How Are Small Businesses Addressing PCI DSS 4.0?

PCI DSS 4.0 featured

PCI DSS 4.0 is public and rolling out. Fortunately for most organizations, adopting the new requirements isn’t an all-or-nothing proposition as of July 2022. However, it’s quickly becoming apparent that businesses large and small must address the new PCI standards sooner, rather than later. This presents a few challenges and opportunities for small businesses. 

Here we’ll discuss what’s coming down the pipeline for PCI DSS as it relates to small businesses that may handle consumer credit information. While the standard is the same no matter the business size, the impact of the new standards will hit differently for SMBs. 


What Is the PCI DSS 4.0 Update?

The PCI DSS 4.0 revision has updated hundreds of aspects of the previous 3.2.1 version. In most cases, line-item changes are too fine a point for anyone but auditors and advanced, IT-focused companies. 

For a small business that’s just trying to leverage technology to keep them competitive in a modern, digital marketplace, it’s just not going to provide real value to comb through all those changes. 

However, some significant updates are incredibly important to understand:

  • Flexible Validation Standards: The previous version of PCI allowed for a more “interpretive” approach to validation, tied to a company’s ability to justify and implement specialized IT systems that meet the spirit of the requirements without being exactly what is asked for. These criteria can benefit advanced companies or SMBs with innovative and distinctive infrastructures. However, many SMBs will benefit from following more specific and explicit criteria. 
  • Updates for the 12 Criteria: Speaking of the core criteria–there have been significant updates to each criterion, primarily around expanding security measures like encryption and codifying best practices. 
  • Emphasis on Cloud: Many security measures and best practices that have been changed between 3.2.1 and 4.0 involve cloud security. This includes ensuring that cloud vendor relationships are secure and that cardholder data remains safe as it moves between cloud providers, merchants, and customers.
  • Increased Emphasis on Authentication Security: PCI DSS increases the security necessary for authentication. Specifically, this standard calls for implementing MFA on all systems with personal account numbers (PAN). This includes heightened authentication security for employees that access these systems for development or maintenance purposes. 
  • Inclusion of Risk Requirements: Risk management was a suggested but not mandatory practice for merchants and processors in version 3.2.1. In 4.0, the PCI security council is mobilizing strict requirements around a company’s ability to conduct risk assessments and use them to develop their security practices. 


Basic Timeline of PCI DSS 4.0 Adoption


Fortunately, the rollout of the PCI DSS 4.0 revision has been created with the notion that businesses large and small should be able to implement the new changes at a reasonable pace. 

The official version 4.0 documents were released in the second quarter of 2022. This publication was followed by PCI DSS auditors’ support and training documents. 

However, version 3.2.1 is still in effect and will not be retired until Q1 of 2024. That means companies still compliant with 3.2.1 will not face penalties for not meeting version 4.0 standards. However, by the end of March 2024, this will no longer be the case. 

Some requirements have been “future dated” or designated as complex enough to need more time to integrate across the retail and merchant markets. Organizations have until the end of Q1 2025 to fully comply with these requirements.


How Can a Small Business Prepare for PCI 4.0?

While there is a significant buffer between versions 3.2.1 and 4.0, there is no excuse to drag your feet on planning your transition. With that in mind, there are several things to consider when preparing for that change: 

  • Download and Digest Guidelines: While the PCI DSS regulations are dense and technical, they are also freely available to the public. There is no reason not to have a copy of the latest version stored and ready for internal IT reference and self-directed assessments. 
  • Cultivate a Culture of Security: The move from 3.2.1 is punctuated by a much more modern approach to digital security, including MFA, advanced encryption, and more stringent safety and organizational practices. You must prepare your people to adhere to these standards and understand why they are doing it. Furthermore, it must be said that employees without any experience working with private data don’t understand the necessity of maintaining compliance standards, and it is up to you to instill that discipline into your business practices. 
  • Survey and Document Project Scope: PCI DSS requires you to inventory all systems that will come into contact with private cardholder systems. More importantly, by understanding the project’s scope, you can better understand the people, processes, and policies that will play a role in your security and compliance operations. 
  • Focus on Authentication for Any Relevant Systems: In previous versions, authentication security was often focused on external systems. Modern updates also call for MFA-enabled authentication for internal users at any access point where PANs are accessible. Furthermore, there should be user and system-level event logging throughout. 
  • Get Serious About Risk Assessment: Risk is a significant focus for the PCI DSS 4.0 standard, but more importantly, risk management is quickly becoming the baseline for security across the board. Start to work with what it means to conduct a risk assessment, from comparing existing systems to current threats and requirements and measuring acceptable risk against business and security goals.
  • Work with Security Experts: If you’re a small business, you can’t possibly be expected to navigate complex security issues alone. In a world where service providers are the norm, you shouldn’t shy from working with a security firm that understands the challenges of PCI DSS assessments and ongoing maintenance. 

Prepare for PCI DSS 4.0 with Lazarus Alliance

PCI DSS 4.0 isn’t in full effect yet. But, you don’t want to be one of those businesses scrambling at the deadline to catch up at the last minute.

Working with Lazarus Alliance, you can harness decades of experience with advanced security regulations and PCI DSS assessments to guide you towards a successful version 4.0 update.


Are You Thinking Ahead for PCI DSS 4.0?

Call Lazarus Alliance at 1-888-896-7580 or fill in this form. 

Lazarus Alliance