PCI DSS 4.0: Order your rocket-boosters for April onwards


8 Jan 2024

How’s your diary looking for Spring 2024? For anyone involved in contact center security around payments, life could suddenly hit warp speed. Here’s what you need to know.

Easter Sunday (March 31) will be a key moment in the evolution of secure payments for contact centers. The old security standard – PCI DSS v3.2.1 – will retire and the stronger, tougher PCI DSS v4.0 will become mandatory.

Meeting the compliance deadline is a moment for modest applause and high-fives for merchants. Many will have spent several years getting their teams and systems ready. But in truth, March 31 isn’t so much an end as the beginning of something far bigger. Compliance teams will need to buckle up, set their coordinates, and hit warp speed.

Here are three important facts to bear in mind.

1: The 2024/25 compliance workload is far more substantial

While only 13 changes were required of merchants this Easter, another 51 must be met by March 31, 2025. Many of these were previously positioned as ‘best practice’, but they will become mandatory and will be assessed in full as part of a PCI DSS assessment.

The sheer number of new requirements could feel overwhelming. Completing one change per week, for example, would only just be enough to squeeze through before the deadline.

Many brands will have been following the PCI Security Standards Council’s helpful Prioritized Approach to Pursue PCI DSS Compliance. It’s essential to plan for a steady flow of milestones throughout 2024 and beyond, so the readiness program is manageable.

It’s also important to be aware that compliance efforts won’t stop in March 2025. The new standard aims to usher in a permanent change in which compliance becomes a business-as-usual activity, so the new requirements need to be hard-wired into everyday processes and business mindsets.

2: Compliance must be a collective effort

When data breaches happen, virtually everyone is affected at some level. With PCI DSS 4.0, there’s a sense that everyone is responsible and will be held accountable for security – if they carry out a role that’s relevant. In other words, PCI DSS compliance cannot be considered a fringe topic. It’s at the heart of customer service and revenue.

Merchants must list roles and responsibilities for all activities and ensure they are documented, assigned, and understood. The roles listed will vary between organizations because of different set-ups. Typically, those named will include members of the C-suite, Chief Information Security Officers (CISOs), information security teams, compliance leaders, IT directors, and contact center managers. This is where the buck stops in a corporate and regulatory sense.

It's essential for people in these positions to work closely with software engineers, IT operations teams, and systems managers to build effective teams. A collaborative approach is required, and it’s vital to start pitching for extra internal resources and to gather momentum before the pressure builds.

3: Outside expertise is available

Some requirements will be fairly straightforward, others will push teams to the limit, and a few might prove highly complex to pull off.

For example, Requirement 3 relates to the protection of stored account data – including sensitive cardholder details. Suddenly, merchants will find themselves expected to deliver far higher levels of protection.

In these instances, relying on a trusted partner can remove stress, cost, and risk for your organization. For example, a PCI DSS Level 1 Service Provider can handle secure payments for you and shield your contact center from any trace of sensitive data – removing your environment from the scope of PCI DSS 4.0 compliance as it relates to the storing of card data.

Even if criminals managed to get around your security, infiltrate your workforce or obtain information from systems — there's nothing sensitive to steal. To put it another way, criminals can’t steal what you don’t have.

Passing the data storage task to a trusted partner will represent a massive ‘quick win’ and help you to build momentum as you face a world of challenges in the run-up to March 2025.

Discover more

Get ready for March 2024 and 2025. Find out ways you can achieve compliance and go further to safeguard your business. Explore guides, articles, case studies, and other helpful information at our