According to the 2020 Verizon Payment Security Report, only 27.9% of global organizations maintained full compliance with the PCI DSS in 2019 — marking the third straight year that PCI DSS compliance has declined. The report also found that only about 50% of organizations successfully test security systems and processes. This is especially concerning as we continue to adapt to the acceleration of e-commerce and contactless payment trends.
PCI DSS 3.2.1 is currently the gold standard for organizations handling credit card information. Organizations, regardless of size, that accept, transmit, or store payment card data must achieve compliance under the PCI DSS 3.2.1 regulations by law or risk penalties of up to $500,000 per violation. If you missed our latest post, PCI DSS Compliance Levels: A Complete Guide, we recommend taking a step back to understand in greater detail what the regulatory requirements are currently. In this blog, we’ll go over expected changes for PCI DSS 4.0, slated to come into effect in mid-2021.
PCI DSS 4.0 release date & timeline
According to the PCI SSC (Security Standards Council), the expected release date of PCI DSS 4.0 is Q1 2022. Based on this timeline, the slated enforcement date is still pending but historically comes within two quarters of the standard’s release.
Therefore, businesses must plan now for how they will maintain compliance. Organizations will need to budget for the new requirements and for the additional data management and security testing they entail. Executing these changes will likely require staffing changes, new tools and data discovery solutions, as well as organization-wide training efforts.
When will my organization need to comply with PCI DSS 4.0?
Once PCI DSS 4.0 is released, an extended transition period will be provided for organizations to update from PCI DSS 3.2.1 to PCI DSS 4.0. To support this transition, PCI DSS 3.2.1 will remain active for 18 months once all PCI DSS 4.0 materials — that is, the standard, supporting documents (including SAQs, ROCs, and AOCs), training, and program updates — are released.
This extended period allows organizations to do a few things in preparation. It provides time to become familiar with the changes in PCI DSS 4.0, update reporting templates and forms, and plan for and implement necessary changes to meet the updated requirements. Upon completion of the transition period, PCI DSS 3.2.1 will be retired and 4.0 will become the only active version.
PCI DSS 4.0 Changes
With version 4.0, PCI DSS is evolving to support a range of evolving payment environments, technologies, and methodologies for achieving security. The ultimate goal of PCI DSS 4.0 is to ensure that the standard continues to meet the ever-changing security needs of the high-risk financial services industry. PCI DSS 4.0 places greater emphasis on security as a continuous process and will promote fluid data management practices that integrate with an organization’s overall security and compliance posture. Many of the changes to the requirements are achieved by rewording them: instead of stating what ‘must’ be implemented, they state what the resulting security outcome ‘is’. Other changes may include:
- Authentication – updated to reflect the latest industry best practices for passwords and multi-factor authentication.
- Encryption – broader applicability for cardholder data on trusted networks, and a requirement for a data discovery process.
- Monitoring – updated requirements for cardholder data environments that take recent technology advances into consideration.
- Testing of critical controls – at greater frequency, and perhaps incorporating some requirements from the Designated Entities Supplemental Validation (PCI DSS Appendix A3) into the regular PCI DSS requirements.
Don’t wait – ensure PCI DSS 4.0 compliance now
If you’re already compliant with PCI DSS 3.2.1, you’re off to a good start. But version 4.0 is expected to be even stricter than the already stringent 3.2.1. The most effective way to remain compliant, or to start your compliance journey, is to conduct a data discovery audit.
Ground Labs’ Enterprise Recon PCI solution is deeply rooted in PCI compliance and is the global leader in PCI scanning. It allows organizations to discover and remediate sensitive cardholder information, as well as over 300 other data types (predefined types and their variants) covering sensitive, personal and confidential data, across an organization’s entire network, both on-premise and in the cloud. Its remediation functions can mask, encrypt or delete sensitive data, making it an effective solution for helping organizations achieve and maintain PCI DSS compliance.
PCI DSS 4.0 is coming — ensure your organization is ready for it with the help of Ground Labs. Have questions about PCI DSS 4.0, or curious to learn more about how Enterprise Recon PCI can help you succeed? Schedule a demo with a PCI data discovery expert today.