On the last day of March 2022, the independent international body known as the Payment Card Industry Security Standards Council (PCI SSC) did something it hasn’t done in nearly 4 years: It released a new set of digital standards governing payment card processes. PCI DSS 4.0 is the first major version change for PCI standards in nearly a decade (PCI DSS 3.0 was released in November 2013). It was released with surprisingly little fanfare, considering that it affects nearly every business in the world.
If that sounds like hyperbole, you’ll need to understand the crucial role PCI DSS plays in regulating the more than 1 billion credit card transactions that take place every single day.
PCI DSS 4.0 is a very, very big deal.
WHAT’S IN PCI DSS 4.0?
Notably, PCI DSS 4.0 is not just a new version but a full version-number jump from version 3.2.1, which was put into effect in May of 2018. While one might suspect that such a leap comes from some bold deviation from the previous version of the PCI standards, PCI DSS 4.0 does little to surprise.
For the most part, PCI DSS 4.0 lays out the evolved thinking of the SSC as it looks ahead at the shifting technological landscape and the ways businesses manage compliance.
One major change arriving in PCI DSS 4.0 is a greater emphasis upon everyday compliance rather than the yearly exercise in reporting. PCI compliance documentation and reporting are still required at least annually, but also whenever significant changes are made.
While this may seem like a small modification, the new PCI standards also spell out exactly what constitutes a “significant change,” which opens the door for increased reporting benchmarks in the future.
This aligns with the SSC’s expressed goal of “promoting security as a continuous process,” indicating a clear shift toward requiring more engaged and constant compliance efforts from businesses in the future.
Perhaps the most interesting part of PCI DSS 4.0 is the acquiescence to increased flexibility in business compliance methodologies. Here, the SSC seems to be recognizing the myriad ways in which technology is continuously evolving, and is willing to give businesses the benefit of whatever new compliance methodologies will emerge in the future.
This is almost certainly a nod to the potential for game-changing compliance innovation like Atmos, the disruptive recording platform CallCabinet launched in 2014, not long after PCI DSS 3.0 was released. As the first-ever cloud-based compliance recording platform, Atmos touched off a revolution in the compliance industry.
This modification appearing in PCI DSS 4.0 is the clearest indication that the SSC recognizes how integral a role compliance technology plays in developing vital industry regulations.
MORE FOCUS ON RISK ANALYSIS
Another notable change arriving in PCI DSS 4.0 is an increased focus on risk analysis for businesses.
While risk analysis has always been part of PCI DSS, it has never before been so clearly laid out. Previously, risk analysis was implemented as part of the compensating control worksheet for PCI compliance reporting. PCI DSS 4.0 includes a Sample Targeted Risk Analysis Template in one of its appendixes that clearly spells out how the SSC expects companies to carry out risk analysis, leaving little room for interpretation.
While this could be just a simple clarification exercise, it is more likely a telling shift in the SSC mindset. When taken with the other changes above, it seems indicative of an overall shift toward increased corporate responsibility. Recognizing the mounting complexity of PCI DSS application and enforcement, the SSC is likely telegraphing a slow change toward eventually requiring more constant and comprehensive compliance in both practice and reporting.
This could therefore be the most significant change revealed in PCI DSS 4.0, especially for companies that view PCI compliance as little more than an operational hassle. Compliance, it appears, is expanding, and businesses will need to expand their efforts to manage it or face the consequences of non-compliance.
A SLOW ROLLOUT
Fortunately, though it was released at the end of March of this year, PCI DSS 4.0 will not go into enforcement for another 3 years. This gives businesses ample time to adapt to the fresh standards, which, as noted above, appear to be mostly intended to lay the groundwork for future standards evolution.
However, although PCI DSS 4.0 may seem to be future-focused in both its goals and its implementation, enterprises would be wise to begin restructuring their compliance protocols as soon as possible. Preparation for PCI DSS 4.0 enforcement will likely require a deeper investment into corporate compliance infrastructure. Depending upon the scale of the enterprise, that investment could be as minimal as increased reporting or as significant as the creation of an entire corporate compliance division.
Large or small, changes to PCI standards affect every business that accepts payment card transactions, warranting a careful assessment of each organization’s practices. It is crucial for every business to recognize that PCI standards are not going away regardless of what kind of challenges transitioning to new standards may present.
WHERE TO START:
Start by watching this video where PCI Security Standards Council staff discuss these goals and updates to PCI DSS v4.0. You can find the video here: First Look at PCI DSS v4.0.
Then have a look at all supporting documents published in the PCI SSC Document Library. This Document Library includes the updated standard and a large number of supporting documents. The standard and summary of changes are scheduled to be translated into several languages between April and June 2022 to help support the adoption of PCI DSS worldwide.
The Council will provide additional information throughout the year to help organizations understand changes made to the standard. Stay up to date by subscribing to the PCI Perspectives blog for additional resources to help you in this transition period.