On March 31, 2022, the PCI Security Standards Council released the new version of the Payment Card Industry Data Security Standards (version 4.0), which represents an update almost four years in the making. In addition to some clarifications and rearrangements, the new PCI DSS 4.0 includes 51 new requirements for all entities, and 13 new requirements for service providers (now called TPSPs—third-party service providers). Of those new requirements, 13 are effective immediately for anyone undergoing a PCI DSS v4.0 assessment; 51 are “best practice” until March 31, 2025, at which time they will be mandatory. In addition, each requirement now includes an entry for “Customized Approach Objective,” because the Council will allow entities to adopt an approach that “does not strictly follow the defined requirement” as long as it meets the stated objective in accordance with the Council’s requirements. The Council noted that this new approach “is intended for risk-mature entities that demonstrate a robust risk-management approach to security, including, but not limited to a dedicated risk-management department or an organization-wide risk management approach.” (Standards at 28.) The previous version of PCI DSS (3.2.1) is retired as of March 31, 2024. Either PCI DSS 3.2.1 or 4.0 can be used for assessments between now and March 31, 2024 (page 36).

On November 1, 2016, the Payment Card Industry (“PCI”) Security Standards Council’s newest set of Data Security Standards (“DSS”) went into effect.  Announced earlier this year, PCI DSS Version 3.2 has made a variety of changes applicable to both merchants that accept payment cards as well as “Service Providers,” which are defined as third-party entities that “store, process, or transmit cardholder data” or that “manage components such as routers, firewalls, databases, physical security, and/or servers” on behalf of merchants. Below, we provide a summary of some of the more significant changes that affect merchants and Service Providers.

The Federal Trade Commission (FTC) has ordered nine companies to file Special Reports detailing how they assess their clients’ compliance with Payment Card Industry Data Security Standards (PCI DSS). Payment card issuing companies require businesses that process over one million card transactions per year to undergo PCI DSS compliance assessments, or audits, performed by PCI Qualified Security Assessors (QSAs), to ensure that the businesses comply with PCI DSS and are adequately protecting their customers’ sensitive personal information. The Order includes a laundry list of requests related to the targeted companies’ PCI DSS assessment process, from the bidding for and staffing of compliance assessments, to the number and percentage of clients that are ultimately determined to be PCI DSS compliant or non-compliant.