For anyone interested in security standards related to protection of payment card data, the PCI SSC (Payment Card Industry Security Standards Council) has publicly announced the updated timeline for the long awaited release of version 4.0 of the PCI DSS standard. This update brings the most extensive changes to the payment card data security compliance since the beginning of the PCI DSS program. While the final documentation has not yet been released publicly, some planned changes have been disclosed.
PCI SSC is currently planning to release the PCI DSS v4.0 standard in Q1 2022. This is a minor delay to the anticipated term of Q4 of 2021. However, the additional RFC period will be used for the validation documents.
Participating Organizations (PO), Qualified Security Assessors (QSA) and Approved Scanning Vendors (ASV) will have access to the draft before the official release to help them familiarize themselves with the changes. This preview is scheduled for January 2022. The final version of the standard is scheduled for official release in March 2022.
Following the official release, the QSAs and ISAs will need to attend trainings before being able to assess the compliance against the updated standard. These trainings are planned to take place starting June 2022.
Below is the overview of the updated PCI DSS v4.0 timeline as released by the PCI SSC.
As with the previous releases, PCI SSC will allow a transition period to take place after the formal release. This transition enables entities to validate their compliance against the current version of PCI DSS (3.2.1) or the updated version 4.0.
The current version will remain active for 18 months after the formal release.
This transition period should allow organizations to assess the changes and prepare accordingly for the new requirements or validation.
The updated PCI Data Security Standard features some of the most extensive changes to the assessments yet. Not only in the form of new requirements, but also with a completely new way of validating compliance.
Currently, the PCI DSS contains a set of requirements grouped into twelve categories. Each of these requirements needs to be fulfilled by the assessed entity to be compliant with the standard. In the case where there is a reasonable business or technical justification of not being able to comply with a requirement, the assessed entities are provided with an option to implement compensating controls. These controls, while not in line with testing requirements of the PCI DSS, can fulfill the intent of the requirement differently. The effectiveness of these controls of course needs to be validated by the assessed entities as well as QSA during an assessment.
This approach has been significantly updated in the new version of PCI DSS v4.0. All requirements have been redesigned to focus on security objectives rather than only being specific required controls. The restrictions that required business or technical justification for compensating controls has been also removed. This allows the organizations to fulfill the intents of the requirements with much more flexibility.
This update to the compensating controls is now called Customized Validation and brings a new, flexible way for the entities to demonstrate compliance in an ever-evolving world of payment technologies.
The updated standard will feature some new requirements addressing evolving risks and threats to payment data. Unfortunately, until the standard is formally released these new requirements cannot be publicly disclosed, as some might still not make it to the final release.
Many of these requirements will be future-dated, meaning even when the current PCI DSS standard (v3.2.1) is retired, they will remain best practice and will not be required for the full compliance until their due date is reached.
The currently planned effective date for these requirements is Q1 2025. Organizations are there so provided with a grace period to get acquainted with and implement new requirements.
Want to know more?
If you would like to know more about the expected changes or seek help with the PCI DSS compliance, please do not hesitate to get in touch with us. We employ a number of skilled and experienced QSAs helping organizations with payment data security compliance preparations and assessments.