
PCI DSS v4.0 Standard
What can we expect in 2024?

02.02.2024
Time is moving fast, and there are changes to PCI DSS certification that you should be aware of.
The current version of the standard, PCI DSS v3.2.1, has been in force since 2018 and will be retired on 31 March 2024; from that date the transition to PCI DSS v4.0 takes effect. This is mandatory for organisations that handle payment data. To help with this transition, we have prepared some important recommendations. Please take them into account so that your transition to PCI DSS v4.0 is smooth and free of additional issues.

1. The most important thing you can do is to start your organisation’s transition to PCI DSS v4.0 right now. This is the main recommendation we have prepared for you! The withdrawal date for PCI DSS v3.2.1 is fast approaching, and you need to prepare in advance. The sooner you understand what PCI DSS v4.0 means for your organisation, the sooner you can start planning and prioritising to ensure a smooth and effective transition.

2. As you begin to implement changes to comply with PCI DSS v4.0, it is important to continue to comply with all of the required security measures in the older PCI DSS v3.2.1. Continue to maintain all of your existing PCI DSS security controls, even if your focus is already on implementing the new requirements for version 4.0.
If your organisation is pursuing PCI DSS certification for the first time, plan against the full set of requirements in the updated PCI DSS v4.0 from the outset.

When it comes to understanding the changes in PCI DSS v4.0, the best place to start is by reading the “Summary of Changes between PCI DSS v3.2.1 and PCI DSS v4.0”. This document is located in the PCI SSC Document Library and provides a valuable overview and description of the changes between PCI DSS v3.2.1 and v4.0. It also contains a table entitled “Summary of New Requirements”, which lists all the new requirements, as well as their applicability and effective dates.
In addition to the Summary of Changes, the Standard itself contains a great deal of new and expanded guidance. This additional information will help you better understand the requirements and explains the new concepts introduced in PCI DSS v4.0, such as the Targeted Risk Analysis and Network Security Controls.
Organisations that use the Self-Assessment Questionnaires (SAQs) should also read the Standard, as the detailed guidance provided for each requirement is not included in the SAQ documents. There have also been updates directly to the SAQ, and it is important that self-assessors read their updated SAQ to understand the full scope of the changes.

3. After you understand all the requirements of PCI DSS v4.0, analyse what changes are expected to occur in your organisation. What impact will the transition to the new 4.0 version have on your business processes and IT infrastructure? You may already meet some of the requirements of version 4.0 and be able to prioritise the transition where it is most needed. This focus can save time and money.
A detailed study of the changes is very useful. We recommend that you do so as soon as possible, so that your organisation is better prepared for a successful and efficient transition to PCI DSS v4.0.

4. When transitioning to PCI DSS v4.0, consider which attestation approach is best for your organisation. There are two options: a prescribed approach and a customised approach.
The prescribed approach follows the traditional method of implementing and validating PCI DSS requirements using the requirements and testing procedures defined in the standard.
A customised approach allows organisations to design their own security controls to meet individual requirements. If you are considering a customised approach, make sure you have a good understanding of what is required, and check that your implementation meets the additional risk analysis and documentation requirements before attempting to validate it.
If you are using compensating controls to meet the requirements of PCI DSS v3.2.1, review the updated requirements and attestation options in v4.0 to determine the best approach.
Ultimately, the right attestation approach will depend on your organisation’s security strategy and risk management approach. Carefully consider both options to ensure you choose the one that fits your organisation.

5. When transitioning to the new PCI DSS v4.0 standard, notify all departments involved in the certification process. Make sure everyone knows their role and what to expect. Clearly define responsibilities for the entire certification process.
Effective project management is key to a successful transition. This includes following the action plan and tracking results.
An important tip is to document everything. Establish policies and procedures to support the ongoing and systematic implementation of security controls. There are also some new documentation requirements in PCI DSS v4.0. You should be aware of this fact and take it into account in your work.

6. When implementing all the necessary measures for the transition to the PCI DSS v4.0 standard, it is important to seek help from professional auditors, who will help you quickly pass the compliance certification. Cooperate with a reliable team from IT Specialist, which has many years of experience and an impeccable reputation.
Use technologies and solutions that have been tested and verified for compliance with security standards to protect payment data. The PCI SSC publishes lists of products and solutions validated for PCI SSC standards, including Point-to-Point Encryption (P2PE) solutions, validated payment software and PTS Devices.

7. The best way to prepare for a PCI DSS assessment is to conduct a self-assessment. Preparation for the assessment should begin as soon as possible. The more time you invest in preparation, the more efficient and successful the assessment will be.
Conducting regular self-assessments will help you identify areas for improvement and clarify how you should prioritise the elimination of all deficiencies.
Regular penetration testing will also help to verify that security controls are working on all systems and areas that need to be assessed.

8. PCI DSS v4.0 is designed to support long-term, continuous processes for securing payment data. The additional flexibility introduced in PCI DSS v4.0 allows organisations to choose the security controls that best meet their business and security needs. Organisations that focus on maintaining PCI DSS security controls throughout the year can more easily avoid recurring situations where short periods of compliance are followed by security breaches and emergency remediation each time they are assessed.
By focusing on security as an ongoing process, organisations will gain greater confidence in their PCI DSS v4.0 certification and reduce the risk of cybersecurity issues.

9. Representatives of organisations that have already been certified know that it is quite difficult to maintain PCI DSS compliance over time. IT infrastructure is very similar to a living organism that is constantly changing. Changes need to be monitored in real time. For this purpose, there are various software tools that allow you to track changes in the payment card environment and ensure that all elements of the IT infrastructure meet the requirements of the standard.
We would like to draw your attention to the ITS Inventory software solution, which can be easily integrated into any IT infrastructure without installing additional agents. As a result, IT and security managers receive a single, user-friendly interface to see the current state of compliance and identify deviations with the possibility of correction. It is important to note that the monitoring takes place in real time.
ITS Inventory has the functionality to upload a library of external standards. This automatically checks infrastructure elements for compliance with auditor requirements, identifying both compliant and non-compliant components. The ITS Inventory graphical interface provides a summary report on the degree of compliance, which allows you to quickly identify and fix problems. ITS Inventory’s library of external standards includes all the most popular requirements and standards, such as PCI DSS v4.0, ISO 27001, NBU 95, and NIST CSF. Additionally, companies can add their own standards and requirements to this library.
Automate compliance monitoring with the ITS Inventory software solution.
Use ITS Inventory in preparation for certification, as well as to maintain compliance throughout the year, and save time and resources. This is the most important recommendation we can give you!

We’ve provided you with key tips to help you transition to the new PCI DSS v4.0 standard quickly and easily.
We are sure that you have additional questions regarding the certification process and invite you to consult with the professional auditors of IT Specialist.
