Mid-2020, fall 2021—the PCI Security Standards Council (PCI SSC) has set several planned release dates for v4.0 of the Payment Card Industry Data Security Standard (PCI DSS). The targeted publication date for PCI DSS v4.0 is now Q1 2022—and while the details of the new version are not yet known, information available now indicates some significant changes ahead.
According to the PCI SSC, the new timeline “supports the inclusion of an additional request for comments (RFC) for the community to provide feedback on the PCI DSS v4.0 draft validation documents.” The Council adds: “A preview of the draft standard will be provided to Participating Organizations, Qualified Security Assessors (QSAs), and Approved Scanning Vendors (ASVs) prior to being finalized for publication.”
Focus on Main Objectives
Among anticipated significant changes to be introduced with v4.0 is a shift to focus on the PCI DSS’ four primary security objectives:
- Ensuring that the standard continues to meet the security needs of the payments industry
- Incorporating flexibility for and support of additional methodologies to ensure security
- Promoting security as a continuous process
- Enhancing validation methods and procedures
In keeping with this focus, PCI DSS v4.0 will include provisions for an alternative to compensating controls. More specifically, v3.2.1 and earlier versions of the standard were prescriptive: they included both a series of objectives (for example, the objective to protect cardholder data) and specific, standard requirements (primary controls) as to how those objectives would be attained. Businesses that could not follow a prescriptive step for PCI compliance were required to implement a compensating control that went “above and beyond” the intent of the primary control itself.
PCI DSS v4.0 still contains the existing prescriptive method for compliance. However, it also replaces compensating controls with customized implementation, which considers the intent of each individual objective outlined in the standard and allows entities to configure their own security controls to attain that objective. Once an entity has chosen a security control for the objective in question, it cannot stop there: it is required to provide its QSA with full documentation so that the QSA may make a final decision about the effectiveness of the proposed control.
In other areas of the anticipated change, the updated standard will reportedly bring to the table:
- Updated requirements and approaches to securing cloud and serverless workloads, because the core controls set forth in v3.2.1 were not designed to apply to them
- New control requirements—for example, expanded use of cardholder data encryption to encompass any data transmission, including data transmission within trusted networks, and a control requirement around passwords/login
- More stringent security requirements in general
- Mandated Designated Entities Supplemental Validation (DESV) for all companies—rather than only for companies that have experienced a security breach
The PCI SSC has announced that the preview of v4.0 for Participating Organizations, QSAs, and ASVs has been scheduled for January 2022. It will include the draft of the standard, along with a Summary of Changes document. “The final versions of the standard, together with validation documents and the first phase of translations of the standard, are scheduled for formal release in March 2022,” the PCI SSC notes in a recent communication on its website.
E-Complish recently attained PCI DSS recertification for the 12th consecutive year and is dedicated to maintaining strict adherence to the standard (as well as to other data security standards).