In case you didn’t know, PCI DSS version 3.2.1 was retired on March 31, 2024, and the remaining “future-dated” requirements of PCI DSS version 4.0 become mandatory on March 31, 2025. Companies that store, process or transmit cardholder data MUST be fully compliant with version 4.0 by that date. Find out how to do so on the Wirebox Guide.
Firstly, WHY is PCI DSS v4.0 replacing v3.2.1 at all? The PCI Security Standards Council gives these goals for the new version:
To ensure that PCI DSS continues to meet the security needs of an ever-evolving payments industry,
To promote security as a continuous process, as opposed to a once-a-year, point-in-time exercise,
And to enhance the validation methods and procedures used to demonstrate compliance (by assessors and in self-assessment).
As you know, technology changes with time, and attackers’ techniques change along with it. PCI DSS 4.0 puts businesses in a better position to keep their security measures current.
Phishing is becoming a bigger issue, and version 4.0 addresses it directly: it adds a requirement for mechanisms that detect and protect personnel against phishing attacks.
Requirements for performing risk assessments have been in PCI DSS for years, but they were loosely specified. Version 4.0 is far more prescriptive about risk management, including targeted risk analyses that determine how often certain controls must be performed.
Newer industry practices in authentication are taken into account, notably stronger multi-factor authentication: under version 4.0, MFA is required for all access into the cardholder data environment, not just for administrators and remote access.
Version 4.0 addresses cloud technology wherever it applies, including shared and multi-tenant hosting providers.
PCI DSS 4.0 acknowledges that not all security approaches are the same, and that there may be many ways to achieve a security objective. Alongside the traditional “defined approach”, version 4.0 introduces a “customised approach” to requirements and testing procedures.
This lets entities show how their own controls meet the stated objective of a requirement, providing an alternative way to meet it, backed by a documented targeted risk analysis for each customised control.
The Bad News:
Unfortunately, this also means that the customised approach will most likely result in more assessment work up front: the documentation, testing evidence and risk-analysis data all have to be prepared for evaluation by the assessor.
However, there is a flipside: once validated, a customised control gives you a more permanent solution for the compliance validation of specialised security controls than renegotiating a compensating control every year.
When Do I Need To Start Working On 4.0, Then?
Merchants (see below for an explanation of “merchants”) had until March 31st, 2024 before they could no longer validate their compliance using version 3.2.1; from that date validation is against version 4.0, with the future-dated requirements becoming mandatory on March 31st, 2025.
For many of the SAQ types, very few changes have been made, so moving to 4.0 may be quite simple. However, some SAQ types have several newly added requirements that may take time to implement.
If this is the case for you, continue to validate your compliance using version 3.2.1 for as long as that is permitted, but begin implementing the missing controls you will need in order to validate against 4.0.
Above all, it’s about the amount of time it’s going to take you to get set up properly.
The sooner you start, the more time you will have to implement the new security practices before they become mandatory.
The Difference Between A Merchant And A Service Provider (In A PCI Context)
Knowing who counts as a service provider boils down to who holds the merchant account.
If you’re selling shoes and the money goes directly into your bank account, you’re the merchant.
However, if you help merchants to perform those operations (for example via a marketplace such as Etsy), but the customer’s money doesn’t go into your bank account (perhaps it goes into the merchant’s account via Stripe), then you’re a service provider.
BTW, you can be both a merchant and a service provider at the same time.
Give Me More Information, Please!
Go to the PCI Security Standards Council’s website. Read the PCI DSS version 4.0 standard (and the Council’s Summary of Changes from v3.2.1 to v4.0), and then start to formulate an implementation plan.
More formal risk assessment processes are required in version 4.0, and most organisations will have to add processes and gain the skills to do this correctly.
So whilst PCI DSS 4.0 may seem daunting, it is an improved way to counter the techniques used by today’s attackers.