In our last discussion, we explored the evolution of Requirement 1 in the transition from PCI DSS v3.2.1 to v4.0, with a particular emphasis on the move towards ‘network security controls’. As we continue our exploration of the updated PCI DSS v4.0, today’s focus will be on the transformations in Requirement 2.

In the ever-evolving landscape of data security and compliance, businesses must always stay current with the latest industry standards. As 2024 arrives, one such standard that demands your attention is the Payment Card Industry Data Security Standard (PCI DSS) version 4.0. PCI DSS v4.0 is a significant shift in how organizations must approach credit card and payment processing security and compliance.

The Payment Card Industry Data Security Standard (PCI DSS) sets standards to keep the global payment card ecosystem trustworthy. Developed and maintained by the PCI Security Standards Council (PCI SSC), PCI DSS is meant to secure debit and credit card transactions to prevent cybersecurity issues like data theft or fraud. Any merchant or business that accepts customer payment cards and processes this data must comply with PCI DSS requirements.

As we all know, data security is a constantly evolving field, and it’s essential to keep up with the latest standards and requirements. And mark your calendars, because the current PCI DSS v3.2.1 is set to retire on March 31st, 2024. That’s right, the PCI Security Standards Council (SSC) has announced the release of the new and improved PCI DSS v4.0, and compliance with this updated version is mandatory for organizations to maintain data security.

The payment industry is bracing for the transition to Payment Card Industry Data Security Standard (PCI DSS) 4.0, heralding significant changes in cybersecurity practices. As we approach the implementation of this revised standard, a critical focal point emerges: the role and new mandate of web application firewalls (WAFs) in ensuring compliance.

If you recently took a relaxing European vacation and flew Air Europa, check your credit card statement. They are the latest victim of a malicious hack exposing customer credit card numbers, expiration dates, and even the associated stored CCV codes—which contradicts Payment Card Industry Data Security Standard (PCI DSS) regulations.

Even before the pandemic forced most of us to shop online, we were already heading in that direction — an easy transition considering that, according to Experian, each U.S. consumer carries an average of four credit cards from which to choose. However, this increase in credit card usage also brings more significant risks associated with collecting customer data.

2024 is almost here, and that means PCI DSS 4.0 will soon go into effect. The newest version will have some mandatory controls on March 31, 2024, for those who store, process, or transmit card payment data. While its predecessor weighed in at 190 pages, PCI DSS 4.0 is 486 pages and includes 63 new security controls.

Data classification is essential for achieving, maintaining and proving compliance with a wide range of regulations and standards. For example, PCI DSS, HIPAA, SOX and GDPR all have different purposes and requirements, but data classification is necessary for compliance with all of them — after all, you need to accurately identify and tag health records, cardholder information, financial documents and other regulated data in order to protect that data appropriately.

The first deadline for compliance with the Payment Card Industry Data Security Standard (PCI DSS) Version 4.0 is March 31, 2024. If your v4.0 compliance initiative is not already underway, it should be a major priority over the next 2–3 quarters.