
If you are a dealer merchant of any size accepting credit cards, you must be in compliance with PCI Security Council standards. PCI DSS version 4.0 was released on March 31, 2022; however, a transition period has been in effect since the prior version, v3.2.1, was retired on March 31, 2024.

The new requirements of version 4.0 will become effective March 31, 2025. What does that mean for you? If you have already completed your Security Assessment Questionnaire (SAQ), you are compliant until your next SAQ is due. When your next SAQ is due, you will be required to be in compliance with PCI DSS v4.0. You may already be meeting all the requirements of v4.0, but if you aren’t, doing so is now required.

Here are some changes you need to be aware of:

  1. Enhanced focus on vulnerability management – in v3.2.1 you only needed to fix critical and high-risk vulnerabilities. In v4.0 you need to fix ALL
  2. Additional malware and phishing controls – you must have a process in place to automatically scan removable electronic media (e.g., USB sticks) as soon as they are inserted, connected, or logically mounted into your devices.
  3. Improved security awareness training – v4.0 mandates training your staff at least annually on security awareness and their role in protecting cardholder data. There are also additional topics you must train your staff on.
  4. Stronger authentication measures – v4.0 mandates multi-factor authentication (MFA).

These are just high-level changes. For more information on how this will affect your organization, contact your payment processor.