PCI DSS Version 4.0: What should organisations do about it?
Although v4.0 has been published, the PCI SSC is providing a two-year implementation period for organisations to adjust their processes and controls to the new standard. The date for the diary is 31st March 2024, when v3.2.1 will be retired and assessments must be conducted against v4.0 (a number of v4.0 requirements are designated as future-dated and remain best practice until 31st March 2025, after which they become mandatory). In this period, all QSAs (and Internal Security Assessors) will be required to undergo further training with the PCI SSC before they can assess an organisation against the requirements of v4.0.
It is recommended that all organisations with a PCI DSS obligation start preparations as soon as possible. There are several steps an organisation can take now to help prepare:
- Conduct a scoping exercise to confirm that you are meeting the appropriate PCI DSS reporting requirements for your environment, and reduce the scope (for example, by segmenting or removing systems that store, process or transmit cardholder data) where possible.
- Conduct a familiarisation exercise with the new version, including the summary of changes from v3.2.1 published by the PCI SSC.
- Conduct a gap analysis of your current controls against the new and changed requirements, and plan remediation for any gaps found.
- Ensure all relevant stakeholders are aware of the changes and of the timeline for adopting them.
- Engage with a QSA company to assist with your preparations.