Learn how the transition to PCI DSS v4.0 will affect your organization.
The deadline for the PCI Data Security Standard v4.0 transition is quickly approaching.
Find out how your company may be affected by the switch to PCI DSS v4.0.
Background
Five major credit card companies chartered the PCI Security Standards Council (SSC), establishing the Payment Card Industry (PCI) as it is known today. The council oversees the creation of a number of security standards, all of which aim to protect credit card information. The PCI Data Security Standard is the main framework used by companies that handle, transmit, or store cardholder data, whether they are service providers or merchants.
Compared to its 2018 predecessor, PCI DSS v3.2.1, PCI DSS v4.0 represents a substantial improvement. The move from version 3.2.1 to version 4.0 takes account of the most recent security threats and applies current best practices to safeguard credit card information in an environment where risk grows every day. The Verizon Payment Security Report for 2022 states that fewer than half of the firms surveyed kept cardholder data under sustainable control settings. Organizations must devote enough time and resources to updating their compliance processes in light of the new and improved security practices in the v4.0 framework, as well as its new reporting formats. While attempting to meet v4.0 requirements during a PCI assessment is unlikely to cause compliance concerns, failing to address the new criteria may prevent compliant PCI reporting.
Dates You Should Know
The revised standard is available immediately and comes into force progressively, beginning April 1, 2024.
PCI DSS v3.2.1 is retired on March 31, 2024; after that date it is officially defunct and no longer used for PCI assessments.
From April 1, 2024, a set of new practice requirements will be mandatory and evaluated as part of any PCI DSS compliance assessment. These comprise:
Identifying and documenting the roles and responsibilities involved in each PCI DSS activity
A thorough, documented definition of PCI DSS scope
In addition, the v4.0 versions of the Self-Assessment Questionnaires (SAQs) and the Report on Compliance (ROC) must be used.
All of the new PCI DSS v4.0 criteria go into effect on April 1, 2025. This gives organizations one year after v3.2.1 is retired to switch to more stringent security procedures.
Effective Compliance
Because PCI DSS v4.0 introduces many new provisions, each of them must be addressed in full. Full conformance requires a clearly defined and documented scope, the ability to assign responsibility for PCI governance within the organization, and the tools and technologies needed to support that governance. Regular checks of business-as-usual (BAU) controls and ongoing direction from management are also necessary.
Combining governance principles, risk management, compliance systems, and continuous audit functions with these other measures will help the organization achieve compliance with PCI DSS v4.0.
v4.0 of the Data Security Standard is the tide that will change the direction of data security management.
Source – https://www.forvis.com/forsights/2024/02/pci-data-security-standard-v4-0-transition-deadline-is-rapidly-approaching