Select Page

The Payment Card Industry Data Security Standard (PCI DSS) is focused on protecting cardholder data. As fraud and cybercriminals evolve, so must the standards by which organizations secure data, which is why we’re in a phase of PCI DSS v4.0 Transition.

The aim of the PCI Security Standards Council is for PCI compliance to be adopted into day-to-day operations as opposed to a yearly task. By treating PCI compliance as an ongoing practice, organizations can reduce business risk and improve security. 

The PCI DSS continues to evolve since its introduction in 2004, with the latest update happening in 2018. However, the new version, 4.0, will roll out with the expectation of full compliance by 2025. We look at some of the key things to know during the PCI DSS v4.0 transition. 

Focus on Secure Configuration Management

The previous version of the PCI DSS was largely focused on singular topics like passwords and the like. The newer version takes a broader approach to requirements, emphasizing secure configuration management, which can include things like vendor-supplied default passwords. 

Again, the goal is not to treat compliance as an annual task to check off, but rather to incorporate secure configuration management into routine operations and business processes. This means that, while technical configurations are still important, the focus should be on a mindset that embraces secure configuration management. So every time new procedures or processes are created, organizations should consider how they can be more secure and compliant with the PCI standards. 

Embrace an Organizational Approach

For organizations that have found themselves scrambling to complete audits, this shift should be welcomed. While “point in time” audits can be helpful, the new focus is on broader security processes rather than compartmentalized ones. Rather than assigning certain technical controls across different departments, organizations should consider centralizing security and compliance responsibilities via GRC teams or another similar approach. Again, the focus is on filtering all operational processes through the security and compliance lens, regardless of department or responsibility. With an onslaught of emerging and constant threats, reliance on singular audits is no longer a viable security approach. 

Cardholder Data is Now Account Data

Some wording has changed in the new standard, including the switch from “cardholder data” to “account data.” Account data seems more general, meaning there may be a broader impact for organizations. To give a more concrete example, the new standard would apply to data, even data that is stripped of card number information. In other words, stripped data storage is now held to the same standard as a full data set, likely increasing the scope of PCI audits. 

Getting Familiar During the PCI DSS v4.0 Transition

The transition period is meant to allow organizations to get familiar with the changes present in v4.0 while making the necessary update to reporting templates and planning for organizational changes that will allow them to meet the updated requirements. 

At Arrow Payments, we understand how complex PCI compliance can be. Our seasoned team of payments professionals is experts at providing guidance and recommendations as you navigate the PCI DSS v4.0 Transition. If you would like to speak to someone about your unique scenario, please contact us today

Thought Leadership

Recent Insights

Check out the latest trends and reports from Arrow Payments.

Guarding Against Payments Fraud

Guarding Against Payments Fraud

Payments fraud is a serious and ongoing challenge for treasury practitioners, requiring an increasing amount of vigilance and foresight. According to the 2023 AFP Payments Fraud and Control Survey, 65% of organizations reported being victims of payments fraud in 2022,...

Cultivating Emotional Intelligence in Leadership

Cultivating Emotional Intelligence in Leadership

We’ve discussed how emotional intelligence (EQ) makes you better at business. We’ve even talked about how EQ and payments are tied together. This article explores why EQ is crucial for leaders to possess. Yes, technical skills and a strategic mindset are valuable...

The Digital Campus Payments Imperative

The Digital Campus Payments Imperative

Higher education institutions are increasingly transitioning to digital campus payments – and with good reason. The move is primarily driven by evolving student preferences, though the need for enhanced security and better efficiency are factors, too.  Digital campus...

Gain Visibility into Your Higher Education Payment Systems

Find out what’s happening in every department and start building solutions that address fundamental needs.

Start My Discovery