Two Perspectives On Two PCI-DSS Rules


New PCI-DSS Rules Are On Their Way.

The Payment Card Industry Data Security Standards (PCI-DSS) is a set of rules developed by the banking industry that lays out the dos and don’ts for organizations that accept debit, credit, and other plastic cards as a form of payment. These rules classify organizations according to the number of transactions they process. There are four classifications, or levels, with level one organizations processing the most and level four ones processing the least.

Exactly how your organization uses plastic payment cards will affect which rules apply to your situation (such as whether you accept them exclusively for payments or also accept refundable deposits). It’s also worth mentioning that most of the rules are not technical; a solid two-thirds of them are more concerned with how your business operates than with what OS you run. That’s not to say there are no technical requirements at all (and if you’re not already using secure passwords and multi-factor authentication then you need to start immediately), but most of them are actually aimed at ensuring your organization has the proper policies and procedures in place, like a disaster recovery plan.

PCI-DSS Rules Updates

The exact requirements can be found on the PCI security standards website, but there is one other wrinkle: the rules only get revised when necessary, so updates are sporadic and it can be difficult to keep track of the changes. Unlike software, which sometimes gets updated so often it becomes annoying, PCI-DSS requirements often go years between revisions. The most recent was in March 2022, more than two years ago. Fortunately, the new rules came with a grace period and don’t go into effect until March 2025, but that deadline’s less than a year away already.

Nevertheless, although they can be frustrating to keep track of, these sporadic updates are still improvements meant to better secure online transactions and promote regulatory compliance. That’s why we’ve identified two new rules from the latest update likely to improve security and compliance for everyone who gets on board with them before March 2025.

Two PCI-DSS Rules and Perspectives

First, under the previous regime, level four organizations (the smallest) were not strictly required to comply with the PCI-DSS rules, just strongly encouraged. That exemption has now been removed, which means that starting soon any organization that accepts any sort of plastic payment will be required to follow the complete set of rules, regardless of size.

Second, PCI-DSS leadership has committed to updating the standards every three years, which is a welcome change from the previous, inconsistent approach. Having a predictable schedule for updates makes quick and comprehensive compliance with changes much easier to achieve.

Good rules and regulations aren’t static or unchanging; they’re dynamic, evolving to meet the needs of their era as society grows and changes over time. Depending on your perspective, that creates either a responsibility for organizations to keep up with the latest standards or an opportunity for them to achieve superior cybersecurity. Whichever is true for you, TRINUS can help. Contact one of our IT specialists to learn more about how we can help your organization stay cyber secure and compliant, and get yourself some stress-free IT.

This Shakespeare quote comes from Macbeth: “If you can look into the seeds of time, and say which grain will grow and which will not, speak then unto me.”


Be kind to one another, courtesy your friendly neighbourhood cyber-man.
