PCI DSS 4.0 Understanding The Changes

On this week’s episode of the Data Protection Made Easy Podcast our hosts, Jasmine Harrison and Phil Brining, joined our growing audience of Data Protection Practitioners to discuss the Payment Card Industry Data Security Standard (PCI DSS) and the recent changes to the Standard. Our director Phil Brining, is one of only a handful of Qualified Security Assessors (QSAs) in the UK and is a member of a team of brilliant DPOs here at Data Protection People.

What is the PCI DSS?

The Payment Card Industry Data Security Standard, or PCI DSS, is an information security standard for organisations that handle branded credit cards from major card schemes.

Who has to comply with the PCI DSS?

The PCI DSS applies to anyone who stores, processes and/or transmits cardholder information. If you receive electronic payment of any kind you will need to comply with the standard.

What are the different levels of the Merchant?

Organisations are categorised into levels depending on how many transactions are completed each year, this will determine the manner in which you can meet the standard.

Level 1: Merchants that process over 6 million card transactions annually.

Level 2: Merchants that process 1 to 6 million transactions annually.

Level 3: Merchants that process 20,000 to 1 million transactions annually.

Level 4: Merchants that process fewer than 20,000 transactions annually.

Version 4.0 of the PCI DSS was published on 31 March 2022. Though the current version (3.2.1) remains valid until March 2024, you should know what level your business operates at to prepare you for the end of the transitionary period.

Changes to the PCI DSS

Some of the key changes are:

• • Requirement for a formalised annual scoping exercise
  • Roles and responsibilities now need to be explicitly defined
  • There is a formal risk assessment process
  • There are changes to encryption rules
  • Stronger user authentication e.g. passwords
  • Changes to the rules on malware
  • A new set of requirements on scripts and HTTP headers on pages
  • A new way of meeting the requirements call a customised approach
  • A new assessment criteria “in place with remediation”

Support with the PCI DSS

If you have listed to this episode of the Data Protection Made Easy podcast and still have questions remaining, please reach out to one of the team or visit our PCI page and learn more about the support we offer. Phil Brining is an experienced QSA and is able to support you with any part of your PCI journey. Contact us here.

Join the Data Protection People Community

Our community consists of almost 1000 data protection practitioners from a wide range of backgrounds, we have clients from all sectors and have seen every data protection challenge imaginable. We tailor our events to support our audience with these challenges and discuss all things data protection from Subject Access Requests to Data Breaches. We host interactive webinars with 50-150 data protection practitioners where we share solutions to common challenges, these sessions are recorded and posted online in the form of a podcast, you can listen back to 90+ episodes of the DPME podcast on Spotify, Apple Music, Iheart Radio or any other major audio-streaming platforms. If you would like to join us live on future episodes of the podcast please visit our events page and sign up for any of the many brilliant events we have on the horizon.

Where can you listen?

Spotify: https://open.spotify.com/show/0EUicNr0gkLJvQFqzvc5oy
Amazon Music: https://music.amazon.com/podcasts/60715bf5-b479-4d9c-a845-26d1a1a14c7a
Deezer: http://www.deezer.com/show/1985042
Iheart Radio: https://www.iheart.com/podcast/53324463
JioSaavn: https://www.jiosaavn.com/shows/Data-Protection-Made-Easy/1/avDkKAvEMMw_
Listen Notes: https://www.listennotes.com/c/c9740547ce314ddcbd7aecb42418ba25/
Podcast Addict: https://podcastaddict.com/podcast/3161163
Podcasters: https://www.podchaser.com/podcasts/data-protection-made-easy-1552369
Resource Centre: https://dataprotectionpeople.com/resource-centre/