The PCI Security Standards Council (PCI SSC), an independent body created by major credit card companies Visa, MasterCard, American Express, Discover, and JCB, released specifications for PCI DSS 4.0 certification on 31 March 2022.
Hold on, there’s no need to panic and start scrambling.
You have two years to familiarize yourself with, plan for, and implement the mandatory changes. In the meantime, your compliance with PCI DSS 3.2 is still valid and remains so until 21 March 2024.
In other words, you have until 31 March 2024 to comply with PCI DSS v4.0.
Do I need to comply with PCI DSS?
You must comply with PCI DSS, which stands for Payment Card Industry Data Security Standard, as long as your organization accepts, processes, stores, and/or transmits credit card information and credit cardholder data.
PCI DSS compliance doesn’t apply if I don’t store credit card information, right?
No. PCI DSS compliance applies to you even if you don’t store credit card information. It just means that complying with the standard may be easier if you don’t store credit card data.
How about if I only accept debit and prepaid card payments?
Ah, yes, you still need to comply with PCI DSS. In fact, you need to comply even if you only accept prepaid card payments.
Let’s put it this way: you need to comply with PCI DSS as long as you are accepting payments from debit and prepaid cards associated with any one of the five card brands that are part of the PCI SSC, i.e. Visa, Mastercard, American Express, JCB and Discover.
How about if I only want to process a single transaction?
Yes. You need to comply even if you only need to process a single card payment or have only processed a single transaction so far.
It also doesn’t matter if you accept online transactions or over the phone. As stated above, your organization needs to comply with the PCI DSS standard as long as you accept, process, store and/or transmit credit card information and credit cardholder data.
Size doesn’t matter
It doesn’t matter if you are a Small and Medium Enterprise (SME), a sole proprietorship, or an MNC with thousands of employees worldwide.
The PCI Security Standards Council defined four compliance levels based on an organization’s credit card transaction volume over a 12-month period, regardless of acceptance channel and company size.
These 4 compliance levels apply to organizations at different “Merchant Levels.”
Do I need to comply if I’ve outsourced payments to a third-party processor?
Without a doubt. However, it is generally quite easy and painless if you are using an outsourced payment provider.
Why is there an update?
The updates in PCI DSS v4.0 were necessary to meet the evolving security requirements of the payment industry. They are part of a continuous process that gives all affected organizations flexibility in improving their procedures so they can achieve their own security objectives.
What changes do I need to take note of?
1. Stricter authentication controls
PCI DSS v4.0 added a new requirement to implement Multi-Factor Authentication (MFA) for all access to Cardholder Data Environments (CDE).
Password requirements under the updated standard have also been changed. Section 8.3.6 of PCI DSS 4.0 (an update from section 8.2.3 of the current standard) requires password lengths to be at least 12 characters instead of the current seven.
Section 5.4.1 in the new standard now requires organizations to have systems in place to detect and protect staff from phishing attacks.
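As an added example, not Warden's code and not from the standard itself, the following script evaluates a constructed account inventory and password policy against the two authentication controls just described: MFA for all access to the CDE and a minimum password length of 12 characters (section 8.3.6). The account fields, policy name, and severity labels are assumptions.

```python
from __future__ import annotations
from dataclasses import dataclass

MIN_PASSWORD_LENGTH_V4 = 12   # PCI DSS v4.0 section 8.3.6 (v3.2.1 required 7)

@dataclass(frozen=True)
class Finding:
    control: str      # the requirement the finding maps to
    subject: str      # the account or policy the finding is about
    severity: str     # low / medium / high, as in the text above
    detail: str

def check_password_policy(policy: dict) -> list[Finding]:
    """Flag a password policy whose minimum length is below the v4.0 threshold."""
    min_len = policy.get("min_length", 0)
    if min_len < MIN_PASSWORD_LENGTH_V4:
        return [Finding("8.3.6", policy.get("name", "password-policy"), "high",
                        f"min_length={min_len}, v4.0 requires >= {MIN_PASSWORD_LENGTH_V4}")]
    return []

def check_cde_mfa(accounts: list[dict]) -> list[Finding]:
    """Flag every account that can reach the CDE without MFA being enforced."""
    return [Finding("Req 8 (MFA for CDE access)", a["user"], "high",
                    "CDE access without MFA")
            for a in accounts if a.get("cde_access") and not a.get("mfa_enforced")]

def run_checks(policy: dict, accounts: list[dict]) -> list[Finding]:
    """Run both checks and return the combined list of findings."""
    return check_password_policy(policy) + check_cde_mfa(accounts)

# Constructed sample data (hypothetical policy name and users).
SAMPLE_POLICY = {"name": "corp-iam-policy", "min_length": 8}
SAMPLE_ACCOUNTS = [
    {"user": "alice", "cde_access": True,  "mfa_enforced": True},
    {"user": "bob",   "cde_access": True,  "mfa_enforced": False},
    {"user": "carol", "cde_access": False, "mfa_enforced": False},
]

if __name__ == "__main__":
    for f in run_checks(SAMPLE_POLICY, SAMPLE_ACCOUNTS):
        print(f"[{f.severity.upper()}] {f.control}: {f.subject} - {f.detail}")
```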
2. Security as a continuous process
PCI DSS v4.0 requires that you assign roles and responsibilities for the following:
- Account data security
- Secure configurations
- Transmission of cardholder data
- Software development
Organizations are also expected to help staff understand how they can implement and maintain security, and to make sure they do. In addition, PCI DSS v4.0 will come with a reporting option that highlights areas for improvement and therefore provides greater transparency for reviewers.
3. Better support for payment technology innovation and flexibility for organizations to achieve security objectives
PCI DSS v4.0 does away with the formal organization-wide risk assessments under section 3.4.2 of the current standard and replaces them with targeted risk analyses, which give organizations flexibility in how they carry out those analyses.
The updated standard also promises to give organizations options for innovative methods of achieving their security goals with a customized approach, and a new way to enforce and validate PCI DSS requirements.
4. Detailed verification and reporting options
There will be more coherence between the information contained in a compliance report and the Attestation of Compliance.
How can I comply with PCI DSS v4.0?
If you are already compliant with PCI DSS v3.2.1, you have until 24 March 2024, or about two years, to be compliant with PCI DSS v4.0.
If you need to be compliant with PCI DSS but have yet to achieve it, skip PCI DSS v3.2.1 and go straight to PCI DSS v4.0.
Either way, two years is a short time, so today is a good time to start updating your compliance or getting certified.
Alright, you are ready to go, determined to get this done. The next question is how?
The first thing you’ll need to do is assess which merchant level (based on transaction volume over a 12-month period) your organization falls under, just as you did for PCI DSS v3.2.1. Easy enough, right?
The thing is, each credit card brand has its own criteria for determining merchant level, and to make matters worse, the brands’ level definitions and compliance validation submission requirements all differ from one another.
That means that you need to look at and understand the respective compliance validation requirements and the respective steps to take to ensure and submit proof of compliance.
It’s not a show-stopping roadblock, but the compliance journey does look daunting from the get-go!
You need a plan and, if you are like most of us, you’ll want to find one that also helps you simplify things or at least make some steps easier to climb.
How Warden’s compliance automation can help
1. We’ve mapped the rules so you don’t have to
Forget sifting through all the standards documentation, taking notes, compiling, and mapping them to a checklist. We’ve done the heavy lifting for you and mapped more than 400 rules from the PCI DSS v4.0 specification into Warden, including:
A. Build and maintain a secure network and systems
Requirement 1: Install and maintain network security controls
Requirement 2: Apply secure configurations to all system components
B. Protect account data
Requirement 3: Protect stored account data
Requirement 4: Protect cardholder data with strong cryptography during transmission over open, public networks
C. Maintain a vulnerability management program
Requirement 6: Develop and maintain secure systems and software
D. Implement strong access control measures
Requirement 7: Restrict access to system components and cardholder data by business need-to-know
Requirement 8: Identify users and authenticate access to system components
E. Regularly monitor and test networks
Requirement 10: Log and monitor all access to system components and cardholder data
Requirement 11: Test security of systems and networks regularly
F. Maintain an information security policy
Requirement 12: Support information security with organizational policies and programs
The compliance checks for PCI DSS v4.0 on Warden are available for all supported Cloud Service Providers (CSPs): AWS, Google Cloud, Microsoft Azure, Huawei Cloud, and Alibaba Cloud.
2. Easily and quickly fix compliance violations with automated remediation
Searching Google for a fix for a compliance violation can be confusing because let’s face it, some solutions may look easy but can be complicated to execute while other solutions may not even apply to your environment.
Instead, fix yourself a cuppa, and let Warden’s auto and one-click remediation immediately take care of the misconfigurations and remove the violation for you. We also show you what was done, so you can understand and level up!
That said, you can also choose to be hands-on and use the code Playbook or manual remediation to fix the issues.
We have also built in the ability for you to customize the rules so you can map additional in-house rules to the PCI DSS security controls.
3. Customized severity flags
Not all risks are equal — some are more severe than others and that also varies from one organization to another.
Warden allows you to change the severity of flagged vulnerabilities to low, medium, or high, with an option to accept the risk, mark it as remediated, or even leave notes on the findings for your colleagues and team members.
4. Easily generate customized compliance reports
Nobody likes writing reports so this is going to be somewhat of a godsend.
Easily and quickly generate PCI DSS compliance reports. All you need to do is click on the “Generate Report” button on Warden’s rich and interactive dashboard!
See it to believe it
With less than 2 years to upgrade your PCI DSS compliance to version 4.0, every minute you save is a step closer to meeting and even beating the deadline. You can easily arrange for a demo today to see how Warden's compliance automation can help smooth your PCI DSS v4.0 compliance journey.