Updated on October 29, 2022 by Ian Terry
There has been a remarkable increase in cloud technologies, e-commerce, and online payments in recent years. It has increased even more since the COVID-19 pandemic. With this, there has also been a surge in cybercrime, whose perpetrators have taken advantage of the global economic instability to initiate attacks on organizations. Hence, security checks, countermeasures and regular upgrades have never been more significant. One such is the recent Payment Card Industry Data Security Standard (PCI DSS) upgrade from version 3.2.1 to version 4.0.
Payment Card Industry Data Security Standard (PCI DSS) comprises policies and guidelines for companies that deal with branded credit cards. It aims to reduce credit card fraud and increase controls around cardholder data. The Payment Card Industry Security Standards Council (PCI SSC) defines the PCI DSS. The council is a coalition of the five (5) largest credit card companies globally. Official credit card industry regulatory guidelines and standards were first released in December 2004 but have evolved to meet the technological upgrades in credit card transactions since then.
Transitioning from PCI DSS v3.2.1 to v4.0
The most recent version of the PCI DSS is v4.0, launched in March 2022 as a replacement for the last version, PCI DSS v3.2.1. The implementation would not be immediate for compliance and smooth adoption, as both versions – v3.2.1 and v4.0 will coexist for two (2) years (till March 2024). During that transition period, the PCI SSC recommends that credit card companies begin studying the new standard, updating their systems and policies, and preparing for the complete adoption of the most recent standard.
Implementing the PCI DSS 4.0 would involve numerous changes in risk assessment, management of keys and certificates, identity and access management, application development, email filtering technology, multifactor authentication and even security information and event management. All those changes would ensure greater ease and secure daily transactions. Hence, the need for businesses, merchants or organizations that handle cardholder data to comply with this upgrade is stressed.
Below are some guidelines on how credit card companies can begin preparing for the transition from PCI DSS v3.2.1 to v4.0 now:
How to Prepare for PCI DSS 4.0
Understand the Ins and Outs of the PCI DSS Version 4.0
Change is not easy to come by, so enough time is needed for adjustment most times. That understanding is why implementing PCI DSS v4.0 would not be drastic but gradual. Credit card companies and merchants need time to familiarize themselves with the Report on Compliance (ROC) and Self-Assessment Questionnaire (SAQ) templates published by the PCI council. The concerned individuals and companies need to understand what this upgrade entails and what it means for their businesses and transactions.
Stick To the Recommended Timeline
The PCI council has released the timeline for the retirement of version 3.2.1 and the implementation of version 4.0. Concerned employees and stakeholders must be kept abreast of this information to accommodate adequate planning. All version 4.0 requirements not marked as future-dated must be in place by March 2024, while future-dated ones must be in place by March 31st, 2025. Needless to mention that strict adherence is non-debatable.
Conduct a Thorough Risk Assessment
Individuals and organizations should conduct regular risk assessments, especially in the face of significant changes to the network. Such practice helps to identify any potential threats or vulnerabilities in the system. One needs an effective plan to respond to security breaches to prevent catastrophic losses. All employees handling cardholder data, technology and processes involved in the company’s operations need to be taken into cognizance during a risk assessment.
Regular Document Updating
Securing information is of utmost importance, hence the need to document cybersecurity protocols. Specifically, cardholder information must be secured, with security protocol regularly updated. You should note the steps and programs implemented to comply with PCI DSS standards. Make sure to account must be given of all the steps involved in the security chain. That is to ensure the availability of this information if the need arises.
Remove Redundant Data
In preparation for the upgrade, you should clean your data to remove unwanted or redundant ones. Care should be taken to remove all data concerning sensitive systems to prevent theft, damage, or manipulation. All the data available should be related to the new version and tailored towards improving its efficiency.
Involve The Necessary Stakeholders
Involving stakeholders is good practice because there may be hidden data that could give room for security breaches in the future. Technicalities involving cardholders’ data and transactions, such as card processing errors and stored unencrypted financial data, could sometimes be addressed by these PCI DSS and business stakeholders.
Let’s Start Preparing for PCI DSS 4.0
Advancements in technology necessitate specific upgrades in business operations. Staying ahead of security threats is a valued essential in business, necessitating an upgrade from PCI DSS version 3.2.1 to version 4.0. With the transition period of 2 years, there is room for careful planning by the relevant stakeholders on how to implement the upgrade. Even while doing so, there is a need to follow cybersecurity and business protocols.
Contact AWA about PCI 4.0 Readiness services.
