PCI DSS compliance: Everything you need to know
What is PCI DSS 4.0? Helen Huyton, Merchant Data Security Analyst at Adyen, gives an update on the changes to PCI DSS expected on March 31 2022, the differences between v3.2.1 and v4.0, and how to become PCI compliant.
Disclaimer: This article should be used only for guidance purposes and shouldn’t be taken as definitive advice. Always consult your acquirer or a Payment Card Industry Data Security Standard (PCI DSS) Qualified Security Assessor (QSA) for clarification. It is mostly relevant to companies processing fewer than 6 million card transactions per year.
As of 31 March 2022, PCI DSS v4.0 has been released. We are working hard in the background to do a full assessment of the new standard. Adyen customers will be informed accordingly of any key changes, but for the time being the below information remains accurate and up to date.
From Cerberus, the mythological dog that guarded the gates of the Underworld, to the Federal Reserve Bank of New York’s ninety-ton steel vault of gold, it’s safe to say that maintaining good security standards has always been good business. And when it comes to data security, the benefits of staying up to date with PCI compliance are nothing short of invaluable. You don’t even need a three-headed dog to do it.
But first, a quick recap.
No, you didn’t imagine it; there is indeed a new version of PCI DSS on the way. Version 4.0 was due to be introduced halfway through 2021, but its release has slipped (the currently expected timeline is given below). Hence the mild confusion. In the meantime, PCI DSS 3.2.1 remains the current PCI standard. Here’s a quick refresh on what that means, and then we’ll cover everything you need to know about the upcoming PCI DSS 4.0.
PCI DSS is a set of technical and operational requirements intended to protect account data, combat fraud, and reduce the chances of a data breach. The standard was first published by the card brands in 2004 and has been maintained since 2006 by the PCI Security Standards Council (PCI SSC), an independent body founded by MasterCard, Visa, American Express, JCB, and Discover. Currently, 12 core requirements make up PCI DSS.
Any organisation whose systems form part of, or connect to, the Cardholder Data Environment (CDE), or that collects, processes, stores, or transmits account data, must comply with PCI DSS and validate that compliance through an annual assessment, completed either independently or together with a QSA. PCI DSS is not a law; it is a contractual obligation that the card brands impose through your acquirer, and it is applied around the world. Failing to meet it leaves your environment more exposed to a breach and may result in fines or the termination of your card-processing privileges.
PCI DSS version 4.0 was originally due to be introduced in Q2 2021, but is now due for release in Q1 2022. The reason for the delay is nothing dramatic: the PCI SSC decided that more feedback on the new standard and its documentation was needed, and updated the timeline to support an extended Request For Comments (RFC) process.
Previous feedback suggested that the decimal points in “PCI DSS v3.2.1” were getting a little out of hand, and it was time for a rebrand. Just kidding. While the 12 core PCI DSS requirements remain fundamentally the same, the upcoming changes are to ensure account data is properly protected, and that businesses are clear on their responsibilities in making that happen.
As technology evolves, so do the attack tactics and capabilities of bad actors trying to compromise systems. The differences between PCI DSS v3.2.1 and v4.0 are therefore expected to align the standard with the latest changes in the security landscape, expand requirements into a few new technology areas, and provide clearer guidance for businesses to follow.
While the full standard and supporting documents are yet to be released, this is what we know so far. The PCI Security Standards Council has set four objectives to guide the creation of version 4.0. These objectives are:
The new version of PCI DSS will include an expansion of requirements in developing security and technology areas, including mobile phones and tablets, contactless payments, cloud adoption, new software development practices, and increased dependence on third parties.
Once PCI DSS v4.0 is introduced, an extended transition period will be provided for organisations to update from PCI DSS v3.2.1 to PCI DSS v4.0. The current PCI DSS v3.2.1 will remain active for 18 months once all PCI DSS v4.0 materials - the standard, supporting documents (including SAQs, ROCs, and AOCs), training, and programme updates - are released.
We regularly evaluate all available information and will inform, well in advance, everyone whom the changes to PCI DSS will affect. Our team will also attend the PCI global community meeting in October 2021 to gather additional detail and clarity.
As always, we keep ahead of updates to compliance standards around the world, and work closely with all parties involved to keep payments secure for you, for us, and for everyone else.
The best way to prepare for v4.0 is to stay compliant with the PCI DSS 3.2.1 requirements, or to keep working towards compliance. If your organisation accepts credit cards, you must implement the requirements applicable to your business as set out by PCI DSS, and validate your compliance with PCI DSS annually.
For PCI DSS 3.2.1, you can validate your compliance either by completing the Self-Assessment Questionnaire (SAQ) that applies to your integration yourself, or by having a QSA carry out an assessment and document it in a Report on Compliance (ROC). In both cases the outcome is summarised in an Attestation of Compliance (AOC). More information about these documents is available from the PCI SSC.
While these recommendations may change in the months to come, it's worth getting the basics right now.
While we can’t provide a definitive PCI DSS v4.0 compliance checklist until later in the year, here are some best practice tips to help you get all your security ducks in a row:
If you maintain your compliance and keep control of your environment, you'll be well placed to meet PCI DSS v4.0. Remember, you can always check in with us for guidance. We will be ready to support you through the process.
Implementing PCI DSS compliance in your business can seem intimidating, especially if you don't have an existing framework to properly protect account data.
To help reduce the scope of your PCI DSS compliance, we offer integrations that handle most of the PCI DSS requirements for you:
• Our Web Drop-in and Components render the available cards in your payment form and securely collect account data and sensitive card details, so that data never touches your server.
• For a point-of-sale integration, you can use our default End-to-End Encryption (E2EE) solution.
You remain responsible for securing the parts of your environment that surround the integration, such as the web page or point of sale that hosts the payment form and any account data you still handle yourself, but we’re always here to help guide you in the right direction. Be sure to check back here in a few months for the next update, or reach out if you have any questions in the meantime.
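A practical check on the claim that card data "never touches your server" is to scan your own application logs for primary account numbers. The script below is an added example written for this article; it is not Adyen code and is not part of any PCI DSS document. It looks for 13 to 19 digit runs, keeps only those that pass the Luhn checksum (so order numbers and timestamps are not flagged), and masks hits to the first six and last four digits, which is the most that PCI DSS 3.2.1 Requirement 3.3 allows to be displayed. The log lines and the `SAMPLE_LOG` name are constructed for the example; the card numbers in them are the publicly documented test numbers, not real cards.

```python
"""Scan application logs for primary account numbers (PANs) that should never be there.

Added example for this article, not Adyen code. Input is a list of log lines;
output is the list of lines that contained a Luhn-valid PAN, with the PAN masked.
"""
import re

# A PAN is 13-19 digits, possibly written with single spaces or dashes between
# digit groups. The lookarounds stop us matching inside a longer digit run.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits):
    """Luhn mod-10 checksum used by all major card brands."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits):
    """Keep the first six and last four digits, mask everything in between."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def redact_line(line):
    """Return (line with Luhn-valid PANs masked, number of PANs found).

    Candidates that fail the Luhn check (order IDs, timestamps, amounts) are
    left untouched so the scan produces few false positives.
    """
    count = 0

    def _mask(match):
        nonlocal count
        digits = re.sub(r"[ -]", "", match.group(0))
        if not luhn_valid(digits):
            return match.group(0)
        count += 1
        return mask_pan(digits)

    return PAN_CANDIDATE.sub(_mask, line), count


def scan_log(lines):
    """Return [(line_number, redacted_line)] for every line that contained a PAN."""
    findings = []
    for number, line in enumerate(lines, start=1):
        redacted, count = redact_line(line)
        if count:
            findings.append((number, redacted))
    return findings


# Constructed sample log (hypothetical format). Card numbers are public test
# numbers; the order number on line 1 is 16 digits but fails the Luhn check.
SAMPLE_LOG = [
    '2022-03-31T10:15:02Z INFO  checkout order=1234567890123456 amount=4999 currency=EUR',
    '2022-03-31T10:15:03Z DEBUG request body {"card": "4111 1111 1111 1111", "cvc": "***"}',
    '2022-03-31T10:15:04Z INFO  payment token=tok_AbC123 result=authorised',
    '2022-03-31T10:16:11Z ERROR gateway timeout for card 5500-0000-0000-0004',
]

if __name__ == "__main__":
    for number, line in scan_log(SAMPLE_LOG):
        print(f"line {number}: {line}")
```

Run it over a day of real logs (for example by piping them in and replacing `SAMPLE_LOG` with `sys.stdin`) before your SAQ: a single hit means your server did see card data, which changes which SAQ applies and what you must protect. One known limitation: if a valid PAN is embedded in a longer digit run the whole run is tested as one candidate and is skipped, so treat a clean result as evidence, not proof.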
About the author: Helen Huyton guides merchants on PCI DSS related topics, with expertise in the risks involved per integration, how to mitigate those risks, and which validation documentation is required in order to be PCI compliant.