PCI DSS v4: changes, innovations and requirements


Every company, institution or business working with sensitive or confidential client data should treat its security as a primary concern. This is especially important when money and financial security are involved: in modern terms, bank accounts, credit cards and, above all, the system that protects users’ personal data.

Therefore, various means of protection appear, which raises the question of certification, standardization and systematization. This is how PCI DSS came about and spread all over the world. Even though it is a well-known term, you may still ask a natural question: “What is PCI DSS compliance?”, since many things that are a daily matter remain hidden from the naked eye.

To put it briefly, PCI DSS (Payment Card Industry Data Security Standard) is an international security standard that defines how the data used for card transactions and other banking operations must be protected.

PCI DSS creates a lot of demanding work for organizations trying to meet its requirements. It also involves many vital decisions, for instance how to choose the right PCI compliance software vendor. Moreover, it is essential to keep up with the changes in PCI requirements, which are introduced almost every year, and 2022 is no exception. This article guides you through PCI DSS v4.

It is worth starting with the good news: companies do not have to adopt the new version within one year. The migration must be completed by 2024, which means that PCI DSS v3.2.1 will cease to be valid on March 31, 2024. The bad news is that the transition may still cause some difficulties for companies.

PCI DSS v4 was released in the first quarter of 2022. Currently, the official team is working on translating the latest edition and publishing it in various countries around the world. During the pandemic, the number of online transactions increased sharply, which in turn led to a significant increase in the amount of personal data online. This has been a boon for fraudsters, which is why new measures have become necessary.

The PCI framework, with its 12 key requirements, has remained unchanged; however, the main focus has shifted to how security controls should be implemented. The goals of the new version are clear and concise: meeting security needs, flexibility, continuity, and improvement of methods and methodology.

Customized implementation has become one of the most notable features of PCI DSS v4. It allows organizations to take into account the intent and purpose of each control and to develop their own program to achieve it. PCI DSS v4 also affects the digital identities used for authentication, which now require stronger security and access control measures. For example, account passwords must be changed every 12 months. In addition, there are new password requirements: passwords must now be at least 15 symbols long and contain both letters and numbers, and they should be compared against lists of known weak passwords.
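The password rules listed above (minimum length, letters plus digits, a known-weak-password check, and a 12-month rotation limit) translate directly into a policy check that an identity system can run at password set time and again during periodic account review. The following is an added example written for this article, not code from the article or from the PCI Security Standards Council; the constants mirror the values the article states and are meant to be adjusted to your own assessment, and the known-weak list is a constructed sample standing in for a real breached-password list.

```python
from datetime import date
from typing import List

# Policy values as stated in the article (assumed defaults for this example)
MIN_LENGTH = 15          # minimum password length in characters
MAX_AGE_DAYS = 365       # passwords must be changed at least every 12 months

# Constructed sample of known-weak passwords (lower-case); a real deployment
# would load a large breached-password list instead.
KNOWN_WEAK = {
    "password123456789",
    "welcome1welcome1",
    "qwertyuiop12345",
}


def check_password(candidate: str, known_weak=KNOWN_WEAK,
                   min_length: int = MIN_LENGTH) -> List[str]:
    """Return the policy findings for a candidate password; an empty list means it passes."""
    findings = []
    if len(candidate) < min_length:
        findings.append("too_short")
    if not any(ch.isalpha() for ch in candidate):
        findings.append("no_letter")
    if not any(ch.isdigit() for ch in candidate):
        findings.append("no_digit")
    # Compare case-insensitively so trivial capitalisation does not bypass the list
    if candidate.lower() in known_weak:
        findings.append("known_weak")
    return findings


def password_is_current(last_changed_iso: str, today_iso: str,
                        max_age_days: int = MAX_AGE_DAYS) -> bool:
    """True if the password was changed within the allowed rotation window.

    Dates are ISO-8601 strings (YYYY-MM-DD), as they would come from an
    account export or an audit log.
    """
    last_changed = date.fromisoformat(last_changed_iso)
    today = date.fromisoformat(today_iso)
    return (today - last_changed).days <= max_age_days


def evaluate_account(candidate: str, last_changed_iso: str, today_iso: str) -> List[str]:
    """Combine the composition checks with the rotation check into one finding list."""
    findings = check_password(candidate)
    if not password_is_current(last_changed_iso, today_iso):
        findings.append("expired")
    return findings


if __name__ == "__main__":
    # Constructed sample accounts: (password, date of last change)
    samples = [
        ("Tr0ub4dor&3-xkcd-2022", "2022-01-01"),
        ("short1", "2022-01-01"),
        ("password123456789", "2021-01-01"),
    ]
    for pw, changed in samples:
        print(f"{pw!r}: {evaluate_account(pw, changed, '2022-12-31')}")
```

Returning a list of stable finding codes rather than a single boolean lets the same function feed both the interactive "password rejected because ..." message and a periodic compliance report that counts how many accounts fail each rule.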

Vendor access to sensitive data has also been restricted: third-party accounts can now be enabled only when absolutely necessary, and their activity must be monitored.

Last but not least, PCI DSS collaborates with payment giants such as Mastercard, Europay and Visa on 3-D Secure, which lets customers authenticate while shopping online.

Transitioning to a new standard can take some time and effort. It should be least painful for merchants, as they should hold as little sensitive data, such as authentication or cardholder data, as possible. That is why the impact of the new PCI DSS v4 on merchants will be insignificant. In short, they will only be required to provide evidence that no cardholder data (CHD) is present within their area of influence.

If you are a merchant and you still hold cardholder data, the question is: why? If you want to keep operating, it is time to take every measure needed to meet the standard. Otherwise, you will find yourself left far behind.

The situation is somewhat sadder for service providers. Because they deal directly with confidential and sensitive information, its storage and processing, most of the changes will affect vendors. Note that the services provided by vendors are not identical, so their situation under PCI DSS v4 will differ as well: some providers perform data operations directly, such as processing or storage, while others are responsible only for its security. It goes without saying that the first group is at greater risk than the second.

At the same time, this does not in any way mean that providers responsible only for data security need not meet PCI DSS. Although many providers do not assess this issue objectively, that can be a big and even fatal mistake. The updated PCI DSS requirements take this issue to a new level: most nonsensical excuses no longer count under PCI DSS v4.

But don’t panic: as mentioned, companies and organizations have enough time to master all the innovations. One of the best tips is to study the update in detail and form a step-by-step plan for adopting it. It is also worth consulting other experts who can help you understand all the nuances and conquer this peak.

