The Payment Card Industry Security Standards Council (PCI SSC) is slated to publish PCI DSS v4.0 in March 2022. While a timeline recently released by the PCI SSC calls for a transition period from the current version (v3.2.1), it’s important for merchants to be prepared for coming changes. Here’s a review of what we know so far.
Transition Basics
According to the most recent updated transition timeline released on the PCI SSC website in June 2021, PCI DSS v3.2.1 will “remain active for 18 months once all PCI DSS v4.0 materials—that is, the standard, supporting documents (including Self-Assessment Questionnaires, Reports on Compliance, Attestations of Compliance), training, and updates are released.”
The transition period, the PCI SSC explains in the notice, is intended to give organizations “time to become familiar with the changes in v4.0, update their reporting templates and forms, and plan for and implement changes to meet updated requirements.” Upon completion of the 18-month transition period, PCI DSS v3.2.1 will be retired and v4.0 will become the only active version of the standard.
Nonetheless, according to the website, there will be an extra period of time beyond the transition period “defined for phasing in new requirements that are identified as ‘future-dated’ in v4.0.” As laid out on the website, “in PCI DSS, new requirements are sometimes designated with a future date to give organizations additional time to complete their implementations. Requirements that are future dated are considered as best practices until the future date is reached. During this time, organizations are not required to validate to future-dated requirements.”
“While validation is not required, organizations that have implemented controls to meet the new requirements and are ready to have the controls assessed prior to the stated future date are encouraged to do so. Once the designated future date is reached, all future-dated requirements become effective and applicable.”
“We anticipate that PCI DSS v4.0 will contain a number of new requirements that may be future dated; however, we won’t know the exact number until the standard is finalized.”
New Elements
As we mentioned in the introduction to this blog, we won’t know exactly what v4.0 will bring to the table. But other updates on PCI DSS v4.0 made public by the PCI SSC provide some hints.
In general, the PCI SSC has repeatedly noted, v4.0 will be “more flexible, outcome-based, and more focused on a risk-based approach to securing cardholder systems and data.” In keeping with this, it will zero in on the four primary security objectives of the PCI DSS, which call for:
- Making certain that the standard satisfies the security needs of the payments industry
- Flexibility, so that any additional methodologies aimed at ensuring security can be incorporated and supported
- Promoting security as a continuous process
- Improving any and all validation methods and procedures
Merchants should keep in mind that based on the new focus, v4.0 will reportedly include provisions for an alternative to compensating controls. V3.2.1 and earlier versions of the standard were prescriptive—in other words, they included a series of objectives and specific requirements for achieving them. V4.0 will still contain the existing prescriptive method for compliance, but it also replaces compensating controls with customized implementation.
Customized implementation considers the intent of individual objectives set forth in the standard and gives entities the option to configure their security controls to attain each one. Caveat: Once an entity has configured the security control for a particular objective, it must provide its Qualified Security Assessor (QSA) with full documentation, to enable the QSA to make a final decision about the effectiveness of the security control in question.
What Else is in Store
The updated standard will also likely include a few additional elements merchants would do well to anticipate. For example, the core controls included in v3.2.1 were not designed to apply to securing cloud and serverless workloads. Now that these have become mainstream, updated requirements that do apply to them are expected.
So, too, are new control requirements. Case in point: expanded use of cardholder data encryption to encompass any data transmission. “Any” includes data transmission within trusted networks. A control requirement pertaining to passwords and logins falls under this umbrella.
Finally, there will almost definitely be more stringent requirements in general. Accompanying them: Mandated Designated Entities Supplemental Validation (DESV) for all companies, rather than only for companies that have fallen victim to a security breach.
E-Complish recently attained PCI DSS recertification for the 13th consecutive year and is dedicated to maintaining—and helping merchants maintain—strict adherence to the standard and other applicable data standards.