Final version of PCI DSS v4.0 released

The long wait is over. After a lengthy RFC process that collected feedback from Participating Organizations and QSACs, the PCI SSC has released the PCI DSS v4.0 standard to the general public, replacing the current v3.2.1 version.

This is a major milestone in the evolution of payment card industry security, as the new version has been designed to address emerging threats and technologies and to enable innovative methods to combat new threats.

PCI DSS
PCI DSS is a global standard that provides a baseline of technical and operational requirements designed to protect account data. PCI DSS v4.0 replaces version 3.2.1 to address emerging threats and technologies and enable innovative methods to combat new threats.

Road to PCI DSS 4.0

The PCI DSS v4.0 draft was provided for RFC in 2019, including new requirements and changes to existing requirements, with the following goals:

  • Continue to Meet the Security Needs of the Payment Industry
  • Promote Security as Continuous Process
  • Add Flexibility for Different Methodologies
  • Enhance Validation Methods

Development of PCI DSS v4.0 was driven by industry feedback. A total of 3 rounds of RFCs on draft content were conducted by the PCI SSC, with feedback provided by 200+ companies. In total, over 6000 items of feedback were received and processed by the PCI SSC to ensure the standard continues to meet the needs of the complex, ever-changing landscape of payment security.

What’s new in PCI DSS v4.0?

The changes to the security standard are extensive: changes to existing requirements, completely new requirements, and added flexibility in the validation methodology of the assessment, so that it is more responsive to the dynamic nature of payments and the threat environment. Details about the updates can be found in the PCI DSS v4.0 Summary of Changes document on the PCI SSC website. Some of the changes in the new standard:

Continue to meet the security needs of the payment industry.
  • Expanded multi-factor authentication requirements.
  • Updated password requirements.
  • New e-commerce and phishing requirements to address ongoing threats.
Promote security as a continuous process.
  • Clearly assigned roles and responsibilities for each requirement.
  • Added guidance to help people better understand how to implement and maintain security.
  • New reporting option to highlight areas for improvement and provide more transparency for report reviewers.
Increase flexibility for organizations using different methods to achieve security objectives.
  • Allowance of group, shared and generic accounts.
  • Targeted risk analyses empower organizations to establish frequencies for performing certain activities.
  • Customized approach, a new method to implement and validate PCI DSS requirements, provides another option for organizations using innovative methods to achieve security objectives.
Enhance validation methods and procedures.
  • Increased alignment between information reported in a Report on Compliance or Self-Assessment Questionnaire and information summarized in an Attestation of Compliance.

Transition to PCI DSS v4.0

PCI DSS v3.2.1 and v4.0 will both be active for approximately two years, starting at the end of March 2022 when v4.0 was released, until the retirement of v3.2.1 on the 31st of March 2024. Once training becomes available to assessors in June, assessors can start assessing their entities against either v4.0 or v3.2.1. When the 31st of March 2024 arrives, v3.2.1 will be retired, and all assessments will need to be against v4.0. Entities will have an additional year before the future-dated requirements come into effect as part of a v4.0 assessment.

All of these future-dated requirements are noted in the standard as best practice until the 31st of March 2025. Entities are not required to validate against them until that date has been reached.

Want to know more?

If you would like to know more about the changes or need help with PCI DSS compliance, please do not hesitate to get in touch with us. We employ a number of skilled and experienced QSAs who help organizations with payment data security compliance preparations and assessments.

New PCI DSS v4.0 Blog Series
In the following weeks, we are going to cover the new security standard in a series of blog entries, looking into the details, new requirements and approaches of PCI DSS v4.0. Stay tuned for more information.
