When is PCI DSS 4.0 required? Timing and helpful considerations
Find out when you must be compliant with PCI DSS 4 and which factors are most likely to impact your transition’s timeline.
What is PCI DSS 4?
The Payment Card Industry Data Security Standard (PCI DSS) is a set of requirements developed by the major payment card brands to fight fraud and protect card users. PCI DSS outlines the various policies, processes, and security controls companies must have to protect payment card data.
Periodically, the Payment Card Industry Security Standards Council (PCI SSC) updates its PCI DSS requirements to address changes in the cybersecurity landscape. PCI 4 is the latest version of the standard.
The key dates for the transition to PCI DSS 4
When was PCI DSS 4 released?
The PCI SSC released version 4 in March 2022. However, to ease the transition, PCI DSS version 3.2.1 remains active through March 2024. In the interim, companies can complete PCI assessments against either version of the standard.
When may I comply with PCI DSS 4?
Companies may seek and attest to PCI 4 compliance today. The real question is whether you can.
For PCI Level 1, the availability of PCI 4 assessments depends on whether Qualified Security Assessors (QSAs) are authorized to audit against the new version of the standard and its requirements. The PCI SSC released the required training for PCI 4 in June 2022 and has compiled a list of PCI 4-certified QSA firms.
For PCI Levels 2-4, you may have the option to complete a PCI 4 self-assessment questionnaire (SAQ) without needing a QSA today. However, your ability to self-assess depends on your implementation. For example, if you're using a payment service provider, like Stripe, or a tokenization provider to store cards, then you'll be dependent on their timeline for PCI DSS 4 compliance. These service providers will provide the new assessment forms when they’re ready.
When must I comply with PCI DSS 4?
The PCI SSC commonly uses a phased rollout for new releases. Officially, a company must be certified against PCI 4 by March 2024, when the previous version of the standard is no longer supported.
However, PCI standards also contain future-dated requirements. Because these requirements can represent a significant lift, companies are given more time to implement them. For example, future-dated requirements in PCI 4 include deploying a web application firewall (WAF) to protect web applications, continuously scanning removable media for malware, and reviewing user accounts every six months to remove unneeded accounts and permissions. In the case of PCI 4, companies have until March 2025 to implement and certify against these requirements.
What are the changes in PCI DSS 4?
PCI 4 updates the standards to address changes in the cyber threat landscape. This includes adding about 60 requirements, updating others, and removing some entirely.
Account security was a significant area of focus for the PCI SSC, with new requirements around using multi-factor authentication (MFA) and stronger passwords for internal employees. The upcoming standards also include new rules for protecting against common cyberthreats — such as scanning for malware and blocking attempted exploits of web applications — and improving data security by strengthening requirements for encryption.
The time and cost to implement these changes depend on the complexity of an organization’s infrastructure within the scope of a PCI assessment. For example, raising a password policy’s minimum length to 12 characters might be a five-minute job for a single web application, but the same task could take hours, days, or weeks to roll out and adequately test across many corporate applications.
How long will it take to become PCI DSS 4 certified?
To be clear, every company that stores, processes, or transmits cardholder data must comply with the more than 300 controls (plus the roughly 60 new ones), regardless of the PCI DSS version. However, which controls you must implement yourself or attest to varies depending on three primary factors: the exposure you’ve assumed through your implementation, the number of prescribed vs. custom approaches taken, and the volume of transactions processed.
The more responsibility you assume for cardholder data (e.g., storing it yourself vs. using a service provider), the more controls you must configure and validate. For most companies, using third-party service providers significantly reduces or even eliminates the costs, distractions, and changes introduced by PCI DSS 3.2.1 and 4.
For example, a fintech company using a third-party tokenization provider and its suite of services collects, stores, and transmits payment card details to its PSP without exposing its own systems to the underlying cardholder data. Instead of implementing, managing, and documenting its own PCI 4 controls, it relies on the provider’s PCI Level 1 environment and existing attestation of compliance to help satisfy and prove compliance. By comparison, a fintech company using a homegrown solution to store, process, and transmit credit card data will have to implement or reconfigure its cardholder data environment and other preventive measures to comply with PCI 4 and future iterations.
Second, if you’ve implemented your own cardholder data environment, how you satisfied PCI DSS 4’s controls is another factor. Instead of mandating that a company use a particular solution or approach to meet a requirement, PCI 4 permits companies to implement “customized controls” that meet the requirement and better complement their infrastructure. This flexibility is very helpful, but it will likely require more effort during the assessment than the compensating controls approach that the PCI SSC has approved and QSAs have been familiar with for years. Be prepared to prove that these controls work as intended and to show how they affect other controls in PCI 4.
Finally, there’s the attestation process, or the journey to prove compliance. The time to validate your controls will increase with PCI DSS 4 and its additional requirements, but it should be proportional to your assessment level.
| Level | Total transactions | Type of assessment | Assessor | Compliance deadline (non-future-dated) |
|---|---|---|---|---|
| Level 1 | More than 6 million transactions | Report on Compliance | Qualified Security Assessor | March 2024 |
| Level 2 | 1 to 6 million transactions | Self-assessment questionnaire | Internal Security Assessor or self-assessed | March 2024 |
| Level 3 | 20,000 to 1 million transactions | Self-assessment questionnaire | Self-assessed | March 2024 |
| Level 4 | Under 20,000 total transactions | Self-assessment questionnaire | Self-assessed | March 2024 |
Generic representation of the various card levels.
How to prepare for PCI 4 today
For smaller companies or those using a service provider to minimize their responsibilities, PCI 4 may not be a pressing concern today.
However, for larger organizations or those with their own systems, the time to start thinking about PCI 4 compliance is now. Some of the factors that can affect PCI timelines include the following:
- Complex, critical processes: If PCI affects an organization’s core business processes, it should start the transition as soon as possible. This leaves time to plan and test updates properly before deploying them or seeking an audit.
- Long-lived systems: For long-lived, mission-critical, or embedded systems, making software updates may be costly, difficult, or impossible. Designing for PCI 4 compliance today can save time and effort in a year, when compliance becomes mandatory.
- Budget: Redesigning an organization’s systems to comply with new PCI requirements can be a significant financial challenge. Companies can mitigate this by starting early and spreading out costs over the coming financial quarters.
Now may also be the right time to transition to a tokenization service, like Basis Theory. These platforms and their compliant infrastructure allow companies to collect, secure, and use data, eliminating upwards of 99% of the effort of PCI compliance while mirroring the capabilities of an in-house system (e.g., searching, sharing, permissioning, etc.). In fact, you can spin up your own PCI Level 1-compliant environment in as little as five minutes!