The wait is over; PCI 4 is officially here. As of March 31st, 3.2.1 has been retired, and anyone undergoing certification or re-certification must meet the new PCI 4 requirement standards.
Frustration has been a common sentiment around the changes in PCI 4, including the timeline at which organizations are responsible for meeting them and the complexity of the updates.
Many teams have felt challenged by the timeline and changes to PCI and have needed help understanding the implementation timeline of PCI 4. One particular area that has been especially trying has been the future-dated requirements. With PCI 4 becoming standard, the countdown has begun for the future-dated requirements, but what does that mean?
PCI 4 has two categories of new requirements: requirements effective immediately for all PCI assessments after March 31, 2024, or best practices until March 31, 2025, after which they become mandatory. Almost every section of PCI 4 has at least one future-dated requirement. The full breakdown of these requirements and who the updates apply to can be found in the Summary of Changes from PCI DSS Version 3.2.1 to 4.0 document.
Requirement 8 (or the section addressing identity security and multi-factor authentication) has 7 future-dated requirements that should not be overlooked. It is critical to remember that due to the complexity of the new MFA requirements, organizations cannot wait until the last minute to ensure their identity security systems and policies meet the latest standards.
Some of these future-dated requirements specific to identity security in contact centers are:
- (Req. 8.2.8) 15-minute timeouts
- (Req. 8.3.6) password complicity and rotation
- (Req. 8.4.2) deploy MFA to everyone, everywhere
Read the blueprint to review how PCI 4 impacts MFA in BPO contact centers.
Timeline based on a graph from PCI DSS v4.0 At-a-Glance, 2022 PCI SSC
For more information on PCI 4 and MFA, subscribe to the Twosense blog or ring the bell at the top right corner of Twosense LinkedIn to receive the latest compliance and identity security information.