Timeline for PCI DSS 4.0 Compliance – First Steps

As we’ve been writing, PCI DSS 4.0 is upon us. We’ve discussed some of the broader changes around the newer versions, but we have yet to dig deeper into the timeline for version 4.0.

This article will discuss the preliminary steps you can take to prepare for the update. With a focus on understanding your IT infrastructure and the impact of the regulations on how you can use it, you can start to get your feet wet with the new standards and some of the curveballs they might throw at you. 


What Is PCI DSS 4.0?

Without getting bogged down in the specifics, PCI DSS 4.0 is the latest update to the PCI DSS standard and has been long in the works. After a few timeline adjustments over the past few years, we’re finally moving past the older version 3.2.1 to a more modern set of standards that can address newer technologies such as cloud-driven eCommerce and mobile device security.

Some of the major changes in PCI DSS 4.0 include:

Many of these changes are layered; some are immediate requirements for version 4.0 certification, and others are considered best practices until their full implementation later.


Timeline for PCI DSS 4.0 as of Third Quarter 2022

The basic timeline for PCI DSS 4.0 right now is relatively straightforward, but it sets a horizon for the retirement of version 3.2.1:


How Are Businesses Preparing for this First Phase?

It’s important not to get stuck on the idea that, because it is early, there is plenty of time to get ready. It’s always preferable to work on something while there is time to get it right, rather than racing a deadline you can’t meet because you waited too long to implement changes.

In these earliest stages, there are a few clear steps to take to get your business ready. These include:


Inventory Affected Infrastructure

One of the core requirements of PCI DSS is for your business to create and maintain an inventory of the IT infrastructure that handles protected cardholder data. This includes servers, workstations, networking infrastructure, mobile devices, removable storage, employees, and third-party vendors.

To support businesses creating their PCI inventory, the PCI Security Standards Council released a scoping guidance document in 2016. It is still the latest version of such an aid and remains a useful reference until (or even if) a newer version is published.

Determine Your Business Type with the Self-Assessment Questionnaire

Depending on your business type and the types of payments you accept, you may be eligible to complete a Self-Assessment Questionnaire (SAQ).


Decide on Standard or Customized Approaches

Highly customized approaches give an enterprise plenty of flexibility, at the cost of a highly unique infrastructure that does not slot easily into the defined PCI DSS standards.

Generally speaking, a good rule of thumb for customized approaches is:

Line Up with an Auditor

You’re going to work with an auditor for your annual validations. Even if you fall into a category where you can provide ongoing self-assessments, a skilled and experienced auditor can ensure that you are not only meeting the minimum requirements but are also prepared to continue down the road to PCI DSS 4.0 compliance.


Stay PCI Compliant with Lazarus Alliance

We work with hundreds of companies that, in one way or another, handle credit card data. They know that, for the protection of customer data and their reputation, as well as their ability to do business, they must stay compliant with the latest version of the PCI standards.

If you’re ready to kick-start your path to PCI DSS 4.0 compliance, Lazarus Alliance is the experienced security firm to support you the entire way.


Are You Thinking Ahead for PCI DSS 4.0?

Call Lazarus Alliance at 1-888-896-7580 or fill in this form. 