What’s new in PCI DSS v4.0
As the global standard for the payments industry, PCI DSS provides a baseline of technical and operational practices designed to protect payment data. Version 4.0 incorporates many changes to keep pace with the evolving threat landscape. In this article, we focus on the few that we think have the biggest impact.
Improve security practices to meet evolving threats
We must adapt our security practices to stay ahead of ever-changing threats. PCI DSS v4.0 raises the standard for security practices with new requirements like:
- Expanded multi-factor authentication requirements: MFA is now required for all access into the cardholder data environment, not only for administrative access
- Updated password requirements, including a longer minimum password length and stronger rules for changing and protecting credentials
- New e-commerce and phishing requirements to address ongoing threats, such as managing and monitoring the scripts that run on payment pages and deploying anti-phishing controls
Promote security as a continuous process
Security is not a single action. To be truly effective, security must be ongoing and ingrained in our day-to-day business practices. PCI DSS v4.0 helps your business achieve this with:
- Clearly assigned roles and responsibilities for each requirement
- Added guidance to help people understand how to implement and maintain security
Increase flexibility for organisations using different methods to achieve security objectives
With legacy systems and industry-specific needs or restrictions, there is no one-size-fits-all security model. By increasing flexibility, PCI DSS v4.0 offers more options to achieve a requirement's objective and supports payment technology innovation.
- Allowance of group, shared, and generic accounts on an exception basis only: their use must be justified, documented and approved by management, and every action must still be traceable to an individual user
- Targeted risk analyses allow organisations to set their own frequencies for performing certain activities, in place of the fixed intervals prescribed in earlier versions
- Customised approach, a new method to implement and validate PCI DSS requirements, provides an alternative to the traditional defined approach for organisations using innovative methods to achieve security objectives
Enhance validation methods and procedures
Clear validation and reporting options support transparency and granularity. PCI DSS v4.0 helps with reporting enhancements like:
- Increased alignment between the information reported in a Report on Compliance or Self-Assessment Questionnaire and the information summarised in an Attestation of Compliance
When will these changes be in place?
In March 2024, your PCI web portal account will be updated to the new standard. From that point on, you'll report your PCI compliance with version 4.0 of the PCI DSS, as version 3.2.1 is retired at the end of that month. Note that a number of the new v4.0 requirements are designated as best practices until 31 March 2025, after which they become mandatory, so plan your implementation work against that later date as well.