PCI DSS applies to any merchant or service provider that processes, stores or transmits cardholder data (CHD), or that could impact the security of CHD. Examples of processing include retailers taking payments at tills, mortgage brokers or accountants taking online payments, and organisations whose customer support staff take telephone payments. Examples of organisations that may impact the security of CHD include IT providers, website providers, storage providers hosting in-scope systems, and even those handling merchant receipts.
A new version of the standard, PCI DSS v4.0, goes into effect on 31 March 2024. The previous version, v3.2.1, retires on that date.
I was discussing their next assessment with a client this week. In the next few months, they will start a PCI DSS assessment. The client asked, “Should I undertake PCI DSS v3.2.1 or v4.0 next?” It is an interesting question. There is no right or wrong answer per se, but there are advantages and disadvantages to both. Let’s discuss the two possible options here.
1. Your organisation does a PCI DSS v4.0 assessment.
If you undertake a PCI DSS v4.0 assessment, you will encounter some differences and new controls. The advantage is that you will know exactly where you need to uplift your controls. The risk is that if you need to remediate (to meet v4.0) or spend additional assessment time (to revert to a v3.2.1 assessment), you could overrun your PCI DSS certification expiry date. This can be a tough time for staff, who are usually under pressure to complete the actions needed to achieve compliance.
2. Your organisation does a PCI DSS v3.2.1 assessment.
This approach should be more comfortable: if you have been maintaining your policies, procedures and controls, you should be able to meet and maintain compliance again. The advantage is that, in principle, once you have passed you have another 12 months of being compliant. This also means you have, in theory, 12 months to ensure your organisation works towards PCI DSS v4.0, as you will have no other option by then. The disadvantage is that you still need to undertake a v4.0 gap analysis, which could have been done earlier.
Overall, the message is that you should already have undertaken a PCI DSS v4.0 gap analysis some time ago. If you have not, start a v4.0 gap analysis now and identify the gaps that need to be fixed. If there is little to uplift, you may decide to proceed with a v4.0 assessment. If there is a lot to uplift, you still have the option of reverting to a v3.2.1 assessment. If your PCI DSS assessment is close and you have no option other than a v3.2.1 assessment, start a v4.0 gap analysis soon after it.