When the Payment Card Industry Security Standards Council (PCI SSC) released the last edition of the PCI Data Security Standard (DSS) 3.2.1 in 2018, businesses were operating within a payments world much different from today’s. Recognizing the rapid evolution of commerce in the last several years, the Council published an updated standard, PCI DSS 4.0, in March 2022 to better address current payment technology and security threats.
Giving businesses a three-year runway for preparation and implementation, the Council’s plan is to retire Version 3.2.1 in March 2024, and on March 31, 2025, 4.0 will officially become effective. If you haven’t started preparing for the new edition, now is the time to make a plan.
In this blog we’ll cover:
- A summary of the new PCI DSS 4.0 requirements
- How you can best prepare for the deadline
- Resources that can support you and your customers
New requirements included in PCI DSS 4.0
In the recently-released edition of the PCI security standard, there are more than 60 new requirements for businesses processing payments to comply with. While it will be critical to review each in detail and assess how your business will need to move forward, the PCI SSC has provided a Summary of Changes from PCI DSS Version 3.2.1 to Version 4.0 to help you understand the general impact.
Every new requirement or update to the standard is categorized by three change types defined by the PCI SSC:
- Evolving requirement: ‘Changes to ensure the standard is up to date with emerging threats, technologies and changes to the payment industry.’
- Clarification or guidance: ‘Updates to wording, explanation, definition, additional guidance, and/or instruction to increase understanding or provide further information or guidance on a particular topic.’
- Structure or format: ‘Reorganization of content, including combining, separating, and renumbering of requirements.’
Casting a wider security net across payments to accommodate the change in trends and threats, new areas or themes of focus for the 4.0 requirements include these:
- Authentication: Authentication requirements that broaden the use of multi-factor authentication practices and increase password lengths
- E-commerce threats: Requirements addressing social engineering and phishing attacks on e-commerce
- Encryption: Best practices to protect networks from code embedded by malicious actors
- Client-side security: Enhanced security considerations for incidents that could occur on a customer’s computer (rather than on a company’s server)
- More monitoring and reporting: Emphasis on roles, responsibilities, and comprehensive documentation and reporting
- Testing frequency: Higher levels of critical control testing and overall increased testing volume
- Customization: More flexibility to choose a prescribed control or implement a custom version, as long as requirements are met
How to best prepare for new PCI requirements
The more than 60 new requirements vary in level of complexity and effort. According to Converge Technology Solutions, 25 of the requirements are considered ‘high effort’ and could take businesses a full year to implement as they may require major operational changes related to staff, technology and processes. That means the earlier you begin your planning and preparation, the better.
Every organization will need to evaluate the requirements differently, depending on the business environment and handling of payment data. Variable factors include:
- Size of the business
- Resources dedicated to compliance management
- Complexity of technology stacks
- Volume of ‘in-scope’ systems and teams
PCI scope includes any part of your business that has any involvement in the handling or storage of credit card data and can include systems, individuals, or assets. Correctly identifying your business’s full scope is critical to ensuring you don’t miss weak spots and leave areas vulnerable to attack. What’s most important as you prepare for the 4.0 deadline is that you:
- Fully assess and take time to understand the new requirements
- Group each into a level of effort according to your business
- Create a plan that utilizes a phased implementation approach to reach milestones
- Collaborate with leadership across your business to delegate requirements and ensure everyone is on the same page
The goal is to ensure you have a strong handle on what will be required of your business and follow a plan that’s realistic and manageable. For more tips, refer to these eight steps outlined by the PCI SSC for moving toward the new standard.
Resources to support you and your customers’ PCI compliance management
Once you map your available resources against the work to be done and the timeline ahead, you can determine what your path will look like as you approach the deadline. If there are gaps to be filled, you may need outside support to help you handle the new requirements.
Managing PCI compliance on your own can absorb a good deal of time and resources. The right partner can lighten the load and keep you on the right track. Backed by a team of payment security experts, Payrix is an Embedded Payments solution of Worldpay from FIS that offers secure payment acceptance, consultation, and PCI solutions that help software companies effectively maintain compliance and protect the customer experience.
Payrix is a leading PayFac®-as-a-Service partner that takes on the risk, underwriting, fraud, and PCI compliance requirements for software companies interested in payment facilitation but not yet ready to take on the full responsibilities of becoming a payment facilitator.
To help software companies keep their customers PCI compliant, Payrix and Worldpay from FIS now offer SaferPayments, payment protection solutions for businesses provided as basic or fully managed services, with features including:
- Powerful security tools
- Breach assistance
- PCI compliance management support
- Reduced PCI scope (if using point-to-point encryption)
- Always-on, expert support
To learn more about how you and your customers can best prepare for the latest PCI requirements and effectively maintain ongoing compliance, connect with us and give our demo a try.