In a volatile payments landscape, enterprises are preparing for the Payment Card Industry Data Security Standard (PCI DSS) version 3.2.1 to expire on March 31, 2024. Taking its place will be the more robust PCI DSS version 4.0, a substantial update to the Standard designed to address the continually evolving threat landscape and changing payments systems. The new requirements are needed to help businesses prevent payment card data from being compromised or stolen.

Created by the PCI Security Standards Council (SSC), a global entity that brings industry leaders—including American Express, Discover, JCB International, Mastercard, UnionPay and Visa—together to develop Standards that ensure the secure use of payment cards, PCI DSS v4.0 includes numerous changes that impact not only any organization that processes, transmits or stores payment card information, but also those within the larger payments ecosystem, including service providers and those that are contractually required to comply with PCI DSS.

“Preparing for PCI DSS v4.0 should be a strategic imperative for any organization that possesses payment card data,” says Mark Stachowicz, a senior manager in Verizon Cyber Security Consulting services, which includes expert teams for security assurance, cyber defense, and the Verizon Threat Research Advisory Center, a specialized division within Verizon Consulting Services that helps enterprises mitigate threats to their networks, applications and devices.

“Understanding the changes in the PCI DSS Standard is paramount for Qualified Security Assessors (QSAs) to do a comprehensive and effective assessment,” adds Stachowicz. “Now is the time to ask ‘Does my QSA understand the changes in the Standard and how to address them?’”

He notes that QSAs at Verizon, one of the longest-operating PCI services providers, recommend that CISOs explore several important questions, including:

Stachowicz notes that these questions are critically important because payment card data is highly sought after by cybercriminals, a fact reflected in Verizon’s 2023 Data Breach Investigations Report. The report states that payment card data was compromised in 37% of breaches in 2022.

“The answers to these questions are crucially important to ensure that your assessment is as strong as possible,” he adds. “A proper assessment should rarely fail to uncover additional steps an enterprise should take to gain greater peace of mind.”

Stachowicz also recommends that IT leaders read Verizon’s collection of payment security research and, in particular, the recently released PSR 2023 Payment Security Report insights white paper, which explains the value of advanced PCI program management design.

“If your QSA is simply checking off boxes, they are doing you a disservice and will not be able to address the greater level of detail PCI DSS v4.0 requires,” he adds.

“You want an expected partner who simplifies the complexity of compliance management with an economical solution—a PCI security program that delivers effective, predictable results in an efficient manner, faster and with fewer resources.”

Security and compliance teams can find more information on Verizon’s PCI DSS assessment here.