PCI-DSS v4.0 has been a long time coming, and now its release is fast approaching. What do you need to know, and will your company be ready? October’s Global Community Forum revealed key details about the release of the latest version of PCI.
The conference dedicated a session to providing a preview of coming attractions. Presenters talked about what’s coming with v4.0, gave a sneak peek into some new PCI DSS requirements, and revealed how the Report on Compliance Template, Attestations of Compliance, and merchant self-assessment approach are evolving.
Here’s a quick breakdown of the things you need to know right now.
Release Dates for PCI 4.0
PCI v4.0 has gone through multiple rounds of comment and input. The next step is to release 4.0 to Assessors and participating organizations in January 2022. The formal public release is slated for March (the exact date is still unknown). The purpose of the preview period is to give stakeholders additional time to familiarize themselves with version 4.0 of the standard before it’s officially launched.
The plan is to release the public reporting and documentation several months later; training for Assessors to support PCI DSS v4.0 is targeted for June 2022.
Self Assessment Questionnaire Overhaul Isn’t Part of 4.0 Initial Release
Some of the expected changes will be coming in a later release. Specifically, this includes a new approach for SAQs that leverages a Merchant Assessment Form (MAF). The committee decided to hold off on implementing those updates because too many people still had questions and open items requiring resolution. Instead, the initial release is expected to include updates to the existing SAQs and the associated AOC documentation.
The adjustments they were going to make to the self-assessment questionnaire process, along with the contemplated MAF implementation, are likely to be released as a point release later in 2022.
Adoption Deadline for PCI 4.0
Whenever PCI is updated, there’s a period of time when the existing standard and the new standard operate simultaneously. During that time, you can confirm your compliance against either version. But there’s a deadline when you can no longer use the previous version and the new one is enforced.
That adoption deadline has been pushed back. Typically, the new version of PCI is enforced two years after the release date. In this case, the committee decided to extend it another year, to 2025.
Planning Your Transition to PCI 4.0
Having a three-year window raises the question: when should you convert to PCI 4.0? It comes down to the present state of your organization against the new standard. How well do you already fit the new set of requirements, and what will it take for you to confirm compliance with PCI 4.0?
As soon as the update is released, get familiar with PCI v4.0. Get to know the new elements and see if you have coverage for them already so you know how your organization stacks up against the new standard.
The decision to go up against 4.0 depends on your organization’s circumstances, and the decision process is fairly complex. A lot of it depends on your annual recertification date. If your recertification happens in Q3, you’ll only have a few months to prepare. In that case, it probably makes more sense to go up against version 3.2.1 in 2022 and switch to 4.0 in 2023.
Generally, it’s best to make the switch as soon as you can without killing yourself in the process. The closer you get to the adoption deadline, the more pressure you’ll face to be in compliance with the new version of PCI. If you’re a service provider to organizations, your clients will certainly want you to be compliant with the new standard as soon as possible to support their compliance efforts.
TCT Portal Helps with the Heavy Lifting
If you’re already using TCT Portal, you’ll be glad to know that the mappings from 3.2.1 to 4.0 will be automatically implemented for you. The migration of data from a 3.2.1 track to the 4.0 will be very straightforward. TCT will assist our clients with the migration process as soon as we have the 4.0 tracks established, and the mapping process in place.
If you’re using spreadsheets or a homegrown system to manage compliance, you’ll need to go in and retool your entire system. In essence, you’ll be working double-time as you get your organization ready for the new PCI requirements while also overhauling your compliance management tooling. If you’re relying on the homegrown systems of your existing Consultant or Assessor, you’ll be waiting on them to finish staging their systems for 4.0.
If you dread the mere thought of facing that, you can avoid all of the toilsome manual labor or waiting. TCT Portal comes with everything you need to transition to PCI 4.0. You won’t have to lift a finger to update your compliance management system. And TCT Portal is priced to make your purchase a no-brainer.
We’re less than six months away from the public release of PCI v4.0, and that time will fly by before you know it. Count on TCT to keep a finger on the pulse of events and to keep you informed of the details you need to know.
Have questions about preparing for PCI 4.0? We’re here to help. Contact us today.