With the release of PCI DSS 4.0 in March 2022, a number of myths have been percolating throughout the payments community. In this piece, we’ll look at five of these to explain where they’ve come from and what the updated standard really means.

myth… not a risk-based standard

From its inception in 2004, PCI DSS has been inherently risk-based. The standard was developed by consolidating the existing security programs operated by the major card brands into a unified, global standard that addresses weaknesses throughout the payments lifecycle. Its requirements established mandatory mitigation steps for merchants and service providers to reduce the risks associated with card payments. Until PCI DSS 4.0, however, organizations had no flexibility to define that risk for themselves.

In PCI DSS 4.0, organizations still cannot risk-accept their way out of meeting all applicable controls of the standard, but they do have some flexibility to set control testing frequencies through a targeted risk assessment (PCI DSS 12.3).

myth… all about technology

While technological security controls appear throughout the standard's requirements, PCI DSS is not, and never has been, a technology standard. It mandates controls that address risks associated with the people, processes, and technology involved in card payments and account data security. PCI DSS 4.0 emphasizes this even more strongly than previous versions: the first and second controls of each key requirement focus on defining security policy and documenting roles and responsibilities, respectively.

myth… compliance means security

An effective compliance program that focuses on continuous improvement and is embedded in business-as-usual activities will improve an organization’s overall security posture. But compliance cannot guarantee security. PCI DSS 4.0 places even greater emphasis on compliance as a continuous process than in previous versions, highlighting the value of incorporating compliance monitoring in BAU processes to identify control weaknesses and anomalies before they result in an incident, breach, or compliance failure.

Organizations that choose to expand the implementation of controls to protect other personal and sensitive data environments (even where these are out-of-scope for PCI DSS) will achieve greater security benefits from compliance than those that exclude them.

myth… doesn’t work with evolving technologies

As technology evolves, so do the ways organizations manage and operate their businesses. Previous versions of the standard defined the controls organizations had to implement in order to comply. The increasing migration toward cloud services, software-defined networking, and other innovations has changed the architecture of business networks, the management of user access, and data management provisions. PCI DSS 4.0 supports the rapid evolution of technology with far greater flexibility than previous versions. The Customized Approach allows organizations to meet a requirement with a wider variety of technological and operational controls, provided they achieve the objective — the outcome — of the equivalent defined control.

myth… scoping is only relevant for first-time compliance

Scoping is the first stage of any compliance program, but it’s also crucial to maintaining compliance over time. PCI DSS assessors have always had to validate and document scope in the Executive Summary of a Report on Compliance (ROC), and self-assessments have always required organizations to attest that their scope meets the Self-Assessment Questionnaire (SAQ) eligibility criteria.

PCI DSS 4.0 requires organizations to verify their scope every 6 or 12 months, depending on whether they are merchants or service providers (PCI DSS 12.5). Organizations can automate this process with periodic data discovery scanning while supporting compliance with 26 other controls across the standard.
