What Can Businesses Do Now to Prepare for PCI DSS 4.0?
While PCI DSS version 3.2.1 remains active until it is retired on March 31, 2024, the future-dated requirements of version 4.0 become mandatory in March 2025. Now is the time to prepare for this latest version, which incorporates more than 6,000 items of feedback from over 200 organizations. A central theme in preparing for PCI DSS 4.0 is reducing PCI DSS scope: taking a system out of the cardholder data environment has a greater impact on an organization's effort to meet a requirement than any control it could apply, and shrinking the attack surface makes the organization more secure than keeping the system in scope and bringing it into compliance. I strongly encourage all merchants and service providers to read the Summary of Changes from PCI DSS Version 3.2.1 to 4.0 to understand what has changed and to better prepare for their next assessment.
A Major Change with PCI DSS 4.0
One notable change in PCI DSS 4.0 is the "customized approach." The customized approach is an alternative to the "defined approach," which has been the primary way to meet PCI requirements until PCI DSS 4.0. Under the customized approach, an entity meets the stated objective of a requirement with controls of its own design rather than the controls the requirement prescribes, which allows more flexibility to meet requirements with newer technology stacks. That flexibility comes with additional work: each customized control must be supported by a documented targeted risk analysis and a controls matrix, and the assessor derives testing procedures for it rather than using the standard ones. The customized approach is available only for assessments documented in a Report on Compliance, not for Self-Assessment Questionnaires, and not every requirement is eligible for it. It is an excellent fit for companies with a mature security program and tech stack. For smaller or newer entities, following the defined approach for PCI DSS assessments is recommended.
Author bio: Jonathan McCracken is a Senior Solutions Architect at TokenEx, with over ten years of experience in Cybersecurity and compliance. He is a certified Payment Card Industry Internal Security Assessor (PCI-ISA) and Payment Card Industry Professional (PCIP). McCracken also assists prospects and clients with understanding their PCI scope and payments potential using the TokenEx Platform.