The PCI DSS (Payment Card Industry Data Security Standard) is recognized as a comprehensive data security standard for payment card data in international payment systems. The Payment Card Industry Security Standards Council (PCI SSC) continues to develop the standard over time to keep pace with evolving risks and threats, the ever-changing IT and payment landscape and changing security requirements.
The PCI SSC has been working for a long time on the new, fundamentally revised version 4.0 of the standard. After three RFC phases over the past few years, the new version will now be officially published on the PCI SSC website in March 2022.
Some changes have already been announced and are presented below.
New validation options
The PCI SSC plans to make the standard more flexible. Traditionally, the intended way to fulfill a PCI DSS requirement is to follow it word for word. Now the PCI SSC plans to offer a choice: For almost any requirement, a company can either choose the traditional route of meeting it word for word, or it can use an individual, “customized” validation.
For each requirement in the standard, the objective that is to be achieved with the requirement is specified. If a company is of the opinion that it would like to achieve this goal in a way other than by following the requirement to the letter, it can document its path to this goal. This also includes a risk assessment to verify the appropriateness of the chosen “customized” path. This documentation, including the risk assessment, is then made available to the assessor. On this basis, the assessor identifies suitable test procedures for checking the implementation of the customized measures.
Changes to requirements
To ensure that PCI DSS compliance is maintained throughout the year, the PCI SSC has announced additional requirements, e.g. the need for:
- the definition of roles and responsibilities for all PCI DSS-relevant topics, and
- regular reviews of the PCI DSS scope of application.
In addition, existing requirements will be adapted to changing threat situations and security requirements. Changes have been announced for the following topics, among others:
- Authentication requirements,
- Detection mechanisms and awareness-raising measures for current threats, as well as
- Risk assessments.
The use of 8-digit BINs will also have to be taken into account (see our blog entry).
The exact details of the changes will of course only be known after the final release.
Transition process
The PCI SSC has announced a transition period of two years, plus an additional transition period for fundamentally new requirements. So after the March 2022 release, take the time to read the new PCI DSS version, identify the changes and understand the impact on your environment. Use this year to plan the transition to PCI DSS v4.0 and decide when is the right time for your organization to move from version 3.2.1 to 4.0.
Your PCI DSS consultant or auditor can help you understand the intent behind the changes, your customization needs and the validation requirements. Please do not hesitate to contact them. If you do not yet have a PCI DSS contact, please get in touch with SRC’s subject matter experts.
To get an initial overview of the changes to the standard, you can also take part in our free PCI DSS v4.0 webinar on April 21/22: Click here to register.