Does your organization do anything with credit cards? Chances are you must be Payment Card Industry (PCI) compliant in some form or fashion. PCI compliance touches financial institutions, merchants, hardware and software vendors, managed support vendors, and a variety of others. There are numerous PCI standards, all developed by the PCI Security Standards Council (PCI SSC), a global organization formed in 2006 by American Express, Discover, JCB International, Mastercard, and Visa. Its purpose is to provide common frameworks and standards that promote the security and interoperability of payment processing operations worldwide.
One of the Council’s most popular frameworks is the PCI Data Security Standard (PCI DSS), which is the last line of defense for cardholder data protections as they are implemented in merchant and service provider environments. PCI DSS defines security requirements that must be in place depending on how the organization interacts with cardholder data, for example, via a call center, e-commerce, retail stores, etc. The DSS focuses on how cardholder data is stored, processed, and/or transmitted by or through an entity and/or their service providers. The standard looks at both technical and operational aspects such as systems configurations, policies, procedures, formally assigned roles and responsibilities, etc.
As the version number might suggest, PCI DSS v4 is the fourth major iteration of the Data Security Standard framework. It was released to the public in March 2022, more than 8 years after the previous major v3 release. I tell my clients all the time, “PCI compliance is a lot of work”, and I mean it! But there is a lot of work that goes into developing these standards that many people don’t see either. For example, PCI SSC collaborated with over 200 companies and reviewed more than 6,000 items of feedback throughout 3 request for comment (RFC) periods on draft content before this release. And that brings me to one of my next favorite questions and responses… when people ask, “why do I have to…?”, I typically respond with a reference to a specific control and say something like, “I don’t get to make the rules, I just have to follow them”. I think that makes sense to most people, but v4 is giving us a new twist with reporting flexibility, so I’m excited to see what people come up with that mitigates risks above and beyond the intent of the original control.
The biggest questions most people are asking right now: “how long do I have to get ready for v4?”, “do I have to switch to v4 now?”, “what do we need to do?”, etc. Rest assured, you have some time, but you may not have as much as you think if your organization isn’t prepared or very agile. The current version of PCI DSS, v3.2.1, will be retired on 31 March 2024, meaning all PCI DSS validations after this date must be at least PCI DSS v4.0 compliant.
Contextual Security Solutions was co-founded by, and its practice is led by, people who have been helping clients navigate PCI compliance requirements in complex environments since the formation of PCI DSS. We would love to help you with your PCI DSS v4 transition… please let us know how we can help.