PCI DSS v4.0, are you up to date?

The field of telephone card payments is not standing still; on the contrary, it is evolving at full gallop. On the one hand, there is its growing popularity among users, who are increasingly demanding it; on the other hand, fraudulent threats are increasing and becoming more effective at the same rate as this success.

As security must keep pace with usability and security, the PCI SSC (or PCI Security Standards Council) has launched PCI DSS v4.0 in March 2022, the latest version of its standard for secure card payments. In this text we briefly present the changes and novelties.

The standard, its raison d’être (and the need for renewal)

The room for improvement in the standard has been expanded since 2018when the previous version was updated, due to two factors: technological evolutions are significant and very fast; and the number of industries, business models and companies implementing secure card payment solutions is growing like crazy.

Thus, new challenges necessarily arise for secure card payments in the near future, as the PCI explains in its press release launching DSS v4.0. At PAYby CALL we will continue to be PCI DSS certified  to guarantee our customers the security of their user data in the context of a smooth and efficient service.

Four clear objectives and essential changes

The new main objectives are as follows:

  • Meet the security needs of the card payment industry.
  • Make security a continuous process.
  • Make the options for different payment methods more flexible.
  • Improve the validation mechanisms for the different requirements.

As you can imagine, making a generational leap in this kind of thing involves complex changes that include new clarifying guidance, structural modifications and above all evolutions in operating and safety requirements and procedures (whether to add new ones, revise existing ones or replace them). Highlights:

  • Security needs: double authentication factor, updated passwords, new anti-phishing practices.
  • Continuous process: better defined roles and responsibilities, better usage guidelines, deeper and more transparent reporting.
  • Flexibility of options: diversified permits, specific risk analysis, customized approach.
  • Validation mechanisms: alignment between self-analysis questionnaires and compliance certifications.

A standard in constant process of improvement

Perhaps the strength of this latest version of the standard is that it relies on feedback from the industry itself. With more than 200 companies providing more than 6,000 comments and three rounds of consultation on the draft, PCI SSD v4.0 is likely to be what the secure card payment industry needs.

At the moment, one quarter after the launch, we are in the first revisions (May 2022) and publications of training and support documents. This shows the dynamism of a continuous improvement process to make the standard fully operational in the face of the progressive emergence of new security requirements.

This opens a two-year transition period during which this version will replace the previous v3.2.1, which will be definitively withdrawn in the first quarter of 2024. This infographic gives you a quick and easy overview of the whole picture, or you can find more information here in the document library.

Are you really interested?

For the true pro, don’t miss the series of training and communication events organized by the PCI SSC starting June 21, 2022. Or you can also contact us with any questions you may have, we will be happy to help you!

Learn about our service