

New controls released with PCI Version 4 to provide latest safeguards for payment security

20th May, 2022

The payment security environment is continually challenged by new threats, more so now than ever before.

To combat this, the PCI council have released a new version of controls. Version 4 was released on 31st March 2022 and will replace version 3.2.1 in full by 31st March 2024. The current version (3.2.1) was reviewed by key stakeholders, including qualified security assessors (QSAs), organisations and merchants, to factor in key industry changes and ensure the standard remains relevant.

What does the new version mean for your organisation?

There are two critical points that will require action following the release of version 4.

The first is to maintain the controls that your organisation has in place. The existing version 3.2.1, which has been around since 2018, is still a valid standard to comply with and be assessed against. This version (3.2.1) will then be retired as of 31st March 2024, requiring all assessment activity to be conducted against version 4.0 from this point forward. Note that any of the new future-dated evolving controls need to be operational by 31st March 2025.

The second is that QSAs are not able to assess your environment until they have been trained and successfully passed the version 4.0 exam, due to start from June 2022 onwards.

What will change under the new controls?

From an assessment perspective there are now two different methods: defined and customised.

The first is the continuation of the “Defined” control assessment method, which is how all assessments (RoC or SAQ) have been conducted since the introduction of the DSS.

The second method is the introduction of the “Customised Approach”, a new method of assessment. This means that an organisation only has to assess the controls that apply to their environment.

The customised approach focuses on the objective of each PCI DSS requirement, allowing entities to implement controls to meet the requirements in a way that does not strictly follow the defined requirement.

As each customised implementation will be different, there are no defined testing procedures. Therefore, the assessor is required to derive testing procedures that are appropriate to the specific implementation to validate that the implemented controls meet the stated objective.

An entity can also use a mixed approach for their assessments, which combines controls from both the “defined” and “customised” methods for assessing their compliance with PCI DSS.

There are 64 new controls in version 4. 13 of the new controls are applicable immediately if you are being assessed against version 4, and 51 of the new controls are evolving to be effective from 31st March 2025. It should also be noted that once an organisation is assessed against version 4, the new versions of the RoC template and SAQ forms must be used.

What we advise you to do now

  • Get a copy of the Version 4.0 DSS
  • Review the evolving controls and how they may affect your business processes and assessment needs
  • Review what existing controls will need to be changed to prepare for version 4.

If you need help and support moving from 3.2.1 to version 4 then contact


Mark Railton

Practice Lead - Cyber Security & Privacy Team
