Hoteliers and PCI DSS 4.0: Essential Compliance Updates for 2024

On 31 March 2024, the next stage of Payment Card Industry Data Security Standard (PCI DSS) version 4.0 began. Of the updated standard’s 64 changes, thirteen new requirements officially became mandatory and entered into effect. Although the other 51 requirements remain designated as best practices until March of next year, it is clear that the changes already underway will have significant implications for businesses around the world.

Because these changes introduce new and rigorous security measures, hoteliers must begin the process of compliance now and ensure their security postures are aligned with the new standard.

In previous editions of the VENZA Echo, we have examined these future requirements. This week, however, we shift our focus to the immediate changes, detailing the requirements and updates that hoteliers must implement as of 1 April of this year.

Role-Based Procedures

Most of the new requirements address operational procedures, focusing heavily on the designation of specific roles within an organisation’s IT security team.

Of the 13 new requirements, 10 (2.1.2, 3.1.2, 4.1.2, 5.1.2, 6.1.2, 7.1.2, 8.1.2, 9.1.2, 10.1.2, and 11.1.2) assign individual responsibilities for different facets of PCI DSS, mandating that specific team members be accountable for protecting stored account data, incident reporting, and other critical security tasks.

PCI DSS Scope

Arguably the most demanding of the newly enacted mandates is requirement 12.5.2, which stipulates that organisations must document and confirm the PCI DSS scope of their Cardholder Data Environment (CDE) annually. This scope documentation must also be updated whenever significant changes occur, such as the addition of new software or hardware to the CDE.

The requirement involves an intensive and comprehensive assessment of all elements that interact with the CDE, detailing all tools and technologies used to store, process, or transmit sensitive cardholder data, as well as identifying the major stakeholders involved in these operations.

Service Provider Notice

Requirement 12.9.2 creates clear roles and responsibilities for how third-party service providers (TPSPs), such as managed service providers (MSPs) and payment processors, must manage their clients’ cardholder data. If requested by their customer, TPSPs must now provide details on their own PCI DSS compliance status.

Since most hoteliers qualify as merchants, requirement 12.9.2 will likely have minimal impact on them.

Customized Approach

Requirement 12.3.2 introduces one of the most significant changes in PCI DSS 4.0: the Customized Approach.

Unlike the previously available Defined Approach, this new validation method allows businesses to achieve compliance without strictly adhering to specific PCI DSS requirements, provided they adopt a method that achieves equivalent results.

While it may appear to be a time-saving workaround for those struggling with the Defined Approach, it is not so simple. The PCI Security Standards Council recommends the Customized Approach only for organisations with sophisticated and mature risk management systems, as it demands more evidence, documentation, and assessments, and therefore additional resources and time.

***

PCI DSS 4.0 is officially here, ushering in 13 new mandatory requirements for businesses across the world. By understanding and implementing these new requirements, hoteliers can remain ahead of the curve in safeguarding their guest data and maintaining regulatory compliance. These efforts will lay the vital groundwork for tackling the additional 51 requirements that will become effective in March 2025 and ensure a robust and secure infrastructure that meets the evolving standards of data security.

Feeling overwhelmed? Don’t be. Through our Everest™ program, our Security Team expertly guides hoteliers of all sizes through both existing and upcoming PCI DSS 4.0 requirements. In partnership with us, your company can tackle regulatory compliance in as little as one month.

Ready to get started? Contact Sales to discuss signing up for our programs or adding new solutions to your contract.

###

Take VENZA’s free Phishing Test to assess gaps in your human firewall today!

Human Firewall

Training your personnel to recognize and report phishing attempts is essential to protecting your guests and their data. Get started by determining your risk and readiness level using this free tool.

Want to stay informed? Subscribe to the free VENZA Echo now. You’ll receive a monthly digest with the highlights of our weekly article series and important product updates and news from VENZA.