Need to Know 

  • As of April 1, 2024, the PCI DSS 4.0 standards have become best practices for processing credit card transactions, with 51 new requirements slated to become mandatory by March 31, 2025.
  • Key changes in PCI DSS 4.0 include the necessity for enhanced security documentation, better internal assessments, frequent hardware and software reviews, multi-factor authentication, automated log monitoring, and improved key and certificate management.
  • The time gap is meant to help organizations ease the transition by prioritizing urgent updates and devising a plan with timelines for system assessments.

If your business processes credit card transactions, you must comply with version 4.0 of the Payment Card Industry Data Security Standard (PCI DSS 4.0) as of April 1, 2024.

With hefty fines for those who don’t make the necessary updates, and even more changes planned for 2025, it’s essential for all organizations with an eCommerce element to have a compliance strategy in place.

Keep reading to learn what PCI compliance entails, what’s changed in the latest iteration of the standard, how to start implementing the changes, and to get a timeline for future impending updates.

What is PCI DSS compliance?

The Payment Card Industry Security Standards Council (PCI SSC) sets the requirements merchants and businesses need to follow in order to securely process and store customer information for credit card transactions.

In order to decrease the instances of fraud and the chance of data breaches, organizations must follow the global technical and operational specifications set out by the Council in the Payment Card Industry Data Security Standard (PCI DSS). 

Adherence to the PCI DSS is a contractual obligation between the enterprise and the financial entities that process card payments on behalf of merchants.

The changes to the latest iteration of this standard, the PCI DSS 4.0, are meant to protect cardholder data by keeping pace with new types of threats that have emerged due to the continuous evolution of payment technologies.

How has the standard changed with the release of PCI DSS 4.0?

PCI DSS 4.0 introduces 51 new requirements, which will become mandatory on March 31, 2025. 

The updates mirror the ways technology, consumer habits, and payment methods have changed over time, and as a result, the revised standards contain numerous updates aimed at addressing emerging risks within the payment card industry.

Some of the most significant changes include the need for:

Improved security documentation and response

PCI DSS 4.0 mandates that every business processing credit card payments must promptly detect and respond to failures of critical security control systems.

Organizations will also need to conduct security awareness training to teach employees about potential vulnerabilities and threats, proactively protecting cardholder data from phishing and other socially engineered cyber attacks. 

Additionally, IT teams will need to run the security awareness program at least once every 12 months, updating it as needed.

Better internal assessments

Organizations will be required to conduct targeted risk analyses to determine how frequently periodic log reviews should be conducted for system components, and how often incident response personnel need to participate in training. 

More frequent hardware and software reviews

The standards require a software and hardware review at minimum once every 12 months to ensure that businesses are using the most up-to-date technologies. 

Required multi-factor authentication and passwords

In order to build on authentication requirements, the new standards mandate multi-factor authentication for all users accessing cardholder data, extending beyond administrators. 

Additionally, password length requirements have been raised from 8 to 12 characters. 

Furthermore, organizations now have the flexibility to dynamically analyze the security posture of accounts to determine access to resources in real time, as an alternative to mandatory password rotation every 90 days.

Automated log monitoring

Constant system monitoring is now mandatory to promptly detect and address any potential security breaches.

Improved key and certificate management

The revised standard requires organizations to maintain a comprehensive inventory of key custodians, cryptographic keys, and relevant expiry dates. 

Additionally, organizations must manage an inventory of certificates, including issuance authority, date, and validity period.
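The inventory requirement above is easiest to satisfy with a record per key and certificate that carries the custodian, issuance authority, issuance date and validity period, plus a routine that flags anything expired, expiring soon, or recorded without a custodian. The following is an added example (not code from the original article or from Northern); the record schema, the sample inventory rows and the 30-day warning window are all constructed assumptions for illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional


@dataclass
class InventoryItem:
    """One row of a key/certificate inventory (constructed schema, not a PCI SSC format)."""
    kind: str                 # "key" or "certificate"
    name: str                 # system or endpoint the item protects
    custodian: Optional[str]  # named key custodian; None means the record is incomplete
    algorithm: str            # e.g. "AES-256", "RSA-2048"
    issuer: Optional[str]     # issuance authority (certificates only)
    issued: date              # issuance / activation date
    validity_days: int        # validity period in days

    @property
    def expires(self) -> date:
        # Expiry is derived from the recorded issuance date and validity period.
        return self.issued + timedelta(days=self.validity_days)


def expiring_within(inventory: List[InventoryItem], days: int, today: date) -> List[InventoryItem]:
    """Items already expired or expiring within `days` of `today`, soonest first."""
    cutoff = today + timedelta(days=days)
    hits = [item for item in inventory if item.expires <= cutoff]
    return sorted(hits, key=lambda item: item.expires)


def incomplete_records(inventory: List[InventoryItem]) -> List[InventoryItem]:
    """Items with no custodian, or certificates with no issuance authority recorded."""
    return [
        item for item in inventory
        if item.custodian is None or (item.kind == "certificate" and item.issuer is None)
    ]


def summarize(inventory: List[InventoryItem], today: date, window_days: int = 30) -> List[str]:
    """Human-readable findings for the periodic inventory review."""
    lines = []
    for item in expiring_within(inventory, window_days, today):
        status = "EXPIRED" if item.expires < today else "EXPIRING"
        lines.append(
            f"{status}: {item.kind} '{item.name}' ({item.algorithm}) "
            f"expires {item.expires.isoformat()}, custodian={item.custodian}"
        )
    for item in incomplete_records(inventory):
        lines.append(f"INCOMPLETE: {item.kind} '{item.name}' is missing a custodian or issuer")
    return lines


# Constructed sample inventory and review date (hypothetical values, not real systems).
TODAY = date(2024, 12, 20)
SAMPLE_INVENTORY = [
    InventoryItem("certificate", "checkout.example.test TLS", "Alice Chen",
                  "RSA-2048", "Example Internal CA", date(2024, 1, 15), 365),
    InventoryItem("key", "PAN encryption DEK", "Bob Ortiz",
                  "AES-256", None, date(2023, 6, 1), 365),
    InventoryItem("certificate", "payment-gateway client cert", None,
                  "ECDSA-P256", "Acquirer CA", date(2024, 3, 1), 730),
    InventoryItem("key", "token vault KEK", "Bob Ortiz",
                  "AES-256", None, date(2024, 4, 1), 1095),
]

if __name__ == "__main__":
    for line in summarize(SAMPLE_INVENTORY, TODAY):
        print(line)
```

Run against the sample data on the constructed review date, the report lists the data-encrypting key that expired in May, the TLS certificate that expires inside the 30-day window, and the client certificate whose custodian was never recorded; in practice the rows would be loaded from the organization's key-management system or certificate store rather than typed in.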

What are the key dates for the PCI DSS 4.0 standards to come into effect?

March 31, 2024 marked the retirement of the previous version of the standard (PCI DSS 3.2.1), and compliance with PCI DSS 4.0 became a recommended best practice. After March 31, 2025, the future-dated requirements become mandatory.

This transition period allows organizations the time to implement upgrades to their technology or processes as necessary.

[Figure: PCI DSS 4.0 implementation timeline chart]

How should organizations respond to the PCI DSS 4.0 changes?

To begin your transition to PCI DSS 4.0, start by checking out the detailed breakdown of what’s changing on the PCI Security Standards website.

Next, you’ll need to identify the updates that your business will require first. Many of the new requirements won’t come into effect until 2025, so it’s a good strategy to prioritize updates based on their urgency. 

Using this information, you should be able to put a rough plan together with timelines for system assessments, updates, and implementations. 

If you identify the need for any platform updates or additional configurations once you’ve defined your compliance plan, don’t hesitate to reach out to our Northern experts for assistance.