What is PCI DSS v4.0?

The Payment Card Industry Data Security Standard (PCI DSS) is a worldwide standard that establishes baseline operational and technical requirements for protecting account data. The next evolution of the standard, PCI DSS v4.0, was released on March 31, 2022.

The latest revision of the standard, PCI DSS v4.0, significantly changes the requirements, emphasizes security as an ongoing process, and introduces new ways to demonstrate compliance with them. PCI DSS v4.0 replaces PCI DSS v3.2.1 in order to address emerging threats and technologies strategically, offer new approaches for combating growing threats, and secure other elements of the payment ecosystem.

All organizations that manage, store, transmit, or process Sensitive Authentication Data (SAD) and/or Cardholder Data (CHD) or have the potential to compromise the security of the Cardholder Data Environment (CDE) are required to comply with PCI DSS. This covers all organizations that process credit card accounts, such as issuers, acquirers, merchants, processors, and other service providers.

PCI DSS v3.2.1 remains in use for two years after the release of PCI DSS v4.0 on March 31, 2022. The goal of the transition period, which runs from March 31, 2022, to March 31, 2024, is to give organizations adequate time to familiarize themselves with the PCI DSS v4.0 updates, update their reporting templates and forms, and plan and implement those updates. Some requirements take effect immediately, but the majority do not take effect until March 31, 2025, giving organizations a full additional year to implement the more challenging ones.

What’s New in PCI DSS v4.0?

The PCI DSS v4.0 updates are intended to address the ever-evolving security needs of the payments industry, promote security as a continuous process, increase flexibility, and improve validation procedures for organizations that use different approaches to meet security objectives.

The PCI SSC released PCI DSS 4.0 on March 31, 2022, and introduced sixty-four new requirements that organizations need to comply with if applicable to their environments. As with any major compliance framework update, organizations should take a proactive approach between the standard release and its effective date.

The requirements defined under the new PCI DSS take effect in three stages. The first stage covers thirteen new requirements that are effective immediately for any PCI DSS 4.0 Report on Compliance (ROC) or Self-Assessment Questionnaire (SAQ) validation assessment completed since the release of the new standard. The second stage begins after March 31, 2024, when the current version of the standard, PCI DSS 3.2.1, retires; all assessments completed on or after April 1, 2024, must be performed under PCI DSS 4.0. Finally, the remaining fifty-one new requirements are considered best practices until March 31, 2025, and are required to be in place on April 1, 2025. For a comprehensive view, please refer to the Summary of Changes from PCI DSS v3.2.1 to v4.0, found in the PCI SSC Document Library.

As you consider these changes, be sure to take action. At Netsurion, we assist with network security while ensuring that you adhere to all regulations to keep your company PCI compliant; yes, even with the most recent changes. Let us handle this for you.