Payment Card Industry Data Security Standard (PCI DSS) is a set of comprehensive requirements designed to safeguard cardholder data and ensure secure transactions. Any business processing online transactions must comply with this standard. Compliance with PCI DSS is not just a regulatory necessity but also a crucial step in building trust with customers and avoiding costly data breaches.
There are many facets of compliance involving your payment processor, your eCommerce technology, and the credit card companies themselves. While the scale of your business defines the exact extent of your responsibilities, it is critical for all online businesses to understand how best to meet their compliance requirements.
With the release of PCI DSS version 4.0, businesses must adapt to new and enhanced security measures to stay compliant. This updated standard aims to address emerging security threats and technological advancements while also providing greater flexibility in achieving compliance. This article will guide you through the key changes in PCI DSS 4.0, focusing on practical steps for achieving compliance, especially for those businesses in the SMB space.
The PCI DSS compliance framework classifies merchants into different levels based on their annual transaction volume. Each credit card processor—such as American Express, Visa, and Mastercard—sets specific criteria for these levels, with requirements that generally increase as transaction volumes grow.
In a typical eCommerce website's PCI DSS compliance, several entities play crucial roles. It is often the case that the merchant’s role could be quite small compared to that of the other players. Here’s a breakdown of the key players involved:
All these entities must work together to ensure that the entire payment ecosystem is secure and compliant with PCI DSS standards.
While each credit card organization has its own specific classifications, here we present those used by American Express to give a general idea of where your business might fall. For reference, these details come from American Express’ Digital Security Operating Policy.
As transaction volumes increase, the level of scrutiny and the number of security controls required also escalate. Higher levels demand more rigorous security measures and more frequent validation checks to ensure the protection of cardholder data. This tiered approach helps tailor compliance efforts to the risk associated with the volume of transactions processed, ensuring that businesses with higher transaction volumes implement more stringent security protocols.
By understanding these levels and their corresponding requirements, your business can better prepare its compliance efforts and ensure it meets all necessary criteria to protect customers' payment information effectively.
PCI DSS 4.0 introduces several key changes designed to enhance security and provide more flexibility for businesses in achieving compliance. These changes are crucial for maintaining a robust security posture in an evolving threat landscape.
While many of these requirements will fall upon your payment processing solution provider, it is important for merchants to obtain verification of the provider's compliance while also ensuring their own internal systems are similarly protected.
To accommodate the diverse range of businesses and their unique security environments, PCI DSS 4.0 provides greater flexibility in how compliance objectives are achieved. This includes allowing businesses to use customized approaches to meet the standard's security objectives, provided they can demonstrate that these methods are as effective as the prescribed controls.
As described above, your transaction volume will define the requirements that apply to your business. No matter what your classification, it is your responsibility to work with your selected technology and service providers to validate your comprehensive compliance.
PCI DSS 4.0 emphasizes the need for continuous compliance rather than periodic validation. This shift is designed to ensure that security controls are maintained and monitored on an ongoing basis, helping businesses to detect and respond to security incidents more effectively. Continuous compliance includes regular security assessments, real-time monitoring, and automated tools to manage and report on compliance status.
For Level 3 and 4 merchants — businesses processing between 20,000 and 1 million eCommerce transactions annually (Level 3) or fewer than 20,000 eCommerce transactions annually (Level 4) — the updates in PCI DSS 4.0 bring several specific implications and requirements.
For the purposes of this article, we consider small to mid-sized merchants to fall into the Level 3 and 4 classifications (as a point of reference, under the Amex criteria these are businesses with no more than 50,000 American Express transactions in a given year). While PCI DSS assessment and reporting requirements for SMBs may or may not be deemed mandatory by the credit card processor, liability for compliance still remains. As the American Express DSOP explains:
Important Note: For the avoidance of doubt, Level 3 and Level 4 Merchants need not submit Validation Documentation unless required in American Express’ discretion, but nevertheless must comply with, and are subject to liability under all other provisions of this Data Security Operating Policy.
For this reason, it remains important to understand some of the recommended steps to validate compliance.
An annual Self-Assessment Questionnaire (SAQ) helps businesses assess their compliance with PCI DSS requirements without the need for a full on-site audit. PCI DSS 4.0 includes updated SAQs that reflect the new requirements and provide more detailed guidance on how to achieve and document compliance.
Quarterly network scans by an Approved Scanning Vendor (ASV) help identify vulnerabilities in the network that could be exploited by attackers. PCI DSS 4.0 emphasizes the importance of these scans and requires that any identified vulnerabilities are promptly addressed and mitigated.
While rarely required for Level 3 or 4 businesses, annual compliance validation may be a requirement for specific businesses in specific industries. Annual compliance with regard to PCI DSS 4.0 involves completing the relevant SAQ, conducting the necessary scans, and maintaining thorough documentation of compliance efforts each year.
By understanding and implementing these changes, Level 3 and 4 merchants can better protect their customers' cardholder data, enhance their security posture, and ensure compliance with the latest PCI DSS requirements. This proactive approach not only helps in avoiding penalties but also builds trust with customers, ultimately contributing to the business's success.
Transitioning to PCI DSS 4.0 involves understanding and adhering to several key dates and deadlines. This section outlines important milestones and suggests a phased implementation approach to help businesses ensure timely compliance.
PCI DSS version 4.0 was published on March 31, 2022. To allow organizations sufficient time to transition from PCI DSS version 3.2.1 to 4.0, the Payment Card Industry Security Standards Council (PCI SSC) provided a transition period.
PCI DSS version 3.2.1 was retired on March 31, 2024. As of this writing, all organizations must fully comply with PCI DSS 4.0 requirements.
That being said, some new requirements introduced in PCI DSS 4.0 are considered best practices rather than requirements until March 31, 2025. After this date, those best practices become mandatory requirements. This phased approach allows businesses to gradually implement the new controls while continuing to meet current compliance obligations.
For businesses seeking expert guidance in the area of PCI DSS, there are a number of specialized firms or individuals that can help review the PCI DSS requirements specifically relevant to your business. Further, many of these consultants can provide services to ensure applicable requirements are adequately met. Services typically include risk assessments, compliance audits, and security policy development. Without endorsing any particular company, here are a few we are aware of: Trustwave, ControlScan, SecurityMetrics.