NEWSLETTER
February 02, 2023
With the release of the PCI DSS v4.0 standard Protocol Policy Systems initiated an upgrade exercise for IT Policy Management as a Service to reflect the changes.
PCI DSS v3.2.1 will be retired as at 31 March 2024 at which point PCI DSS v4.0 will be the only active version of the standard. PCI DSS v3.2.1 is valid until 31 March 2024 to allow organisations time to understand the changes in version 4.0, update their templates and forms, and apply the necessary changes to meet the new requirements. By 31 March 2025 organisations must also implement those new requirements identified as best practices in v4.0.
Several changes have been incorporated across the 12 requirements sections of the latest standard.
The PCI Security Standard Council state 4 goals they wish to achieve as a result of releasing v4.0.
Goal 1 - Continue to meet the needs of the payment industry.
Security practices must evolve to meet the needs of the industry as threats change.
Some examples of changes in V4.0 are:
- New updated multi-factor authentication requirements.
- Updates to password requirements.
- New e-commerce and phishing requirements added to address ongoing threats.
Goal 2 - Promote security as a continuous process.
Ongoing security is crucial to protecting payment data from criminal activity.
Some examples of changes in V4.0 are:
- Assigned roles and responsibilities in place for each requirement.
- Guidance added to assist people to better understand how to implement and maintain security.
- New reporting options to improve transparency for report reviewers and highlight areas for improvement.
Goal 3 - Increase flexibility for organisations using different methods to achieve security objectives.
Increasing flexibility introduces more options to achieve a requirement’s objective and supports the further innovation of payment technologies.
Some examples of changes in V4.0 are:
- Group, shared, and generic accounts with exceptions are allowed.
- Targeted risk analyses introduced to help organisations determine the frequencies for performing certain activities.
- A new customised approach method introduced to implement and validate PCI DSS requirements, giving an organisation another option for using innovative methods to achieve security objectives.
Goal 4 - Enhance validation methods and procedures.
Enhancing validation methods and procedures with validation and reporting options supports transparency and granularity.
Some examples of changes in V4.0 are:
- Increased alignment between information reported in a Report on Compliance or Self-Assessment.
- Questionnaire and information to be summarised in an Attestation of Compliance.
If you have an existing suite of IT policies that you have written in-house then they will need to be reviewed. Based on our assessment of the new requirements there is quite a lot of work to be done by affected customers, for example drafting new content and checking that existing content is in alignment with V4.0.
The “new” content (additions or modifications) will comprise of several new best practice statements as well as modifications to existing best practice statements. This is because there are 51 new requirements included for all entities, and 13 new requirements included for service providers (64 in total) in v4.0 as well as several clarifications and rearrangements applied to the existing requirements.
The good news for customers of IT Policy Management as a Service is that we take care of the heavy lifting for you. An online questionnaire will be made available so that you can assess the level and impact of the changes. New policy content will be made available from our policy management software library of best practice statements. Options will be available to select any recommended new best practice statements you wish to add to your existing policies with the ability to apply edits where required.
PROTOCOL POLICY SYSTEMS
Fill in the form or call us on (UK) +44 845 241 0099 or (NZ) +64 9 570 2233