The Payment Card Industry Data Security Standard (PCI DSS) is a long-established benchmark, with version 1.0 published in 2004. It was unusual when it appeared because of its prescriptive nature and its narrow focus on protecting cardholder data. Cybersecurity is a changing landscape, and a prescriptive standard has to be revised to keep pace with it. The previous revision, v3.2.1, dates from 2018, and the world has certainly changed since then.

The new version, v4.0 (published in March 2022), does not take effect immediately for all organizations. The PCI Security Standards Council does not require full compliance until 2025; until then, the new requirements are treated as best practices. As stated on the PCI website:

“In addition to an 18-month period when v3.2.1 and v4.0 will both be active, there will be an extra period of time defined for phasing in new requirements that are identified as “future-dated” in v4.0.”

[Figure: PCI DSS v4.0 Transition Timeline]

While this transition period gives organizations time to adapt to the new requirements, it also means that, for its duration, environments remain assessed against a standard the Council has already judged insufficient. Choosing an implementation time frame for new compliance requirements is a balancing act that cannot satisfy every stakeholder. In a perfect world, most organizations would adopt the best practices before they are mandatory. What does that entail, is it easily achieved, or does the 18-month window foreshadow difficulties in implementation?

Lead with Optimism

I am optimistic that most organizations can meet, or even outpace, the deadline, mainly because many of the updates restructure the individual requirement sections. Rather than dictating a specific technical control, v4.0 generalizes many of the requirements and the specific