PCI DSS v4.0 Updated Security Standards - What You Need To Know

Merchants will soon need to transition to the new security standards for PCI DSS v4.0.

All businesses involved in payments and card payment data are about to be subject to new security standards set by the PCI SSC. On March 31st, the PCI SSC published PCI Data Security Standards v4.0. This new version is a major upgrade to the standard businesses have been subject to for the last several years.

As we know, everyone “storing, processing, or transmitting cardholder data” must comply with security standards set by the Payment Card Industry Security Standards Council (PCI SSC). The current version of those standards, the Payment Card Industry Data Security Standards (PCI DSS), is v3.2.1.

PCI DSS is a global standard for protecting card payment data. It establishes the criteria for technical and operational processes for businesses involved with payment data and payment processing. 

PCI was designed to be an evolving standard. As new threat vectors have been identified, the standards have evolved to meet those threats.

What does PCI DSS v4.0 have in store for businesses?

PCI DSS v4.0 is the result of 3 years of collaboration with over 200 organizations. The goal was a set of security standards that remains applicable in a complex and ever-evolving payment security environment. Version 4.0 also clarifies the standards so there is less room for interpretation in how each one is applied.

But these changes go a step further than keeping up with new threats and making requirements more stringent. The new standard emphasizes that security is a continuous process. The PCI SSC also wanted to give organizations more flexibility, since they may use varying methods to achieve the best security environment.

Here are a few of the major impacts to the standard:

  1. Moving PCI compliance and data security monitoring to a continuous process rather than a once-a-year obligation.
  2. Increasing the frequency of testing all the controls.
  3. More stringent security requirements: expansion of the 12 core requirements (and 300 sub-requirements).
  4. Requiring multi-factor authentication for many more touchpoints than previously required.
  5. Updates to password and access requirements.
  6. Stronger encryption standards to counter malware, which is increasing as an attack vector.
  7. Moving from 6-digit to 8-digit BINs to comply with new ISO standards for Issuer Identification Numbers (BIN is Visa terminology). This could impact security where truncation is the only method of meeting PCI requirements.
  8. Introduction of the Customized Approach to assessing a merchant's security environment.
  9. Enhancement of the validation procedures to increase congruence.
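
Item 7 deserves a closer look, because the effect of a longer BIN on truncation is easy to quantify. The following Python script is an added example (not code from the original post or from MonerePay) that masks a card number under a 6-digit and an 8-digit BIN and counts how many Luhn-valid card numbers remain consistent with each truncated form. The truncation formats used (keep the BIN, keep the last four digits, mask everything in between) are an assumption made for illustration; the formats actually permitted come from PCI SSC guidance. The sample PAN is a constructed test value, not a real account.

```python
"""PAN truncation under 6-digit vs 8-digit BINs (added example, not from the post).

Assumed truncation format: keep the BIN, keep the last four digits, mask the
rest with 'X'. The Luhn check digit is the rightmost digit, which stays visible.
"""
from itertools import product


def luhn_valid(digits: str) -> bool:
    """Standard Luhn check. Every real PAN passes it, which shrinks the guess space."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:           # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def truncate_pan(pan: str, bin_length: int, keep_last: int = 4) -> str:
    """Keep the BIN and the last `keep_last` digits; mask the rest with 'X'."""
    digits = "".join(ch for ch in pan if ch.isdigit())
    hidden = len(digits) - bin_length - keep_last
    if hidden <= 0:
        raise ValueError("PAN too short for this truncation format")
    return digits[:bin_length] + "X" * hidden + digits[-keep_last:]


def hidden_digit_count(truncated: str) -> int:
    """Number of digits the truncated form conceals."""
    return truncated.count("X")


def expected_candidate_count(hidden: int) -> int:
    """For any one hidden digit, exactly one of its ten values fixes the Luhn sum,
    so 10**hidden raw combinations collapse to 10**(hidden-1) valid PANs."""
    return 10 ** (hidden - 1)


def enumerate_luhn_consistent(truncated: str) -> int:
    """Brute-force count of Luhn-valid PANs matching a truncated value.

    Used only to confirm the analytic count; feasible for a few hidden digits.
    """
    positions = [i for i, ch in enumerate(truncated) if ch == "X"]
    template = list(truncated)
    count = 0
    for combo in product("0123456789", repeat=len(positions)):
        for pos, d in zip(positions, combo):
            template[pos] = d
        if luhn_valid("".join(template)):
            count += 1
    return count


if __name__ == "__main__":
    sample_pan = "4111 1111 1111 1111"   # constructed sample PAN, not a real account
    for bin_len in (6, 8):
        masked = truncate_pan(sample_pan, bin_len)
        hidden = hidden_digit_count(masked)
        print(f"{bin_len}-digit BIN: {masked}  hidden={hidden}  "
              f"Luhn-consistent PANs={expected_candidate_count(hidden):,}")
    # Confirm the formula by enumeration for the 8-digit-BIN case (4 hidden digits)
    masked8 = truncate_pan(sample_pan, 8)
    print(f"enumerated: {enumerate_luhn_consistent(masked8)} candidates")
```

For a 16-digit PAN the 6-digit BIN leaves six digits concealed, while the 8-digit BIN leaves only four, so the number of card numbers consistent with the truncated value drops from 100,000 to 1,000. That is the concern behind item 7: truncation alone retains far less uncertainty once the BIN grows, which is why the post's later advice to keep card data off your network entirely, rather than relying on truncation as the sole control, matters.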

Another key change in addition to PCI DSS v4.0

One of the biggest changes for merchants surrounds ACH payments, or bank-to-bank transfers. As of April 2022, NACHA has adopted PCI DSS as its standard for banking data security.

NACHA is the independent organization governing electronic bank transfers such as direct deposit and direct payments. Because these transfers do not carry card payment data, NACHA has historically set its own security standard for bank transfers.

With the upgrade to PCI DSS v4.0, NACHA has amended its security policies and procedures to adopt the PCI rules for how businesses protect banking data, effective June 30th, 2022. Previously, a business storing banking data only had to meet the security requirements set by NACHA. Now, businesses that store any bank account and account holder data must protect that data according to PCI DSS v4.0.

Businesses must also ensure that any third-party vendors or partners they use meet the same requirements.

The PCI website offers an in-depth explanation of the new standards, a PCI at-a-glance section, and a broad resource hub to help navigate the new standards.

Organizations have 18 months from the rollout of v4.0 to become compliant. The transition period from v3.2.1 will last two years, until March 31, 2024, during which both versions will run side by side. On March 31, 2024, PCI DSS v3.2.1 will be retired.

Meeting the new PCI DSS requirements

The good news is that meeting PCI DSS is easier than it seems for most merchants. Many of the requirements in the standard are already considered security best practice. The main goal for merchants is to reduce their PCI compliance scope: no credit card data moving across your own network or stored anywhere on it.

This means that moving as much processing as possible to a third party that meets the requirements reduces your scope as the merchant. Outsourcing your payment processing simplifies your compliance obligations. The acquiring bank, processor, gateway provider, and other third-party vendors must also meet all the PCI DSS requirements, so by partnering with them you may already meet most of the DSS. Just make sure you partner with providers that do meet PCI standards; don't assume it.

But merchants must also monitor their own environments to meet the standards, and address their internal policies and procedures surrounding cardholder data as well.

Use point-to-point encryption (P2PE) devices that are PCI validated and compliant. Non-validated P2PE devices exist, so be choosy. There are also numerous products and services that help merchants build a secure environment following security best practices and ultimately meeting the PCI Data Security Standards.

Implementing PCI DSS is a basic security strategy that’s part of a sound business plan. The business risks and costs of non-compliance can greatly outweigh the costs involved with implementing the proper security measures. 

At MonerePay, security standards are top priority. Our PCI Level 1-certified gateway meets or exceeds the most stringent industry standards. If you’re interested in payment processing with a 100% secure and PCI compliant processor, call us today.
