PCI DSS Update 4.0

The Payment Card Industry Data Security Standard (PCI DSS) is a computer security standard to protect sensitive credit and debit cardholder data.

Many organizations that use points of sale and e-commerce must continually deal with external and internal threats (criminal organizations and cybercriminals) that seek to extract personal cardholder data. Additionally, technological advances and changes in the payments industry make it necessary to constantly update the standard, which can also be considered a regulation.

The latest adjustment (to version 3.2.1) of this standard occurred in 2018. However, in recent years, the use of technological infrastructure optimization alternatives, such as the cloud, has brought new challenges to the protection of cardholder information.

As a result, in March 2022, the Payment Card Industry Security Standards Council (PCI SSC) decided to update the PCI DSS standard to version 4.0, to:

  • Ensure that standards continue to meet the security needs of the payments industry
  • Increase flexibility to support different methodologies that are used to confirm payment security
  • Promote security as an ongoing process for cardholders
  • Improve the validation methods of security-related procedures

It is important to note that version 3.2.1 will remain in operation until March 31, 2024. Therefore, if an organization intends to keep using this version, it can do so until that date, but it must prepare and adapt to the new standard.

Consequently, during the transition period to version 4.0, two versions of the PCI DSS standard will remain active in 2023 and 2024. The goal of the transition period is to allow businesses to create a strategy to adapt to the best practices and plan any controls they need to implement until only version 4.0 is active.

Note also that, once version 3.2.1 is retired, there will be a period of adaptation to 4.0: the best practices will remain in force until March 31, 2025, and on April 1, 2025, they will become mandatory requirements for organizations. Keep in mind that PCI DSS is a global standard that applies to different shops and/or suppliers around the world, so this security regulation will become standardized on that date.

At Mazars, we can help you with a variety of PCI compliance services. Contact us and we will find an alternative for you and your business.