The payment security landscape is ever evolving. We are on the brink of a significant shift in the Payment Card Industry Data Security Standard (PCI DSS). Are you prepared for the forthcoming PCI DSS v4.0?

Why is this transition significant?

The Payment Card Industry Data Security Standard (PCI DSS) serves as a benchmark for organizations that handle cardholder data. It's a robust framework designed to ensure the security of card transactions and protect cardholder data against threats. As technology and cyber attackers evolve, so too must our standards. And that's where PCI DSS version 4.0 comes into play.

PCI DSS v4.0 promises to usher in substantial changes, building upon the foundation laid by PCI DSS v3.2.1. These changes come with their own set of challenges — and opportunities. Are you ready to navigate them?

Delap: A guide for management

Enter the expertise of Delap. We're not just another CPA firm; we also specialize in cybersecurity. As a Qualified Security Assessor (QSA) Company, we pride ourselves on being ahead of the game, already qualified to assess against the v4.0 standard.

We'd like to help you prepare for the transition to PCI DSS v4.0 through this blog series.

We aim to offer you insights rooted in deep expertise and a history of excellence, whether you're in business management, IT leadership, or directly involved in PCI DSS implementation.

Your roadmap to PCI DSS v4.0

With the retirement of v3.2.1 set for March 31, 2024, the clock is ticking. You must be ready to assess against v4.0 starting April 1, 2024. That's just a couple of quarters away, and some of the changes to the DSS are substantial.

So, what are some of those changes and what will we cover in this blog series? Here's a snapshot of what to anticipate:

The Customized Approach

This is a brand-new concept in the standard. You are no longer limited to the PCI Security Standards Council's prescriptive approach (now known as the Defined Approach). Under the Customized Approach, you must still meet the intent of the requirement, but you may do so with your own methods or tools. Using the Customized Approach involves significant work that must be done by the merchant or service provider.

Are you deciding between the Customized Approach and the Defined Approach? In the majority of cases, the Defined Approach will be a better fit, and we'll help guide you through that decision.

New Requirements

PCI DSS v4.0 brings a whole suite of fresh requirements — 53 for merchants and 11 for service providers. That's a lot.

Of the new requirements, 13 must be in place by March 31, 2024, while the remaining 51 must be in place by March 31, 2025.

In our blog series, we'll delve deep into the types of evidence that QSAs will need to see for the more complicated new requirements.

Other Changes

Our exploration won't stop there. Here's what else is on the agenda of our PCI DSS v4.0 blog series:

  • Authenticated vulnerability scans
  • Payment page change-and-tamper-detection mechanism
  • Multi-Factor Authentication (MFA)
  • Access Review
  • Targeted Risk Analyses
  • Inventories
  • And so much more!

As you can see, we've got plenty to share with you. Our commitment is to help make your transition to v4.0 a little easier. Should you find yourself with questions or in need of strategic insights, just give us a call at 503-697-4118 and ask for Spencer, David, or Debra, or reach out online.

March 31, 2024, is coming.