After years in the making, the PCI Security Standards Council has released an updated version of their PCI Data Security Standard (PCI DSS). The standard, which governs businesses who accept or interact with credit card data, has gone from version 3.2.1 to 4.0, marking a significant update to an already robust set of requirements.
There is good news and bad news with the release of PCI DSS 4.0. On the good side, most of the changes are future dated and won’t be required until March 31st, 2025. This is good news because there are 64 new requirements. The impact to your organization will vary and LBMC is here to help. Below we’ve outlined several changes and important reminders you’ll want to understand right away:
- No company can obtain compliance under PCI 4.0 until the QSA community (which LBMC is a member) has been certified under PCI 4.0. As of now, these trainings won’t start until this summer.
- The March 31, 2025 date of implementation of many new requirements is not the same date when organization must start using the PCI 4.0 standard. That date is March 31, 2024 (2 years from now). However, we all know that a PCI assessment starts many months before the report is issued so in many cases, businesses will have less time than 2 years to get up to speed
- The new version of PCI offers companies the option to develop their own controls, its being called the “customized approach”. More on this at another time as it is own post/conversation.
Here is a short list of some of the more impactful new requirements:
- Technical controls must be implemented to prevent the copying of PAN data when accessed remotely.
- You must maintain an inventory of trusted keys and certs.
- Detect and protect personnel against phishing attacks.
- Manage all payment page scripts that are loaded in the consumer’s browser.
- Implement MFA for all access into the CDE.
- Conduct internal scanning using authenticated scans.
As you can see there is a lot to take in! However, LBMC has you covered. Our QSA experts live and breathe PCI compliance and are hard at work processing all the changes and thinking about how they will impact our clients and future clients. If you want to talk more about ensuring your organization will be ready for PCI 4.0, please email Shareholder Stewart Fey, CISA, CISSP, QSA at Stewart.Fey@lbmc.com.