Timeline for PCI DSS 4.0 Compliance – First Steps
As we’ve been writing, PCI DSS 4.0 is upon us. We’ve discussed some of the broader changes around the newer versions, but we have yet to dig deeper into the timeline for version 4.0.
This article will discuss the preliminary steps you can take to prepare for the update. With a focus on understanding your IT infrastructure and the impact of the regulations on how you can use it, you can start to get your feet wet with the new standards and some of the curveballs they might throw at you.
What Is PCI DSS 4.0?
Not to get bogged down in the specifics, PCI DSS 4.0 is the latest update to the PCI DSS standard that has been long in the works. After a few timeline adjustments over the past few years, we’re finally moving past the older version 3.2.1 for a more modern set of standards that can address new technologies like cloud-driven eCommerce and mobile device security.
Some of the major changes in PCI DSS 4.0 include:
- Widespread Updates to Requirements: The core 12 requirements of PCI compliance have seen a broad update, including changed standards on encryption, key management, authentication, and data handling. The entire set of changes is beyond the scope of this article, but these changes are pushing for more flexible and effective security controls around common buying scenarios online.
- Customized Validation: Enterprise organizations with highly unique infrastructure can meet the spirit of the requirements through a personalized approach to validation, coordinated with their auditor and the guidelines in the new 4.0 standard.
- Emphasis on Risk Assessment: Many security regulations and frameworks are turning to risk-based approaches that promote comprehensive security and system knowledge over checklist approaches to compliance. PCI DSS 4.0 and the turn to risk management are pushing businesses to integrate risk assessment as part of a more comprehensive and effective security approach.
Many of these changes are layered; some are immediate requirements for version 4.0 certification, and others are considered best practices until their full implementation later.
Timeline for PCI DSS 4.0 as of Third Quarter 2022
The basic timeline for PCI DSS 4.0 right now is relatively straightforward but sets a horizon for the setting sun on version 3.2.1:
- PCI DSS Released (Q1 2022): The full version of PCI DSS 4.0 was released in March 2022.
- ISA/QSA Training and Supporting Documents Released (Q2 2022): Soon after, training and preparatory documents for Internal Security Assessors (ISAs) and Qualified Security Assessors (QSAs) to conduct audits for organizations.
- Version 3.2.1 Retired (Q1 2024): Businesses have roughly two years to finalize their initial switch to version 4.0 (or, at least, for the baseline requirements), before version 3.2.1 is officially retired by March 2024 at the latest. After this point, all payment processors, merchants handling payment information, or other related businesses must meet PCI DSS 4.0.
- Future-Dated Requirements Become Standard (Q1 2025): Roughly three years from release, future-dated requirements (or those designated by the standard as such) move from “best practices” to full requirements.
How Are Businesses Preparing for this First Phase?
It’s important not to get stuck on the idea that, because it is early, there is plenty of time to get ready. It’s always preferable to work on something while there is time available to get it right, rather than working with a deadline you can’t meet because you waited too long to implement changes.
In these earliest stages, there are a few clear steps to take to get your business ready. These include:
Inventory Affected Infrastructure
One of the core requirements of PCI DSS is for your business to create and maintain an IT infrastructure inventory that handles protected cardholder data. This includes servers, workstations, networking infrastructure, mobile devices, removable storage, employees, and third-party vendors.
To support businesses creating their PCI inventory, the PCI Security Standards Council released a scoping document and aid in 2016. This document is the latest version of such an aid and still stands as a useful reference until (or if even) a newer version is published.
Determine Your Business Type with the Self-Assessment Questionnaire
Depending on your business type and the types of payments you accept, you are eligible to complete a Self-Assessment Questionnaire (SAQ).
- PCI DSS SAQ Type A: A self-assessment for businesses that accept eCommerce or telephone orders, outsource payment processing to a third party, and where reports come from PCI DSS compliant vendors.
- PCI DSS SAQ Type B: A self-assessment for merchants that only accept face-to-face purchases, that the terminals for these channels are not feeding data to other merchant systems or the Internet, and the merchant does not store that data electronically.
- PCI DSS SAQ Type C: A self-assessment for merchants with processing services that connect to the Internet but are not connected to other merchant systems, and the merchant does not store electronic customer data.
- PCI DSS SAQ Type D: A catch-all for merchants who do not fit into the above categories. This includes merchants who accept digital eCommerce and face-to-face transactions or store card data electronically.
Decide on Standard or Customized Approaches
Highly customized approaches can allow plenty of flexibility for an enterprise at the cost of having a highly unique infrastructure that isn’t easily slot into the defined PCI DSS standards.
Generally speaking, a good rule of thumb for customized approaches is:
- Suppose you are a large enterprise with in-house software or infrastructure or a small business with very, very unique products and services. In that case, it may be worth your investment to work with your auditor on a customized approach to validation.
- If you are using easily obtainable or industry-standard hardware and software, or if you’re a smaller operation without dedicated IT support, then a standard approach will probably be a better option.
Line Up with an Auditor
You’re going to work for an auditor for your annual validations–even if you fall into a category where you can provide ongoing self-assessments, a skilled and experienced auditor can ensure that you are not only meeting the minimum requirements but that you are prepared to continue down the road to PCI DSS 4.0 compliance.
Stay PCI Compliant with Lazarus Alliance
We work with hundreds of companies that, in one way or another, handle credit card data. They know that, for the protection of customer data and their reputation, as well as their ability to do business, that stay compliant with the latest version of the PCI standards.
If you’re ready to kick start your path to PCI DSS 4.0 compliance, the Lazarus Alliance is the experienced security firm to support you the entire way.
Are You Thinking Ahead for PCI DSS 4.0?
Call Lazarus Alliance at 1-888-896-7580 or fill in this form.