The clock is ticking on PCI DSS v3.2.1. On 31 March 2024, PCI DSS v3.2.1 will be retired, making the transition to PCI DSS v4.0 essential for organizations involved in payment data security. To help with this transition, PCI SSC has identified eight steps you should take on your journey to PCI DSS v4.0.
Step #1: Start Now
The most important step in your organization’s journey to PCI DSS v4.0 is to start now. The PCI DSS v3.2.1 retirement date is quickly approaching and will be here before you know it. The sooner you understand what PCI DSS v4.0 means for your organization, the sooner you can start planning and prioritizing the work to ensure a smooth and efficient transition.
Step #2: Stay Strong
As your organization starts implementing changes to meet PCI DSS v4.0, it is important to not let any v3.2.1 security controls slip. Continue to maintain and monitor all your existing PCI DSS security controls, even though your focus might be on implementing new requirements for version 4.0.
If your organization is new to PCI DSS, consider using the defined approach for version 4.0 as it provides specific directions on how to meet security objectives. Even if you’re familiar with PCI DSS, the defined requirements and testing procedures may offer a clearer transition path for your organization than the customized approach.
By taking the necessary steps to remain vigilant with your security controls while preparing for v4.0, your organization can stay strong during its journey to meet the latest version of the Standard.
Step #3: Understand the Requirements
When it comes to understanding the changes in PCI DSS v4.0, the best place to start is by reading the PCI DSS v3.2.1 to PCI DSS v4.0 Summary of Changes. Located in the PCI SSC Document Library, this document provides a valuable summary and descriptions of the changes between PCI DSS v3.2.1 and v4.0. It also includes a Summary of New Requirements table that lists all the new requirements along with their applicability and effective dates.
In addition to the Summary of Changes, there is a lot of new and expanded guidance to be found within the Standard itself. This additional guidance helps to provide a clearer understanding of the requirements, as well as explaining the new concepts introduced in PCI DSS v4.0, such as Targeted Risk Analyses and Network Security Controls.
Organizations that use Self-Assessment Questionnaires (SAQs) should also read the Standard, as the detailed guidance provided for each requirement is not included in the SAQ documents. There have also been updates within the SAQs, and it is important that self-assessing entities read their corresponding SAQ to understand the full scope of changes.
Once you understand the version 4.0 requirements, map them against your current security controls and analyze the impact the changes may have on your organization. You might find that you already meet some of the v4.0 requirements, so you can prioritize your transition efforts where they are most needed.
By thoroughly familiarizing yourself with the changes in PCI DSS v4.0, your organization will be better prepared to complete a smooth and efficient transition.
Step #4: Choose the Right Validation
When transitioning to PCI DSS v4.0, consider which validation approach is right for your organization. There are two options: the defined approach and the customized approach. The defined approach follows the traditional method for implementing and validating PCI DSS requirements, using the requirements and testing procedures stated within the Standard. The customized approach allows organizations to design custom security controls that can be used to meet the requirement’s customized approach objective. If you are considering the customized approach, be sure you thoroughly understand what is required, and verify that your implementation meets the additional risk analysis and documentation requirements before attempting a customized approach validation.
For organizations using compensating controls to meet a requirement in v3.2.1, review the updated requirements and validation options in v4.0 to determine the best approach.
Ultimately, selecting the right validation approach will depend on your organization’s security strategy and approach to risk management. Carefully consider both options to ensure that you choose the right approach for your organization.
For more information on the customized approach, read the Customized Approach blog series and watch Kandyce Young answer stakeholder questions in this “Questions with the Council” video.
Step #5: Do the Work
When doing the work, be sure to get everyone involved. Communicate your transition plan across all departments and functions, ensuring that everyone knows their role and what to expect. Clearly define roles and responsibilities for each requirement.
Effective project management is critical to a successful transition. This includes maintaining accurate project plans, defining achievable and timely milestones, and continually tracking your progress.
Finally, document everything. Establish policies and procedures to support ongoing and consistent implementation of security controls. There are also some new documentation requirements in PCI DSS v4.0 that you might need to address.
Step #6: Use Trusted Partners
It’s essential to educate and train your staff about their role in keeping your data secure and meeting PCI DSS. Identify any skills gaps and train your teams in any new technologies you are implementing. This is especially true for small businesses, where every team member will need to be trained and made aware of their role in the transition.
When implementing security controls, partner with a trusted security team. Utilize qualified professionals such as Payment Card Industry Professionals (PCIPs), Internal Security Assessors (ISAs) and Qualified Security Assessors (QSAs). These qualified individuals can support the consistent and proper application of PCI DSS controls.
Use technologies and solutions that have been tested and validated against security standards for the protection of payment data. PCI SSC maintains listings of products and solutions validated to PCI SSC standards, including Point-to-Point Encryption (P2PE) Solutions, Validated Payment Software, and Approved PTS Devices.
Step #7: Do Your Own Assessments
The best way to prepare for a PCI DSS assessment is to do your own assessments. Preparing for an assessment should begin as soon as possible; the more time invested in preparation, the more efficient and successful your assessment will be.
Performing gap assessments early and often will help you identify the areas you need to work on. Early planning is key to being able to address any gaps before a formal validation is required.
Regular testing will also confirm whether your new or updated security controls are implemented across all your in-scope systems and areas.
Finally, it’s important to establish open lines of communication with the assessment team prior to the assessment. This can help ensure that all documentation is ready and that any questions are answered prior to the assessment taking place.
Step #8: Prioritize Security as a Continuous Process
PCI DSS v4.0 is designed to support long-term, continuous processes to protect payment data. The additional flexibility provided in PCI DSS v4.0 allows organizations to choose security controls most suited to their business and security needs. Organizations focused on maintaining PCI DSS security controls year-round can more readily avoid recurring cycles of short-term compliance followed by security lapses and short-term remediation each time they have an assessment.
Regular staff training and awareness sessions should be conducted to help employees understand the importance of PCI DSS and the role they play in keeping the organization’s payment data secure. Building security into business-as-usual practices and engraining them as part of organizational culture will help ensure that, if control failures occur, it can be quickly detected, reported, and corrected.
By focusing on security as a continuous process, organizations will have greater assurance in their PCI DSS v4.0 implementations and reduce the risk of security incidents and breaches.
Additional Resources
Additional PCI DSS v4.0 resources are available through the PCI DSS Resource Hub. Organizations can also subscribe to the PCI Perspectives Blog to stay informed of updates coming from PCI SSC.