PCI DSS 4.0 Timeline

Jul 8, 2022 | Compliance, PCI DSS 4.0

March 2022 forever changed the compliance landscape for all time. PCI DSS 4.0 was launched, and the world was ushered into an era of bliss.

Ok, seriously, bliss and compliance frameworks are, for most, not even in the same solar system. But PCI DSS 4.0 is here and, for those of you with reporting requirements from one of the 5 Brands, it’s life, so here we are.

Now that the Council has put out documentation concerning 4.0, what it entails, and its timeline, let’s take a few moments to dive into when you can be expected to report using the new Data Security Standard 4.0 model.

The PCI DSS 4.0 Timeline

The Council has provided a helpful graph to give a 30,000-foot view of the implementation timeline, a snippet of which I have posted below:

PCI DSS 4.0 Implementation Timeline

Let’s break this down.

Key Dates

  • Q1 2022 – PCI DSS 4.0 Release. Pretty simple. Bliss and happiness. We got it.
  • Q2 2022 – Auditor training. Auditors are made aware of, and trained for, specifics of assessing PCI DSS 4.0 clients. 
  • 31st March 2024 – Clients can no longer certify their organization using PCI DSS 3.2.1 on or after this date. All ROCs and SAQs using 3.2.1 need to be completed before that date.
  • 31st March 2025 – Clients are required to certify against new, future-dated requirements. (More on this later.)

Notice the turquoise bar below, which outlines the 2-year period of implementation from Q1 2022 through Q1 2024. During this time, clients will be able to complete SAQs and ROCs using PCI DSS 3.2.1 while working toward the larger goal of aligning their environments with PCI DSS 4.0 requirements.

Finally, notice the blue bar at the bottom, which concerns the implementation of future-dated and new requirements. Well, here is an example from the summary of changes:

PCI DSS 4.0 New Requirement – Delayed Implementation (

As stated in the above control, clients must define how often they evaluate non-mainstream components (such as Unix/Linux systems) in their risk assessment. This requirement, added onto 3.2.1’s requirements from 5.x controls, will not be required until that March 31st, 2025 date, which will allow entities time to perform a yearly risk assessment and bring this into their evaluative scope.

PCI DSS 4.0 New Requirement – Immediate Implementation (5.1.2)

However, other requirements, such as 5.1.2 above, will be required upon an entity’s first audit with PCI DSS 4.0. As such, these are requirements that will be critical for merchants and service providers to look at in the next two years to be properly prepared for their first 4.0 assessment.

Changes and New Requirements

Here’s a point you may not have heard: based on the Summary of Changes document provided by the Council, PCI DSS 4.0 adds sixty-four (64) new requirements across all control families. Yep, depending on your merchant status, or Cardholder Data Scope, you could have up to 64 new controls to look at, and that’s not even considering the innovative approaches entities can take as debuted in the new 4.0 methodology! Finally, there are 21 pages of changes from 3.2.1 controls to 4.0! That’s a lot to keep up with!

Feeling a little overwhelmed? If so, most of the community agrees. While the changes made to 4.0 have a goal of ultimately better protecting our cardholder data, they won’t come without some heavy lifting.

If you have further questions or are interested to see how your company fares against 4.0 today, reach out and we would be happy to discuss with you further.