The great divide of PCI DSS v4.0: Merchants, are you ready?

The release of PCI DSS 4.0 in early 2022 was much anticipated, and most merchants have already begun the process of preparing for this shift. Along with this release came two significant dates to be aware of. Understanding these dates is vital to establishing or maintaining compliance with the PCI DSS:

• March 31, 2024 – All reporting templates prior to 4.0 are no longer to be used.
• March 31, 2025 – All the “future dated” requirements must be included in all assessments.

It might be tricky to gauge when to make the leap into the new version of the DSS over the next couple of years. Everyone will have unique needs, and our advice is to ensure you are engaging with your QSA earlier than usual to plan for these changes and ensure your acquirer is aware of your plan as necessary.

Knowing the implications is key. Planning for the changes as early as possible is critical.

Understanding the dates

The first date, March 31, 2024, is the stop date when reports on compliance (ROCs) and self-assessment questionnaires (SAQs) will no longer be accepted on the PCI DSS v3.2.1 templates. Conducting a PCI DSS 4.0 assessment, excluding future dated requirements, is approximately 20 percent more involved due to the significant complexity added by certain requirements.

Coalfire has taken feedback to the PCI SSC and the payment brands via our representation on the Global Executive Assessor Roundtable, as our clients are raising concerns about the impact of some requirements.

We expect to see rising costs from third-party vendors (to offset their own compliance costs), assessment costs increases for entities that must update their security controls or don’t leverage compliance automation, and more effort required for self-assessments.

The second date, March 31, 2025, is when all merchants and service providers must demonstrate compliance with the future-dated requirements in PCI DSS 4.0.

These requirements are marked as “best practice until 31 March 2025” in all version 4 standards, templates, and summary of changes documents, which can be downloaded from the PCI SSC document library. Despite the longer timeline, planning for the new requirements should be taken into consideration as soon as possible, since new technology or changes to existing systems may be required.

Organizations planning to finish their assessments report on the cusp of either deadline might run into roadblocks that could impede meeting these deadlines. A few scenarios affecting complexity and cost are:

• If your assessment is planned to begin within three months of the deadline, or if unexpected delays arise causing the assessment to complete after the deadline, the assessment must be migrated to version PCI DSS 4.0 and/or include the future-dated requirements.
• The sunset of the PCI DSS 3.2.1 framework is based on your completion date, not your start date, regardless of the reason that the ROC is completed after March 31, 2024.

Plan your transition

Planning accordingly will minimize any rework by your staff or your QSA. Suggestions to plan for the upcoming transition include:

• Tackle the change head-on. Perform a self-assessment or have a readiness assessment performed to gauge whether you are ready to move forward with the new standard. PCI DSS 4.0 requires much more documentation than before. Take time to review the requirements with your internal subject-matter experts, or engage a knowledgeable third party, such as Coalfire, to perform a readiness assessment. This will ensure you understand the changes, are addressing the updated requirements, and have the necessary documentation ready for your next assessment. This will help you get a head start on any problematic areas.
• Request to move up your filing date. If your start and finish date straddle the March 31, 2024 deadline, you could approach your acquirer with a request to move your filing date earlier and thus avoid the risk—and rush—of the 2024 deadline. Typically, merchants strive to push audit activities out of the fourth quarter due to busy holidays, but it might make sense to seek permission from your acquirer to pull the assessment period into the first quarter of 2024 to fall cleanly on the 3.2.1 side of the dividing line. This also takes advantage of a slower first quarter and allows for one extra assessment under version 3.2.1, as well as an extra cycle to implement the future-dated requirements (by ensuring your next assessment is performed before March 31, 2025).

Leverage Compliance Essentials

As noted earlier, without compliance automation, the transition could be more costly in both preparation and assessment. Coalfire has specifically designed Compliance Essentials to help customers manage their compliance programs prior to the assessment, including transitioning to new frameworks.

It even goes one step further to offer automation capabilities for those running on cloud infrastructure platforms such as AWS, GCP, and Azure or using cloud offerings for Identity and Access Management. Merchants can now automatically collect required evidence, map evidence to each requirement–even between the old and new standard or across multiple frameworks–and enter the assessment with their artifacts ready for assessor review.

Compliance Essentials is a great way to ensure you understand the requirements and get ahead of any future changes that may impact your compliance.

Whatever approach you use, planning and preparation are essential to avoid additional costs, reduce frustration, and manage risk associated with this change.