Is your organisation ready for the new Payment Card Standard PCI DSS 4.0?


As payments move ever closer to becoming almost exclusively electronic, payment card companies, retailers and legislators are increasingly turning their attention to customer security and data protection. 

As discussed in our recent blogs on Open Banking and Cyber Security, electronic payments and data management come with many risks to businesses and customers. New security measures are constantly being introduced, including PCI DSS 4.0 for card payments.

What is PCI DSS 4.0?

Set by the PCI SSC (Payment Card Industry Security Standards Council), PCI DSS is the global data security standard the payment card industry uses to protect the cardholder. It applies to any organisation that processes, stores or transmits cardholder information or private authentication data.

Essential compliance requirements of the Standard include: maintaining firewalls, anti-virus software and security policies; ensuring the use of unique IDs and passwords; applying encryption to transmitted cardholder data; and restricting and tracking access to cardholder information.

Until recently, the sector used a version of the Standard known as PCI DSS v3.2.1. This version was insufficient for the evolving security needs within the industry and, consequently, will be replaced with PCI DSS 4.0.

The new version of the Standard will place increased focus on risk analysis and governance and requires companies to be prepared to report continuously rather than annually, which is the current obligation. While this is good for customer security, it will pile further pressure on companies to remain compliant. 

However, as the new rules have been designed in conjunction with feedback from top global industry players, the changes will allow businesses more flexibility to report in ways that suit their targeted organisational needs and personal risk exposure.

When will the rules change?

The update was released just a few weeks ago, on March 31, 2022, so companies who want to comply with industry ‘best practice’ will want to implement the changes as soon as possible.

However, the new rules will be optional and will not fully replace the current Standard until March 31, 2024, when 3.2.1 will be retired, with a handful of the new 4.0 requirements still not mandatory until March 31, 2025.

Organisations can ‘opt-in’ before the 2024 deadline, and those who do will have access to self-assessment questionnaires and other supporting documents once they are published in the coming months.

Should my organisation be preparing for the changes now?

The simple answer is yes. According to the National Law Review, “Implementing PCI DSS 4.0 will require structural changes beyond tweaking security controls. Businesses will also need to prepare for the increased legal risks of PCI DSS 4.0’s obligations.” They say that “PCI DSS 4.0 is an extensive change to the previous version of PCI DSS” and that “the additional annual diligence requirements will take time and effort to establish”.

The move to PCI DSS 4.0 will likely be time-consuming. Businesses will require risk governance, compliance, and legal teams to identify current compliance gaps and successfully navigate the changes. Organisations are being advised to act now to allow time to recruit the right talent and to plan and implement new tailored processes to satisfy the updated rules.

If your organisation is looking for the right compliance, governance and legal professionals to help manage your company’s risk processes, talk to McGregor Boyall today and discover how we can help you find the best talent.