How Often Does PCI Compliance Change?
Posted: 26th April 2022 08:33

The Payment Card Industry Data Security Standard (PCI DSS) itself does not change very often; the gap between versions 3.2.1 and 4.0 is about ten years. However, the requirements for complying with the standard change regularly to keep up with the various issues faced by the digital economy.
Compliance Certificates For Businesses
The rule is different if you ask about the validity of a business's PCI DSS compliance. The certificate is valid for one year from the issue date, and a business maintains its compliance by completing a self-assessment questionnaire annually and performing the applicable network scans every quarter.
PCI Compliance Levels
All merchants that process credit card payments must comply with the PCI DSS guidelines. Compliance is mandatory; otherwise, you lose customer trust and face heavy fines. Merchants fall into one of four levels based on their 12-month transaction volume:
- Level 1. Any merchant processing more than six million transactions annually.
- Level 2. Merchants that process between one million and six million transactions within 12 months.
- Level 3. Merchants that process between 20,000 and one million transactions each year.
- Level 4. Merchants processing fewer than 20,000 transactions per year.
How To Become PCI DSS Compliant?
A merchant becomes PCI DSS compliant by meeting the standard's requirements. These include the following actions:
- Install firewalls to protect your systems.
- Secure your system configuration settings and passwords rather than leaving vendor defaults in place.
- Protect all stored cardholder data, including the encryption keys that protect it.
- Encrypt cardholder data in transit over open or public networks.
- Install antivirus software and keep it updated.
- Regularly patch and update your systems.
- Restrict access to cardholder information to employees with a need to know.
- Assign a unique ID to each employee with access to your computer systems.
- Restrict physical access to your workplace and to stored cardholder data.
- Implement logging and a log management system.
- Conduct regular penetration tests and vulnerability scans.
- Maintain documentation and a risk assessment program.
PCI DSS v4.0 was released on March 31, 2022. The core compliance requirements are not fundamentally changed, but the new version tightens the security rules for data protection, including the following:
- Multifactor authentication is required for all employees with access to cardholder information.
- Change the passwords of accounts used to access systems and applications every 12 months.
- Use strong passwords of at least 15 characters that include both alphabetic and numeric characters.
- Review access privileges every six months.
- Enable third-party and vendor accounts only when needed, and monitor them while they are in use.
Now is the time to learn about the changes in PCI DSS v4.0 so you can become familiar with them as early as possible. Threats to cardholder data are always present, so the sooner you implement the security measures and meet all the requirements, the better for your business.