The Payment Card Industry Data Security Standard (PCI DSS) has been the bedrock of cardholder data protection since its launch in 2006. With the implementation deadline of March 31st, 2024 rapidly approaching, the standard has undergone a significant transformation since its previous version to address the evolving demands and complex nature of modern cyber threats.
The update to the standard is driven by four main objectives:
Introduction of the Customised Approach
The most significant change from PCI DSS 3.2.1 to 4.0 is the introduction of the Customized Approach. This concept allows entities to move beyond the traditional 'Defined Approach', which requires strict adherence to the technical controls as specified in the standard. Instead, with the Customized Approach, entities have the flexibility to select controls that they deem most suitable for their environment to manage associated risks. This offers greater adaptability and the ability to embrace innovative solutions. In PCI DSS v4.0, entities have the choice to use either the Defined Approach or the Customized Approach, depending on their specific needs and circumstances.
Updated and New Requirements
Alongside the Customised Approach, PCI DSS 4.0 has updated existing requirements and introduced new ones to mitigate emerging threats. Key updates include:
The Self-Assessment Questionnaires and the Report on Compliance template have been greatly expanded in levels of detail and doubled in size. Audited organizations are now under a lot more scrutiny to achieve compliance.
The transition period of 31 March 2024 provides organizations with the necessary time to transition to the new version while retaining the option to comply with the previous version, v3.2.1. Additionally, out of 64 of the new requirements, 51 are future-dated due to their complexity and/or cost of implementation. Certain requirements will be considered best practices until 31 March 2025, after which they will become mandatory.
Impact on Organisations
For organizations that are already PCI-validated, it is crucial to review the changes in PCI DSS 4.0 and begin planning for the transition. This should involve consulting with a qualified security assessor to understand the implications of the new Customized Approach and other changes.
Summary of Changes
The PCI Security Standards Council has made substantial updates to the standard, reflecting the need to stay current with the evolving threat landscape and technological advancements. These changes affect a broad spectrum of requirements and will have implications for all entities that handle cardholder data.