PCI DSS 4.0 - Adapting to the changes

Data Protection Made Easy

In this episode of Data Protection Made Easy our hosts Oliver Rear and David Holmes were joined by PCI DSS consultant, Start Golding to discuss the changes made to the PCI DSS.

The long-awaited PCI DSS version 4.0 is the first major change to the standard since the end of 2013 and although the newest version of the standard is now in the public domain, the current PCI 3.2. 1 will not be retired until Q1 of 2024.  This means that anyone taking card payments can now start to plan how the changes to the PCI DSS will affect them.

During this session, our hosts will discuss some of the key points that you need to know about PCI DSS 4.0 sharing top tips and advice on helping your organisation prepare for the new version of the standard.

What is the PCI DSS?

The Payment Card Industry Data Security Standard (PCI DSS) is an information security standard for organisations that handle card payments. The PCI Standard is mandated by the card brands but administered by the Payment Card Industry Security Standards Council. The standard was put in place to increase the controls around cardholder data to reduce credit card fraud.

Who needs the PCI DSS Certification?

All merchants (retailers and others taking payments via cards) and service providers that process, transmit or store cardholder data must comply with the PCI DSS as a contractual obligation to their bank.  Merchants is the term the PCI DSS uses to which is anyone who accepts debit or credit card payments for goods or services.  Note that the PCI DSS applies to merchants even if they have subcontracted their payment card processing to a third party.

What level of assistance do you need?

If your business is processing card data you NEED to comply with the PCI DSS.  The standard requires merchants and services providers to sign an attestation as to their compliance.  Those handling smaller volumes of transactions are able to complete a self-assess questionnaire (SAQ) and an attestation of compliance (AOC) but those processing larger volumes of transactions must have an annual external assessment by an accredited “QSA” company like Data Protection People and the preparation of a report on compliance (ROC).  Whichever route you are required to attest to your compliance, the SAQ, ROC and AOC is the result of a formal and documented assessment process.

What do I need to do now?

Version 4.0 of the PCI DSS has markedly different requirements from version 3.2.1 and you have a window in which you need to understand the changes and how they will affect your assessment process.  Ideally, you should engage with a PCI DSS accredited QSA company (https://www.pcisecuritystandards.org/assessors_and_solutions/qualified_security_assessors) to undertake a gap analysis so that you get a fix on the changes you will have to make to meet the new and changed requirements of version 4.0.  A gap analysis will result in an action plan giving you the time to make any necessary changes well ahead of the phasing out of version 3.2.1.

The last thing you can afford is to rush this at the last minute and risk losing your ability to take card payments.

How can Data Protection People help? 

Data Protection People maintains a dedicated QSA Practice, that sits within our PCI and Information Security division. Our QSA Practice is engaged by retail brands, payment service providers, and multinational organisations, to provide experienced Qualified Security Assessors (QSAs) that understand complex technical environments. If you are interested in finding out more about the PCI services we offer visit our PCI page or book a chat with one of the team. 

Useful links from today’s session

England and Wales High Court (Queen’s Bench Division) Decisions:
https://www.bailii.org/cgi-bin/format.cgi?doc=/ew/cases/EWHC/QB/2022/737.html&query=(Chief)+AND+(constable)+AND+(of)+AND+(Kent)+AND+(police)

CNIL Fine:
https://www.orrick.com/en/Insights/2022/04/French-Data-Protection-Authority-Fines-Processor-for-Failing-to-Enter-into-Data-Processing-Agreement

Speakers from today’s session

Oliver Rear – House Consultant – Data Protection People – LinkedIn 
David Holmes – Senior Data Protection Consultant – Data Protection People – LinkedIn
Stuart Golding – Founder and CEO – UKDataSecureLinkedIn

‘Data Protection Made Easy’ is not only a podcast, it’s a community of almost 900 Data Protection Practitioners who all have the shared goal of simplifying Data Protection, by subscribing below and joining our community you will benefit from one invite a week to FREE events where we discuss various topics related to Data Protection as well as updates on news and changes to legislation.

Listen On All Major Podcast Platforms