The new PCI DSS v4.0 has arrived

31 March saw the long-awaited launch of PCI Data Security Standard v4.0. Having been developed over the last few years, with much collaboration with members of the card payment industry, the launch of the new standards was delayed from autumn last year due to the pandemic.

A lot has changed since the original standard was created in 2004, with the most recent update taking place in 2015. Major developments in payment channels, smart devices and open banking, as well as new legislation including Strong Customer Authentication (SCA) and GDPR, have completely changed the payment landscape and ecosystem for consumers as well as businesses.

What is different about PCI DSS v4.0?

The standard has been revised to better align with the developing nature of the payments industry and the fast-changing behaviours and threats posed by cyber criminals. The main aims of PCI DSS v4.0, compared to previous versions, are:

  • To meet the security needs of the payment industry – expanding the requirements to implement multi-factor authentication (MFA) and updating password requirements for all access into the cardholder data environment.
  • To promote security as a continuous process – with clearly defined roles and responsibilities for addressing each of the requirements.
  • To add flexibility for different methodologies – giving organisations more freedom to use different methods to achieve the security objectives and to adopt innovations in payment technology.
  • To enhance validation methods and procedures – making the process of reporting on compliance easier and more transparent.

What does your business need to do to comply with new PCI DSS v4.0?

Many businesses opt for self-assessment when it comes to PCI compliance. For those businesses that handle this process internally, the onus will be on them to ensure that their card payment systems adhere to the new standard, which may require technical expertise depending on the resources available. The good news is that the PCI SSC is allowing time for organisations to get to grips with the changes and implement updates, with the existing standard remaining active and running concurrently with v4.0 until March 2024.

For businesses that have chosen to outsource their card processing to a third-party service provider (like PCI Telecom), the process is much simpler. The service provider, which holds responsibility for PCI compliance, will update its systems in line with the new standard, with little input or resource required from the business.

At PCI Telecom we create card payment processing solutions that meet the needs of your business, whatever its size and budget. Our solutions are cloud-based, so there is no need for expensive equipment, and they can be used for all card-not-present payment channels, including over the phone to a live agent, via automated IVR, online and through webchat. Most importantly, our solutions are PCI DSS v4.0 ready, with end-to-end encryption, so you can rest safe in the knowledge that your payment process always adheres to the guidelines, even when changes are made to them, protecting the business and your customers from cyber-attack and data breach. Find out more by visiting our Solutions page or get in touch with us here.