The Payment Card Industry Security Standards Council (PCI SSC) is an industry body founded by the major card brands, and for years it has owned a standard called the PCI Data Security Standard, or PCI DSS. Complying with it is not a matter of law (except in a couple of states), but it is a contractual requirement for every business that accepts payment cards, and customers often want to know that you, as a vendor that accepts cards, are PCI DSS compliant before they will do business with you. Insurance companies likewise want to know whether you are compliant before they will write you a policy. Okay, enough with the history lesson.
The current version of the PCI DSS is 3.2.1, released in 2018. It is a minor update to 3.2, released in 2016, which in turn followed 3.1, released in 2015. Version 3.0 was released in 2013.
That means the standard has not been fundamentally rewritten in nine years. That is a long time for a security standard.
PCI DSS 4.0 has been a work in progress for the last three years, and the council received more than 6,000 comments during that time.
Version 3.2.1 is currently scheduled to be retired on March 31, 2024. For some companies the transition will be relatively simple, but for others, especially smaller ones, this is a good time to consider outsourcing card processing and shrinking the cardholder data environment. If you keep it in house, expect to spend money, possibly on hardware and/or software and almost certainly on staffing. Start planning now.
New requirements include:
- Updated firewall requirements, broadened in 4.0 into "network security controls" so that cloud and virtual filtering technologies are covered, not just traditional firewalls
- Enhanced multi-factor authentication requirements: MFA for all access into the cardholder data environment, not only for administrators and remote users
- Increased flexibility in how some requirements are met (the "customized approach"), which in practice requires a mature IT and governance environment to document and defend
- Increased emphasis on tying targeted risk analyses to how security controls are implemented and how often they are performed
Now is the time to look at the new requirements and make some decisions.
If you need help, contact us.
Credit: CSO Online