In just under a year’s time, organizations will have had to comply with several new requirements under version 4.0 of the Payment Card Industry Data Security Standard (PCI DSS).
About PCI DSS
PCI DSS comprises 12 requirements to protect payment card data and has changed very little in the last ten years. But following three years of consultation, it has now undergone a substantial overhaul.
The latest version – 4.0 – was released in March 2022 and currently co-exists with version 3.2.1. It features 63 changes, 13 of which become mandatory in April 2024 when v3.2.1 is retired, with organizations required to fully comply with all the changes by March 2025.
V4.0 places much more emphasis on putting in place processes that are maintained as part of the business-as-usual culture, rather than with the objective of passing an annual assessment, according to the Verizon 2022 Payment Security Report. But what do the new requirements mean in practice and how can businesses begin to make the transition?
Adapting to new technology
PCI DSS 4.0 features four major changes:
The terminology has been updated with respect to network security controls to support a broader range of technologies that can be used to meet the security objectives traditionally met by firewalls
This reflects a move away from traditional server-based and parameterized networks towards distributed architectures, such as cloud and serverless technologies as well as zero trust network architecture (ZTNA) and sees the standard seek to accommodate the control mechanisms specific these new environments, supporting payments via mobile and the IoT, for instance. That said, the standard has always gone to great pains to remain technology neutral, so the aim here is to be all-encompassing while moving with the times.