Merchants around the world use the Payment Card Industry Data Security Standard (PCI DSS) to safeguard payment card data before, during, and after a purchase is made. The standard is intended for all entities involved in payment card processing, including merchants, processors, acquirers, issuers, and service providers. As of 31 March 2024, the PCI Security Standards Council (PCI SSC) officially retired PCI DSS v3.2.1. The only currently active versions of the standard are PCI DSS v4.0 and v4.0.1, which henceforth will be referred to as PCI DSS v4.x. For further clarification, please refer to Frequently Asked Question (FAQ) 1328, “Where can I find the current version of PCI DSS?”
In this Q&A, Jeremy King, the PCI Security Standards Council’s Regional VP for Europe, speaks with Michael Aminzade, VP, Compliance & Risk Services at VikingCloud, a Qualified Security Assessor (QSA) company. A QSA is an independent security organization qualified by the PCI Security Standards Council to validate an entity’s adherence to PCI DSS.
Jeremy King: Hi, Michael. As a QSA company, VikingCloud works closely with merchants of all sizes and complexity. Let us start by discussing why now is the time for organizations to understand and plan for the future-dated requirements of PCI DSS v4.x, rather than waiting until next year.
Michael Aminzade: In the ever-evolving threat landscape facing businesses today, the importance of data security cannot be overstated, particularly for businesses entrusted with cardholder data.
PCI DSS v4.0 marks the first major update to the Standard in over a decade and is now fully in effect, which has meant a lot of updates, and a lot of new requirements added to the Standard. Of the 64 new requirements, 51 are future-dated and will be effective as of 31 March 2025. And now, PCI DSS v4.0.1 was released as a limited revision in June 2024 with minor updates and to provide further clarification and guidance for the requirements.
Jeremy King: Yes, the Council provided organizations with two years to understand the impact of the new requirements and changes in PCI DSS v4.x and ensure they can prepare for when they become required. But if they have a few more months before these future-dated requirements take effect, why transition early?
Michael Aminzade: It is not early anymore. There are only eight months left for merchants to plan and prepare for the changes in PCI DSS v4.x. We have actively encouraged VikingCloud’s customers to perform gap assessments against the future-dated requirements in preparation for next year. Organizations that have adopted PCI DSS v4.x early have sent a clear statement about the importance of payment security and the protection of their customers’ data. And in today’s cyber-savvy world, consumers are demanding that. More importantly, it will help ensure that payment security and processes used are at a robust level.
This continues to grow in importance across our global industry landscape. We continue to see the importance and dependency merchants have on their digital supply chains and the importance these pose to their ability to operate. Their Third-Party Service Providers (TPSPs) need to ensure they are supporting their customers’ compliance transition to PCI DSS v4.x.
In PCI DSS v4.x, e-commerce merchants completing Self-Assessment Questionnaire (SAQ) A are now expected to undertake vulnerability scans at least once every three months by an Approved Scanning Vendor (ASV). When utilizing TPSPs to provide and manage a merchant’s e-commerce solution, this compliance requirement must be included, and the merchant must demonstrate that it is being done on their behalf, especially when there are multiple TPSPs providing different services within an e-commerce solution.
Criminals utilize weaknesses within the supply chain to gain access and insert malware. So, using PCI-compliant TPSPs within your supply chain reduces the risk of a data breach.
Jeremy King: Yes, and in fact, the Council recently published a new Resource Guide: Vulnerability Scans and Approved Scanning Vendors for anyone with questions about ASV scans, with a focus on Self-Assessment Questionnaire (SAQ) A merchants since they are completing PCI DSS Requirement 11.3.2 for the first time. What other PCI DSS v4.x changes help merchants implement good security processes?
Michael Aminzade: Well, one of the factors that has stood out to us is that many of the new requirements focus on roles and responsibilities. This simply means that staff know and have been trained in the roles and activities they undertake. Many will think this is common sense, but when staff change roles or are off sick or on vacation, then it may not be clear who is trained on what. While this seems like a simple step towards improved security, organizational complexity and ongoing change make the simple complex. It is not just about documentation (for example, a responsibility assignment matrix), but rather having a proven, best-practice process that ensures the documentation is updated and communicated on an ongoing basis. “One and done” does not cut it in the cybersecurity world.
Another new requirement in PCI DSS v4.x is requirement 12.5.2, which requires the organization to undertake an annual scope confirmation exercise.
Jeremy King: Yes, I was really pleased to see scoping become an actual requirement. Organizations do need to validate all parts of their PCI DSS scope every year. Because in this ever-evolving world of payments, things are changing all the time. And that leads right into documenting roles and responsibilities. Knowing where and how you are managing cardholder data, and that your staff are correctly trained, that really is common sense, isn’t it?
Michael Aminzade: Absolutely, and that is a lot of what PCI DSS v4.x is all about. Being an adopter of the requirements of PCI DSS v4.x is going to help improve your organization’s payment security, will benefit you and your staff through improved processes and additional training, and will help you to be ready to meet the new requirements that come into effect on 31 March 2025.
Jeremy King: Michael, this has been exceedingly helpful and useful information for our community. By adopting the future-dated requirements of PCI DSS v4.x today, your business can demonstrate that it takes security seriously and is ready for the future of our ever-evolving data security landscape.
Businesses can find a listing of PCI SSC-approved QSA companies and ASV companies on our website. QSA companies offer a range of products and services to support organizations in improving their security, and ASV companies provide external vulnerability scans.