As payments move ever closer to becoming almost exclusively electronic, payment card companies, retailers and legislators increasingly focus on customer security and data protection.
As discussed in our recent blogs on Open banking and Cyber security, electronic payments and data management come with many risks to businesses and their customers. New security measures, including PCI DSS 4.0 for card payments, are constantly introduced.
What is PCI DSS 4.0?
Set by the PCI SSC (Payment Card Industry Security Standards Council), PCI DSS is the global data security standard the payment card industry uses to protect the cardholder. It applies to any organisation that processes, stores or transmits cardholder information or private authentication data.
Essential compliance requirements of the Standard include: maintaining firewalls, anti-virus software and security policies; ensuring the use of unique IDs and passwords; applying encryption to cardholder data in transit; and restricting and tracking access to cardholder information.
Until now, the sector has used a version of the Standard known as PCI DSS v3.2.1; this was seen as insufficient for the industry's evolving security needs and is now being replaced by PCI DSS 4.0.
The new version of the Standard will place increased focus on risk analysis and governance and requires companies to be prepared to report continuously rather than annually, which is the current obligation. While this is good for customer security, it will pile further pressure on companies to remain compliant.
On the upside, however, as the new rules have been designed in conjunction with feedback from top global industry players, the changes will allow businesses more flexibility to report in ways which suit their targeted organisational needs and personal risk exposure.
When will the rules change?
The update was released on March 31 2022, so companies who want to comply with industry ‘best practice’ should already be implementing the changes.
However, the new rules will be optional and only partially replace the current Standard until March 31 2024, when 3.2.1 will be retired, with a handful of the new 4.0 requirements not becoming mandatory until March 31, 2025.
Organisations can ‘opt-in’ before the 2024 deadline, and those who do will have access to self-assessment questionnaires and other supporting documents once they are published in the coming months.
Should my organisation be preparing for the changes now?
The simple answer is yes. According to the National Law Review:
Implementing PCI DSS 4.0 will require structural changes that go beyond tweaking security controls. Businesses will also need to prepare for the increased legal risks of PCI DSS 4.0’s obligations.
They go on to say that:
PCI DSS 4.0 is an extensive change to the previous version of PCI DSS. The additional annual diligence requirements will take time and effort to establish.
The move to PCI DSS 4.0 will likely be time-consuming, and businesses will require the proper risk governance, compliance and legal teams in place to identify any current compliance gaps and successfully navigate the changes. Organisations are being advised to act now to allow time to recruit the right talent and to plan and implement new tailored processes to satisfy the updated rules.
If you are looking for a team of tech, cyber security, risk, compliance or IT professionals for anything from a small short-term project to a large-scale long-term managed contract, get in touch with Dukebridge today and find out how our hybrid consulting services can quickly and effectively fulfil your staffing needs.
Dukebridge services:
We equip our clients to overcome the challenges of meeting business, operational and technology objectives by helping them build, scale and deploy skilled teams quickly and cost-effectively.
We achieve this by providing highly responsive programme/project resources skilled in analysis, project management and execution, whose effectiveness is sustained by our Service Delivery Function. This includes a centralised PMO function that helps achieve project/engagement success by embedding accountability and governance from day one.