PCI DSS V4.0 is on its way

So, PCI DSS v4.0 has started its development journey and is expected to be released sometime in late 2020.  The actual release date will largely depend on the feedback received during the development review process.

So what is the development process? 

From 6 September to 15 November 2017 (yes 2017!!!), the PCI Security Standards Council offered stakeholders the opportunity to provide comments and feedback.  In addition to the usual request for feedback on the different areas of the standard, the Council asked specific questions aimed at understanding how it could better help organisations secure payment card data and increase the adoption of PCI DSS.

The Council has stated that it will also conduct additional request for comment (RFC) periods prior to the publication of PCI DSS v4.0.

Who are the stakeholders and how do I get involved?

Stakeholders are PCI Participating Organisations, Affiliate and Strategic Members and Qualified Security Assessors (QSAs).  If you want to get involved, look here: https://www.pcisecuritystandards.org/get_involved/request_for_comments

What do we know about PCI DSS v4.0?

What we do know are some of the specific areas that the stakeholders were asked to comment on, namely:

  • Authentication, specifically consideration for the NIST MFA/password guidance
  • Broader applicability for encrypting cardholder data on trusted networks
  • Monitoring requirements to consider technology advancement
  • Greater frequency of testing of critical controls; for example, incorporating some requirements from the Designated Entities Supplemental Validation (PCI DSS Appendix A3) into regular PCI DSS requirements.

We do not anticipate that the twelve (12) core requirements will fundamentally change, as these are still seen as the critical foundations for securing payment card data.  That said, the Council has advised that, based on the feedback received, it is evaluating how to evolve the standard to accommodate changes in technology, risk mitigation techniques and the threat landscape.  It is also looking at ways to introduce greater flexibility to support organisations using a broad range of controls and methods to meet security objectives, including:

  • Ensuring the standard continues to meet the security needs of the payments industry
  • Adding flexibility and support for additional methodologies to achieve security
  • Promoting security as a continuous process
  • Enhancing validation methods and procedures.

So what happens now?

We will keep you posted with developments as and when we become aware of them.  We understand how important it is to know what is coming and to be able to prepare and transition in good time.  However, right now, your focus should continue to be on ensuring you maintain compliance with v3.2.1.  With the Council’s focus on v4.0, an interim version or update to v3.2.1 is not expected, and something significant would need to occur in order to change the planned course.