning, and PCI DSS v4.0 road mapping, reach out to one of our payment industry experts.