Guides and reports

PCI DSS compliance v4.0: Your requirements checklist

What is the latest version of PCI DSS? Helen Huyton, Merchant Data Security Analyst at Adyen, gives an update on the changes to PCI DSS expected on March 31 2022, the differences between v3.2.1 and v4.0, and how to become PCI compliant.

Helen Huyton, Merchant Data Security Analyst · Adyen

August 24, 2021

· 6 minutes

Topics

Guides and reports Understand payments Optimize payments Make compliance easy Data and insights Ecommerce

Disclaimer: This article should be used only for guidance purposes and shouldn’t be taken as definitive advice. Always consult your acquirer or a Payment Card Industry Data Security Standards (PCI DSS) Qualified Security Assessor (QSA) for clarification. It’s mostly relevant for companies processing less than 6 million transactions per year.

As of 31 March 2022, PCI DSS v4.0 has been released. We are working hard in the background to do a full assessment of the new standard. Adyen customers will be informed accordingly of any key changes, but for the time being the below information remains accurate and up to date.

From Cerberus, the mythological dog that guarded the gates of the Underworld, to the Federal Reserve Bank of New York’s ninety-ton steel vault of gold, it’s safe to say that maintaining good security standards has always been good business. And when it comes to data security, the benefits of staying up to date with PCI compliance are nothing short of invaluable. You don’t even need a three-headed dog to do it.

But first, a quick recap.

No, you didn’t imagine it; there is indeed a new version of PCI DSS on the way. Version 4.0 was due to be introduced halfway through 2021, but the release is now delayed until the end of the year. Hence the mild confusion. In the meantime, PCI DSS 3.2.1 remains the current PCI standard. Here’s a quick refresh on what that means, and then we’ll cover everything you need to know about the upcoming PCI DSS 4.0.

PCI DSS is a set of technical and operational requirements intended to protect account data, combat fraud, and reduce the chances of a data breach. Launched in 2006, PCI DSS was developed by the PCI Security Standards Council (PCI SSC), an independent body made up of MasterCard, Visa, American Express, JCB, and Discover. Currently,12 core requirements make up PCI DSS.

Any organization that interacts with the Cardholder Data Environment (CDE) - collecting, processing, storing, or transmitting account data - must comply with PCI DSS directly or through completing an annual assessment independently or together with your QSA. While it is not part of any law, the standard is applied around the world. Failure to meet PCI DSS may result in breaches, fines, or termination of credit card processing privileges.

Previous feedback suggested that the decimal points in “PCI DSS v3.2.1” were getting a little out of hand, and it was time for a rebrand. Just kidding. While the 12 core PCI DSS requirements remain fundamentally the same, the upcoming changes are to ensure account data is properly protected, and that businesses are clear on their responsibilities in making that happen.

As technology evolves, so do the attack tactics and capabilities of bad actors trying to compromise systems. The differences between PCI DSS v3.2.1 and v4.0 are therefore expected to align the standard with the latest changes in the security landscape, expand requirements into a few new technology areas, and provide clearer guidance for businesses to follow.

While the full standard and supporting documents are yet to be released, this is what we know so far. The PCI Security Standards Council has set four objectives to guide the creation of version 4.0. These objectives are:

To ensure the standard continues to meet the security needs of the payments industry.
To add flexibility and support of additional methodologies to achieve security.
To encourage businesses to view security as a continuous process.
To enhance validation methods and procedures to be more robust.

The new version of PCI DSS will include an expansion of requirements in developing security and technology areas, including mobile phones and tablets, contactless payments, cloud adaptation, new software development practices, and increased dependence on third parties.

While we can’t provide a definitive PCI DSS v4.0 compliance checklist until later in the year, here are some best practice tips to help you get all your security ducks in a row:

Don’t use preset usernames, passwords, or factory settings.
Use strong passwords and unique user IDs. At least 7 character passwords (numeric, alphabetic and special characters).
Stay up to date with new software patches as soon as they’re released.

If you maintain your compliance and keep control of your environment, you'll be well placed to meet PCI DSS v4.0. Remember, you can always check in with us for guidance. We will be ready to support you through the process.

Implementing PCI DSS compliance in your business can seem intimidating, especially if you don't have an existing framework to properly protect account data.

To help reduce the scope of your PCI DSS compliance, we offer integrations that handle most of the PCI DSS requirements for you:

• Our Web Drop-in or Components renders the available cards in your payment form, and securely collects any account data and sensitive card information, so it doesn't touch your server.

• For a point-of-sale integration, you can use our default End-to-End Encryption (E2EE) solution.

While you’ll still need to secure account data before it reaches us, we’re always here to help guide you in the right direction - so be sure to check back here in a few months for the next update, or reach out if you have any questions in the meantime.

About the author: Helen Huyton guides Merchants on PCI DSS related topics with expertise in the risks involved per integration, how to mitigate the risks and which validation documentation is required in order to be PCI compliant.