Disclaimer:This article should be used only for guidance purposes and shouldn’t be taken as definitive advice. Always consult your acquirer or a Payment Card Industry Data Security Standards (PCI DSS) Qualified Security Assessor (QSA) for clarification. It’s mostly relevant for companies processing less than 6 million transactions per year.
As of 31 March 2022, PCI DSS v4.0 has been released. We are working hard in the background to do a full assessment of the new standard. Adyen customers will be informed accordingly of any key changes, but for the time being the below information remains accurate and up to date.
From Cerberus, the mythological dog that guarded the gates of the Underworld, to the Federal Reserve Bank of New York’s ninety-ton steel vault of gold, it’s safe to say that maintaining good security standards has always been good business. And when it comes to data security, the benefits of staying up to date with PCI compliance are nothing short of invaluable. You don’t even need a three-headed dog to do it.
But first, a quick recap.
What is the current PCI security standard?
No, you didn’t imagine it; there is indeed a new version of PCI DSS on the way. Version 4.0 was due to be introduced halfway through 2021, but the release is now delayed until the end of the year. Hence the mild confusion. In the meantime, PCI DSS 3.2.1 remains the current PCI standard. Here’s a quick refresh on what that means, and then we’ll cover everything you need to know about the upcoming PCI DSS 4.0.
PCI DSS is a set of technical and operational requirements intended to protect account data, combat fraud, and reduce the chances of a data breach. Launched in 2006, PCI DSS was developed by thePCI Security Standards Council(PCI SSC), an independent body made up of MasterCard, Visa, American Express, JCB, and Discover. Currently,12 core requirementsmake up PCI DSS.
Any organisation that interacts with the Cardholder Data Environment (CDE) - collecting, processing, storing, or transmitting account data - must comply with PCI DSS directly or through completing an annual assessment independently or together with your QSA. While it is not part of any law, the standard is applied around the world. Failure to meet PCI DSS may result in breaches, fines, or termination of credit card processing privileges.
Why the delay, and when is version 4.0 due to be released?
PCI DSS version 4.0 was originally due to be introduced in Q2 2021, but is now due for release in Q1 2022. The reason for the delay is nothing dramatic: the PCI council decided more feedback on the new standard and its documentation was needed, and updated the timeline to support an extendedRequest For Comments (RFC) process.
What are the changes from PCI DSS v3.2.1 to PCI DSS v4.0?
Previous feedback suggested that the decimal points in “PCI DSS v3.2.1” were getting a little out of hand, and it was time for a rebrand. Just kidding. While the 12 core PCI DSS requirements remain fundamentally the same, the upcoming changes are to ensure account data is properly protected, and that businesses are clear on their responsibilities in making that happen.
As technology evolves, so do the attack tactics and capabilities of bad actors trying to compromise systems. The differences between PCI DSS v3.2.1 and v4.0 are therefore expected to align the standard with the latest changes in the security landscape, expand requirements into a few new technology areas, and provide clearer guidance for businesses to follow.
What is PCI DSS 4.0 compliance?
While the full standard and supporting documents are yet to be released, this is what we know so far. The PCI Security Standards Council has set four objectives to guide the creation of version 4.0. These objectives are:
To ensure the standard continues to meet the security needs of the payments industry.
To add flexibility and support of additional methodologies to achieve security.
To encourage businesses to view security as a continuous process.
To enhance validation methods and procedures to be more robust.
The new version of PCI DSS will include an expansion of requirements in developing security and technology areas, including mobile phones and tablets, contactless payments, cloud adaptation, new software development practices, and increased dependence on third parties.
A PCI DSS v4.0 timeline
Once PCI DSS v4.0 is introduced, an extended transition period will be provided for organisations to update from PCI DSS v3.2.1 to PCI DSS v4.0. The current PCI DSS v3.2.1 will remain active for 18 months once all PCI DSS v4.0 materials - the standard, supporting documents (including SAQs, ROCs, and AOCs), training, and programme updates - are released.
We regularly evaluate all available information and will, well in advance, inform those who changes to the PCI DSS will affect. Our team will also attend the PCI global community meeting in October 2021 in order to gather additional detail and clarity.
As always, we’re ahead of every update to compliance standards around the world, and work closely with all parties involved to keep you, us, and the world a more secure payments space.
How can you prepare for these changes?
The best way to prepare for v4.0 is to stay compliant with PCI DSS 3.2.1 requirements, or keep working towards compliance. If your organisation accepts credit cards, you must implement the requirements applicable to your business set forward by PCI DSS, and validate your compliance with PCI DSS annually.
For PCI DSS 3.2.1, you can validate your compliance either by:
Completing a Self-Assessment Questionnaire (SAQ). You can use this option if you process less than 6 million transactions per acquiring region per year.
Engaging a Qualified Security Assessor (QSA) to complete a Report on Compliance (RoC) for you.
You can find more information about these documentshere.
While these recommendations may change in the months to come, it's worth getting the basics right now.
While we can’t provide a definitive PCI DSS v4.0 compliance checklist until later in the year, here are some best practice tips to help you get all your security ducks in a row:
Don’t use preset usernames, passwords, or factory settings.
Use strong passwords and unique user IDs. At least 7 character passwords (numeric, alphabetic and special characters).
Stay up to date with new software patches as soon as they’re released.
If you maintain your compliance and keep control of your environment, you'll be well placed to meet PCI DSS v4.0. Remember, you can always check in with us for guidance. We will be ready to support you through the process.
How can Adyen help your business stay PCI DSS compliant?
Implementing PCI DSS compliance in your business can seem intimidating, especially if you don't have an existing framework to properly protect account data.
To help reduce the scope of your PCI DSS compliance, we offer integrations that handle most of the PCI DSS requirements for you:
• OurWeb Drop-in or Componentsrenders the available cards in your payment form, and securely collects any account data and sensitive card information, so it doesn't touch your server.
While you’ll still need to secure account data before it reaches us, we’re always here to help guide you in the right direction - so be sure to check back here in a few months for the next update, orreach outif you have any questions in the meantime.
PCI DSS Compliance Guide
Your detailed development resource for PCI DSS compliance.
About the author:Helen Huyton guides Merchants on PCI DSS related topics with expertise in the risks involved per integration, how to mitigate the risks and which validation documentation is required in order to be PCI compliant.