2024 is just a few weeks away now, and one of the most significant upcoming changes in the Cybersecurity and Risk world is the new version of the Payment Card Industry Data Security Standard (PCI DSS).
PCI DSS, if you are not aware, is a global technical security standard that applies to anyone who stores, processes, or transmits cardholder data.
If you have worked in Cybersecurity for any number of years, then you will have come into contact with this standard in one form or another.
The existing version 3.2.1 is being retired and replaced with the new version 4.0, which is full of minor and major changes.
Just to make sense of the above diagram, the older version of the standard is valid until March 31, 2024, and then it gets retired.
After that, your audits will start happening against PCI DSS v4 only.
Some of the new requirements of v4 will also not become mandatory until March 31, 2025, and will be considered “best practice” until then.
Either way, if you have not gotten ready yet, you only have a few months before 31st March 2024 to understand and implement the standard.
PCI DSS 4.0 is an extensive change from the previous version of PCI DSS.
There have been a lot of shakeups in terminology, such as “network security controls” replacing firewalls and routers and “anti-malware” replacing antivirus.
A good idea is to review the summary of changes document on the official PCI website.
As I mentioned, some of them are optional until 2025, but creating a tracker of the upcoming changes is a good idea so you are not surprised when they come into effect!
But the most significant change is the new customized approach that has come into effect.