PCI DSS 4.0: When Does My Company Need to Be Ready?

Published on February 26th, 2023

  • PCI-DSS 4.0 has been released, with version 3.2.1 to be retired.
  • When should companies prepare to migrate to 4.0?
  • How should companies properly plan and prepare?


PCI DSS version 4.0, originally conceived in 2019 and having gone through two unprecedented Requests for Comment (RFCs), is finally being released in March 2022. Many companies may be unsure about when to migrate to the new version. Even though it is available, does your company need to validate under version 4.0 now, or are you still allowed to use version 3.2.1?


The Timeline

Historically, the PCI Security Standards Council (SSC) used a three-year lifecycle between versions. This allowed industry changes and feedback from council membership to be vetted and then integrated into each major release. The SSC also conducted interim updates (for example, from version 3.2 to 3.2.1) to address critical changes in the industry. Given the recent business adoption of technologies such as cloud and serverless computing, PCI DSS 4.0 has been developed to allow the standard and its requirements to evolve with current technology trends.


With each new version introduced, the SSC kept the previous version valid for 18 months prior to retirement. With version 4.0’s introduction, the existing version 3.2.1 will be valid, but is scheduled to sunset on March 31, 2024. Until that date, either PCI DSS version 3.2.1 or 4.0 can be used for assessments. With a two-year gap between release and mandatory assessment with 4.0, when does your company need to be ready? There’s plenty of time, right?


The Answer Is: It Depends

With the release of version 4.0, the standard has expanded to include new requirements for evolving technologies, with many existing requirements being updated, reworded or consolidated. Overall, the standard is adopting a new focus on strengthening security and maintaining compliance as an ongoing process. While many enterprises have adequate security controls in place to meet PCI DSS version 3.2.1, v4.0 may alter control requirements. Additional capital or operational expenditures may be required; CTOs and CISOs will need to forecast their budgets, address any additional overhead to cover these expenditures and begin planning for adoption in 2022.

Some enterprises may have sufficient risk and cybersecurity program maturity to be early 4.0 adopters. These organizations will have a robust security approach and incorporate PCI DSS controls into their technology initiatives, management and operations teams and risk and incident response (IR) programs. This maturity would allow these businesses to quickly adjust their environments to meet version 4.0.


Other enterprises manage PCI DSS controls sufficiently, but may lack the budget or personnel to quickly modify the environment for version 4.0. Budgeting, overhead, new technologies and process changes take substantial planning and time. The need to fully understand these business challenges is the reason for the 18-month extension of the previous version: businesses can carefully plan and incorporate the new PCI DSS requirements with minimal impact to production operations.


How Can My Company Start Planning?

The first step is to obtain a copy of the PCI DSS 4.0 standard, along with the PCI DSS v4.0 Summary of Changes. The summary maps the differences between version 3.2.1 and 4.0, and covers changes to structure or format, clarifications, guidance, evolving requirements and new requirements. New requirements are labeled for easy identification and are described in detail within the PCI DSS 4.0 standard document. This allows executive management, information security and product teams to begin analyzing how the new requirements will impact their environment. If a qualified security assessor (QSA) is used for annual PCI assessments, reach out to them for an explanation of the changes in PCI DSS version 4.0 and the impacts to current credit card handling operations.


Planning challenges include not only the budgetary requirements for new technologies and their implementation, but also the work of updating control standards, policies and procedures. Planning should also cover adequate staffing, skillsets and training to address these additional challenges, and all of these should be included in any budgetary forecasts. Internal security teams should examine and test existing security solutions, measuring them against the version 4.0 requirements and identifying any potential gaps. These teams should also consider the version 4.0 requirements when evaluating any newly planned technology initiatives, such as platform migration to the cloud or expanding the use of encryption for handling cardholder data.


Early planning should illustrate the organization's cybersecurity strengths and maturity and will provide a roadmap for version 4.0 adoption. From there, the business can decide between early adoption and eventual migration prior to March 2024.
