If your business collects, stores, or processes data, there is a framework that was written to specify exactly how you are required to protect it. For example, social security numbers are covered by your state’s data protection regulations, protected health information is covered by the Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health (HITECH), and controlled unclassified information (CUI) is covered by the Cybersecurity Maturity Model Certification (CMMC). If you are a business that processes credit or debit card transactions, you are now in the realm of the Payment Card Industry Data Security Standards (PCI DSS).
Since the release of version 4.0 of the PCI standards in March 2022, companies have been working towards familiarizing themselves with the new requirements they need to meet. To help with this journey, the following guidance will provide you with an overview of the standards, why you should adhere to them, what’s new in the latest version, and when it is going into effect. Being armed with this knowledge will help your business navigate these requirements and clear your path towards compliance with PCI DSS.
- What is PCI DSS?
- The Payment Card Industry Data Security Standard (PCI DSS) is a collection of security standards designed to ensure that every organization that accepts, stores, processes, or transmits credit card information maintains a secure environment.
- The standard is administered by the Payment Card Industry Security Standards Council (PCI SSC), an independent body that was created by the major payment card brands (Visa, MasterCard, American Express, Discover, and JCB).
- The standards are applicable to any organization, regardless of size or number of transactions, that accepts, stores, processes, or transmits any cardholder data.
- A copy of the standard as well as all supporting documentation can be found on the PCI SSC website’s document library.
- What are the benefits of being compliant with PCI DSS?
- While there are many benefits to being compliant with the standard, here are some of the key advantages:
- Letting your clients know you are compliant demonstrates that you care about the security of their payment information, which in turn builds loyalty and strengthens your reputation.
- The likelihood that a data breach of credit card information happens will be significantly reduced by meeting the requirements of the standard.
- Should an incident occur, the resulting impact (as well as the associated fines and penalties) will be greatly reduced if the standard has been met.
- By meeting the standard, you also satisfy overlapping data security requirements of other regulations, such as the Sarbanes–Oxley Act (SOX) and the General Data Protection Regulation (GDPR).
- What are the changes in version 4.0 of PCI DSS and how will it impact the compliance process?
- Version 4.0 of the standard includes more than 200 changes from version 3.2.1. Here are just some of the changes you will find in the latest version:
- A customized approach is now available for mature organizations to implement and validate PCI DSS requirements, providing them with an alternative and flexible means to achieve their security goals.
- Expanded multi-factor authentication requirements for all access to the cardholder data environment (CDE), not just for administrative and remote access.
- Updated password requirements, including an increase in the minimum length from seven characters to twelve.
- User access privileges must be reviewed every six months.
- Greater focus on controls related to mitigating spear phishing attacks.
- Why are the requirements being updated and when is version 4.0 going into effect?
- As payment methods and related technology and threats evolve, the related standards also need to be updated to reflect these changes. When version 1.0 of the standards was released in late 2004, the methods of accepting payment cards were far more limited than today’s options. Six years later, in 2010, version 2.0 was released, followed by 3.0 in 2013. Since then, periodic updates have been released (e.g., 3.1, 3.2, 3.2.1), leading to the latest major release that was unveiled in 2022: PCI DSS 4.0.
- The previous iteration of PCI DSS, version 3.2.1, will remain active through March 31, 2024, at which time businesses will be required to validate compliance with version 4.0 of the standards. Businesses will have until March 31, 2025, to meet the future-dated requirements of the standards that are considerably different from version 3.2.1.
Meeting the requirements of the latest version of PCI DSS is no small undertaking, so it is imperative that your organization start preparing for it now. Citrin Cooperman can provide you with the resources and specialists you need in order to achieve PCI DSS compliance in an efficient and effective manner.
To get started, speak to a member of our Cybersecurity Practice today or contact Kevin Ricci at kricci@citrincooperman.com.