In March 2024, PCI DSS v4.0 will bring several new requirements, and organizations must be prepared for these changes.
As an expert in PCI DSS with over 20 years of experience, I've seen the Payment Card Industry Data Security Standard (PCI DSS) evolve to adapt to the ever-changing landscape of information security. In this article, I will share my insights on the new requirements and their implications for organizations, particularly in relation to third-party service providers (TPSPs).
Who or what is a TPSPs?
According to Visa, a Third-Party Service Provider (TPSP) is any organization that stores, processes, or transmits cardholder data on behalf of another entity, or that can impact the security of another entity’s cardholder data environment. TPSPs play a critical role in ensuring the security of cardholder data and maintaining PCI compliance.
The new requirements that need to be implemented can be combined into four broad requirement groups:
- TPSP Support for Customers' Compliance Requests: Requirement 12.9.2
One significant addition in PCI DSS v4.0 is Requirement 12.9.2, which mandates that TPSPs support customers' requests to provide PCI DSS compliance status and information about PCI DSS requirements that are the responsibility of the TPSP.
In my experience, many TPSPs such as Google or Salesforce typically have a responsibility matrix that defines the responsibilities for all PCI DSS requirements, indicating which requirements lie with their customers and which ones they are responsible for. However, in my experience, not many TPSPs do.
Here's an example of PCI DSS v3.2.1 Responsibility Matrix provided by Akamai.Responsibility Matrix PCI DSS 3.2.1 (akamai.com)
- Documenting Roles and Responsibilities:
The updated standard also introduces requirements for documenting roles and responsibilities for performing activities related to various PCI DSS requirements, including for Requirements 2 to 11.
This change emphasizes the importance of clearly defining responsibilities to ensure that all parties involved in maintaining PCI compliance understand their roles and are held accountable.
- Annual PCI DSS Scope Confirmation: Requirement 12.5.2
Another new requirement, 12.5.2, states that PCI DSS scope must be documented and confirmed at least once every 12 months.
- Targeted Risk Analysis: Requirement 12.3.2
Additionally, Requirement 12.3.2 introduces the need for a targeted risk analysis for each PCI DSS requirement that is met with a customized approach. These changes aim to ensure that organizations maintain a clear understanding of their compliance scope and potential risks, promoting a more proactive approach to maintaining PCI compliance.
Conclusion: Preparing for PCI DSS v4.0
In conclusion, the new requirements in PCI DSS v4.0 emphasize the importance of clearly defining responsibilities, particularly in relation to TPSPs, and maintaining a thorough understanding of compliance scope and risk. From my perspective, the additional requirements are not that difficult to implement but could be complex to create in matrix / complex organisations.
