The PCI Data Security Standard (PCI DSS), the information security standard used by retailers and financial institutions to safeguard sensitive cardholder data, was amended on March 31, 2022, by the PCI Security Standards Council (PCI SSC). The Council claims that PCI DSS v4.0 will “address emerging threats and technologies and enable innovative methods to combat new threats” to cardholder data, particularly by focusing the standard on outcome-based requirements. The previous version was PCI DSS v3.2.1, released four years prior.
Organizations considering implementing the controls of the new PCI DSS 4.0 security standard, as well as those that were already compliant with the previous version but now have to incorporate the latest changes to maintain compliance, have until March 31, 2024. There are more than 200 revisions to the current standard, and some of these changes may result in significant changes to organizational duties. Companies therefore do not have much time and must get moving fast.
However, one can easily be overwhelmed by so many new requirements to follow and understand. This is why we at Akitra have curated this blog to answer the four most frequently asked questions about PCI DSS 4.0. It covers some of the most pertinent issues surrounding this new version of the PCI DSS framework.
Four Most Frequently-Asked Questions About PCI DSS 4.0
- Why is it going to be more challenging to adapt to the new PCI DSS 4.0 version than to its previous updates?
Incorporating more than 200 changes, PCI DSS v4.0 is a significant step up from the prior version, as the new major version number suggests. One hundred and four of these changes are simple adjustments to wording, definitions, and guidance.
Another 64 changes reflect the need to keep up with new threats and technological advancements, among other growing requirements. These include updates such as improved password requirements or authorization processes and new or modified requirements, testing procedures, and upgrades.
PCI DSS 4.0 also includes 53 structural or format modifications. These are fundamental modifications to the standard itself, including content reorganization and the grouping, separating, and renumbering of the 12 requirements. The most important of these structural changes is the introduction of an alternative route to compliance. Mature organizations will now be allowed to use a customized approach in addition to the conventional defined approach, giving them more flexibility in satisfying security objectives.
- How are customized approach controls different from compensating controls?
Customized Approach controls are very different from Compensating controls.
Customized Approach controls: these are defined for businesses that have established risk management procedures and decide to implement controls that differ from the stated requirement but still achieve the objective of that requirement. To qualify for a customized approach, the business must ensure that the third-party contractor has excellent knowledge, a high level of security maturity, and risk management practices in place.
Compensating controls: these may be considered when an entity cannot meet a PCI DSS requirement as stated because of valid and documented technical or business constraints, but has sufficiently reduced the risk associated with the requirement by implementing other controls. Processes and controls must be in place to ensure that the compensating controls keep functioning after the assessment is finished, so that compliance is maintained.
- How have the Risk Assessment requirements changed since the previous PCI DSS update?
Version 3.2.1 mandated that the risk assessment be conducted annually and be based on a risk assessment methodology that has gained industry acceptance. Beyond the requirement that it occur at least once a year, little further guidance was given.
Many of the other requirements in version 4.0 rely on the risk assessment. In version 4.0, most requirements that specify that a task must be completed regularly tie the choice of how frequently the task must be completed to a targeted risk assessment.
One example is the use of terminals or other devices that physically interact with the credit card during card-present payment transactions. Businesses that use them are required to perform periodic tamper-prevention inspections on those devices. But what exactly does periodic mean? Your risk assessment must determine what periodic means for your organization.
These requirements are tied to the risk assessment requirement itself, which states that you must conduct one at least once a year. Those risk analyses should therefore also answer questions like “How frequently do I perform tamper inspection reviews on my terminals?”
If you are currently doing a risk assessment for PCI DSS version 4.0, you should carefully review all of these supplementary requirements related to the risk assessment and ensure that your assessment addresses each one.
- If an organization hasn’t adhered to compliance regulations under PCI DSS v3.2.1, should it be worried about complying with PCI DSS 4.0?
It mainly depends on how your systems are organized, how close you are to achieving compliance, and how soon you must verify compliance; if it is soon, stick with 3.2.1.
But version 4.0 is advised if you are completely new to PCI DSS and have the time. Remember that you have three years to complete the future-dated requirements, some of which are more difficult. If you fall under an SAQ (self-assessment questionnaire) for compliance certification, you will need to wait a little longer to see what those look like.
PCI DSS Compliance with Akitra!
Establishing trust is a crucial competitive differentiator when prospecting new SaaS businesses in today’s era of data breaches and compromised privacy. Customers and partners want assurances that their organizations are doing everything possible to prevent disclosing sensitive data and putting them at risk, and compliance certification fills that need.
Akitra offers an industry-leading, AI-powered Compliance Automation platform for SaaS companies. Using automated evidence collection and continuous monitoring, together with a full suite of customizable policies and controls as a compliance foundation, our compliance automation platform and service helps our customers prepare for PCI DSS compliance, along with other frameworks such as SOC 1, SOC 2, ISO 27001, ISO 27701, ISO 27017, ISO 27018, HIPAA, GDPR, CMMC, NIST 800-53, NIST 800-171, FedRAMP, and the CIS AWS Foundations Benchmark. In addition, companies can use Akitra’s automated questionnaire product to streamline and expedite security questionnaire response processes, delivering large cost savings. Our compliance and security experts provide customized guidance to navigate the end-to-end compliance process confidently.
The benefits of our solution include large savings in time, human resources, and cost, including discounted audit fees with our audit firm partners. Customers achieve compliance certification quickly and cost-effectively, stay continuously compliant as they grow, and can become certified under additional frameworks using a single compliance automation platform.
Build customer trust. Choose Akitra TODAY!
To book your FREE DEMO, contact us right here.