According to the 2020 Verizon Payment Security Report, only 27.9% of global organizations maintained full compliance with the PCI DSS in 2019 — marking the third straight year that PCI DSS compliance has declined. The report also found that only about 50% of organizations successfully test security systems and processes. This is especially concerning as we approach the holiday shopping season, and as COVID-19 continues to accelerate e-commerce and contactless payment trends. 

PCI DSS 3.2.1 is currently the gold standard for organizations handling credit card information. Organizations, regardless of size, that accept, transmit, or store payment card data must achieve compliance under the PCI DSS 3.2.1 regulations by law or risk penalties of up to $500,000 per violation. If you missed our latest post, PCI DSS Compliance Levels: A Complete Guide, we recommend taking a step back to understand in greater detail what the regulatory requirements are currently. In this post, we’ll go over expected changes for PCI DSS 4.0, slated to come into effect in mid-2021. 

PCI DSS 4.0 timeline

Following the closure of the request for comment (RFC) phase on November 30, 2019, the PCI SSC (Security Standards Council) has been developing the new DSS version to be completed by the end of this year. Based on this timeline, the slated enforcement date will come in mid-2021.

Therefore, businesses must plan ahead now. Organizations will need to accommodate budgetary changes to adapt to the new requirements and additional data management/security testing. Executing on these changes will likely require staffing changes, new tools and data discovery solutions, as well as overall organization-wide training efforts. 

When will my organization need to comply with PCI DSS 4.0? 

Once PCI DSS 4.0 is released, an extended transition period will be provided for organizations to update from PCI DSS 3.2.1 to PCI DSS 4.0. To support this transition, PCI DSS 3.2.1 will remain active for 18 months once all PCI DSS 4.0 materials — that is, the standard, supporting documents (including SAQs, ROCs, and AOCs), training, and program updates — are released.

This extended period allows organizations to do a few things in preparation. It provides time to become familiar with the changes in 4.0, update reporting templates and forms, and plan for and implement necessary changes to meet the updated requirements. Upon completion of the transition period, PCI DSS 3.2.1 will be retired and 4.0 will become the only active version.

What’s changing from v3.2.1 to 4.0? 

With version 4.0, PCI DSS is evolving to support a broader range of payment environments, technologies, and methodologies for achieving security. The ultimate goal of version 4.0 is to ensure that the standard continues to meet the ever-changing security needs of the high-risk financial services industry. PCI DSS 4.0 places greater emphasis on security as a continuous process and will promote fluid data management practices that integrate with an organization’s overall security and compliance posture. The majority of changes to the requirements are achieved by changing the language from stating what ‘must’ be implemented to what the resulting security outcome ‘is’. Other changes include: 

  • Authentication, specific consideration for the NIST MFA/password guidance
  • Broader applicability for encrypting cardholder data on trusted networks
  • Monitoring requirements to consider technology advancement
  • Greater frequency of testing of critical controls; for example, incorporating some requirements from the Designated Entities Supplemental Validation (PCI DSS Appendix A3) into regular PCI DSS requirements

Don’t wait to get ahead – ensure PCI DSS compliance

If you’re already compliant with PCI DSS 3.2.1, you’re off to a good start. But version 4.0 is expected to be even stricter than the already stringent 3.2.1. The most effective way to remain compliant or start your compliance journey is to conduct a data discovery audit. 

Ground Labs Enterprise Recon PCI solution is deeply rooted in PCI compliance and is the global leader in PCI scanning. It allows organizations to discover and remediate sensitive cardholder information, as well as over 300 other data types (predefined types and their variants) covering sensitive, personal and confidential data, across an organization’s entire network, both on-premise and in the cloud. Remediation functions are available to mask, encrypt or delete sensitive data, making it an effective solution to help organizations achieve and maintain PCI DSS compliance.

PCI DSS 4.0 is coming — ensure your organization is ready for it with the help of Ground Labs. Have questions about PCI DSS 4.0, or curious to learn more about how Enterprise Recon PCI can help you succeed? Schedule a demo with a PCI data discovery expert today.
