A Look Ahead at PCI DSS v4.0
This month’s theme is “Staying Ahead on Compliance” and there is perhaps no larger change coming than the PCI DSS v4.0 update.
For most hoteliers, maintaining PCI DSS compliance is critical, so this week we’ll dive into what to expect from the change.
Background
PCI DSS has evolved through periodic updates. The current operational version is v3.2.1, released in May 2018.
In March 2022, the PCI SSC released PCI DSS v4.0. Entities may choose to be assessed against v4.0 immediately. However, meeting every v4.0 requirement will not be mandatory until March 31, 2025.
Although there is time before entities must meet the updated standards, it is important to look ahead and plan for future compliance.
Major Content Changes
PCI DSS v4.0 contains many changes to the substantive requirements of the standard.
In this section, we’ll highlight some of the major updates to be aware of.
* MFA. Requirements for multi-factor authentication (MFA) are significantly expanded. MFA will be required for all access into the cardholder data environment (CDE), not just for administrators, and not just for remote access: on-console access is covered as well. The only carve-outs are application and system accounts performing automated functions and user accounts on point-of-sale terminals that handle a single card number at a time.
* Customized approach. Alongside the traditional "defined approach" (follow the requirement as written, or document a compensating control where a legitimate constraint prevents that), v4.0 adds a "customized approach". It lets an entity implement a different control of its own design, as long as it documents how that control meets the stated objective of the requirement, performs a targeted risk analysis for it, and has its assessor test it. It is intended for risk-mature organizations, not as a shortcut for those who simply cannot meet a prescriptive control.
* Periodic diligence. v4.0 adds recurring activities, most of them at least once every 12 months: documenting and confirming PCI DSS scope (every six months for service providers), a targeted risk analysis for each control implemented under the customized approach, a review of cryptographic cipher suites and protocols in use, and a review of hardware and software technologies to confirm they are still supported.
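As an added illustration of what the annual cipher-suite, protocol and technology review above can look like in practice (example code written for this article, not a VENZA or PCI SSC tool), the script below walks a small constructed inventory of TLS endpoints and flags deprecated protocols, weak cipher suites and software that is past, or about to pass, its vendor support date. The endpoint names, the inventory format and the support dates are assumptions made for the example.

```python
"""Annual review of cipher suites, protocols and technologies in the CDE.

Added example. The inventory below is constructed for illustration; in a real
review it would be produced from a TLS scanner and the asset register.
"""
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Optional, Set

# Protocols the PCI SSC stopped treating as strong cryptography with the
# SSL/early-TLS migration (deadline 30 June 2018).
DEPRECATED_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1.0", "TLSv1.1"}

# Substrings (OpenSSL-style names) that mark broken or weak cipher suites:
# RC4, single/triple DES, null encryption, export grade, MD5 MACs and
# anonymous (unauthenticated) key exchange.
WEAK_CIPHER_MARKERS = ("RC4", "DES", "NULL", "EXPORT", "MD5", "ADH-", "AECDH-")


@dataclass
class Endpoint:
    name: str
    protocols: Set[str]
    ciphers: List[str]
    software: str
    end_of_support: Optional[date] = None  # None if the vendor has not announced one


def review_endpoint(ep: Endpoint, review_date: date) -> List[str]:
    """Return a list of findings for one endpoint (empty list means clean)."""
    findings = []

    # Requirement 12.3.3: protocols and cipher suites still in use
    for proto in sorted(ep.protocols & DEPRECATED_PROTOCOLS):
        findings.append(f"{ep.name}: deprecated protocol {proto} enabled")
    if not (ep.protocols - DEPRECATED_PROTOCOLS):
        findings.append(f"{ep.name}: no current protocol (TLS 1.2 or later) offered")
    for suite in ep.ciphers:
        if any(marker in suite for marker in WEAK_CIPHER_MARKERS):
            findings.append(f"{ep.name}: weak cipher suite {suite}")

    # Requirement 12.3.4: hardware/software still supported by its vendor,
    # looking one review cycle (12 months) ahead so nothing lapses unnoticed.
    if ep.end_of_support is not None:
        if ep.end_of_support <= review_date:
            findings.append(
                f"{ep.name}: {ep.software} reached end of support on "
                f"{ep.end_of_support.isoformat()}"
            )
        elif (ep.end_of_support - review_date).days <= 365:
            findings.append(
                f"{ep.name}: {ep.software} support ends {ep.end_of_support.isoformat()}, "
                f"before the next annual review"
            )
    return findings


def review_inventory(inventory: List[Endpoint], review_date: date) -> Dict[str, List[str]]:
    """Run the review over every endpoint and key the findings by endpoint name."""
    return {ep.name: review_endpoint(ep, review_date) for ep in inventory}


# Constructed sample inventory (hypothetical hostnames and support dates).
REVIEW_DATE = date(2024, 4, 1)
SAMPLE_INVENTORY = [
    Endpoint("pms-api.example.internal", {"TLSv1.2", "TLSv1.3"},
             ["TLS_AES_256_GCM_SHA384", "ECDHE-RSA-AES128-GCM-SHA256"],
             "nginx 1.24"),
    Endpoint("legacy-pos-gw.example.internal", {"TLSv1.0", "TLSv1.2"},
             ["DES-CBC3-SHA", "AES128-SHA"],
             "Windows Server 2012 R2", end_of_support=date(2023, 10, 10)),
    Endpoint("vendor-ftp.example.internal", {"SSLv3"},
             ["RC4-MD5"],
             "vsftpd 2.x"),
]

if __name__ == "__main__":
    for name, findings in review_inventory(SAMPLE_INVENTORY, REVIEW_DATE).items():
        status = "OK" if not findings else f"{len(findings)} finding(s)"
        print(f"{name}: {status}")
        for line in findings:
            print(f"  - {line}")
```

The output of such a review is the evidence an assessor will ask for: a dated list of what was checked, what was found, and the remediation or risk-acceptance decision for each finding. Run it from the scan results and asset register at least once every 12 months, and keep the prior year's report alongside it.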
Of course, these are only a snapshot of the many changes. For a more thorough discussion, VENZA clients have access to our PCI DSS v4.0 Quick Reference Guide and Introduction to PCI DSS v4.0 security awareness training course.
Timeline
The PCI SSC encourages organizations that are ready to be assessed against v4.0 to do so now, but the transition itself happens in two phases. There are two dates to be aware of:
1. Retirement of v3.2.1 – March 31, 2024. After this date, v3.2.1 is no longer valid and only v4.0 can be used for assessments. The 13 new requirements that are effective immediately in any v4.0 assessment therefore become mandatory for everyone at this point.
2. Future-dated requirement deadline – March 31, 2025. The remaining 51 new requirements, treated as best practices until then, become mandatory. After this date, every PCI DSS v4.0 requirement must be met.
How VENZA Can Help
VENZA can be your guide to effectively prepare for the v4.0 transition and ensure continued compliance.
1. SAQ Preparation. VENZA's Security Team is made up of SAQ experts and is qualified by the PCI SSC as a Qualified Security Assessor (QSA) for v4.0. The team has deep experience with PCI DSS requirements and how they apply to the hospitality industry.
2. Policy Templates. PCI DSS requires that organizations maintain an Information Security Policy that details core organizational policies. VENZA maintains a Policy Templates Library that can provide the foundation for your Information Security Policy. Our expert Security Team can advise you on how to best tailor it to your organizational structure and needs.
3. Thought Leadership. VENZA maintains a Quick Reference Guide covering v4.0, offers a standalone Introduction to PCI DSS v4.0 security awareness training course, and will continue to cover the transition here at the Alpine Echo. Stay tuned for additional material on the subject!
Feeling overwhelmed? Don’t be. VENZA and CyberTek are here to help. Cybersecurity is complex, but in partnership with us, your company can get started in as little as one month. Get a live demonstration today by contacting our Customer Success team.
Ready to elevate your game? Contact Sales to discuss signing up for our programs or adding new solutions to your contract.
***
Take VENZA’s free Phishing Test to assess gaps in your human firewall today!
Training your personnel to recognize and report phishing attempts is essential to protecting your guests and their data. Get started by determining your risk and readiness level using this free tool.
***
Want to stay informed? Subscribe to the free VENZA Echo now. You’ll receive a monthly digest with the highlights of our weekly article series and important product updates and news from VENZA.