It was a whirlwind of 3 days of video presentations and key note speakers. Rolling with the changes brought to the world by a global pandemic, the PCI Security Council put on an excellent worldwide community gathering. 

Here are my 8 takeaways. Buckle up folks…PCI DSS v4.0 is coming!

  • Passwords requirements are changing and none too soon. If you haven’t moved away from the 7 minimum alpha/numeric characters in requirement 8.2.3, now is the right time. Passwords are moving to 12 characters. 
  • As evidence by the rise of e-commerce fraud happening in this space, there will be more e-commerce controls. 
  • It’s long overdue but in version 4.0, merchants will need to have access controls around system accounts.
  • Near and dear to my heart — SCOPE is *finally* not just a definition! Merchants will be required to provide accuracy of scope annually and upon significant change. At Payment Card Assessments, we have best practices around scope that if you are following what we recommend, this upcoming change won’t have a significant impact on your PCI Compliance program. If you need help getting your arms around what’s in scope for your organization, call us. We can help you make sense of your scope.
  • There will be flexibility in how requirements are assessed BUT (and it’s a big but), this flexibility is for merchants with a mature PCI DSS Compliance program. The “customized” approach to assessing requirements supports innovation and risk mature merchants. The traditional method of assessing compliance will remain as well as compensating controls in the event a merchant can’t meet the requirement due to valid business or technological reasons.
  • PCI DSS v4.0 will be released to the public in March 2022. And that feels like yesterday. 
  • The v4.0 timeline accommodates future dated requirements. Merchants will have time to either remediate or implement. Don’t wait until the last minute. Get in front of future dated requirements as quickly as possible.
  • There will be more documentation. A lot more. 
    • More FAQs
    • More guidance docs
    • Updated methods and procedures
    • Streamlined attestation documents
    • Customizable cover pages for the Report on Compliance

What You Can Do Right Now To Prepare for PCI DSS v4.0

  • Take our PCI Compliance Maturity Assessment to find out your current level of maturity. Depending on your rating, you may need help getting your current PCI DSS Compliance program up to par. We can help.
  • If your PCI DSS Compliance program is robust and mature, keep doing what you’re doing. Maintain your continuous compliance model and begin preparing to complete a gap assessment beginning in April 2022. Payment Card Assessments can help with your v4.0 gap assessment.

Our 2022 PCI dance card will fill up fast. Now is the time to schedule a call and see if we’re the right partner in PCI for you.


Discover more from Payment Card Assesments

Subscribe to get the latest posts sent to your email.

Firewalls and Routers: How to Take Control of Unruly Firewall Rules, Configurations and Network Connections

Best Practice: Developers and system administrators request changes to firewall rule sets all the time. Whether it’s to do work on system components or test system components, these changes can make a mess out of your rule sets. It’s so easy for someone to unintentionally request an “any” rule which is prohibited in the cardholder data environment. Our best advice is to insert your ISA or someone on the compliance team into the firewall rule change review.

Leave a Reply

Discover more from Payment Card Assesments

Subscribe now to keep reading and get access to the full archive.

Continue reading