PCI DSS v4.0 is coming — an overview
The PCI DSS (Payment Card Industry Data Security Standard) is well known as the comprehensive data security standard for the payment card data of the international payment brands. The Payment Card Industry Security Standards Council (PCI SSC) has revised the standard repeatedly over the years to address evolving risks and threats to payment data, to keep pace with the ever-changing IT and payment landscape, and to reinforce security.
The PCI SSC has been working on the new, fundamentally revised version 4.0 of the standard for a long time now. After three request-for-comments (RFC) phases, the new version will be officially published on the PCI SSC website in March 2022.
Several changes have already been announced and are summarized below.
New validation options
The PCI SSC plans to add more flexibility to the standard. Traditionally, the intended way of fulfilling a PCI DSS requirement is to follow it word for word. Now the PCI SSC plans to add a choice: for nearly every requirement, an entity can either fulfil it the traditional way, word for word (the "defined approach" in the PCI SSC's terminology), or it can use a customized validation (the "customized approach").
Each requirement in the standard will state the objective it is intended to achieve. If an entity wants to meet that objective in a way other than following the requirement word for word, it documents how it does so. This documentation includes a risk analysis that justifies the appropriateness of the customized control. The documentation, including the risk analysis, is then provided to the assessor, and the assessor derives suitable testing procedures to verify that the customized control is implemented and meets the stated objective. Note that the customized approach shifts work onto the entity: the control, its rationale and the evidence that it works all have to be documented before the assessment, rather than simply tested against a fixed procedure.
New and changed requirements
To ensure that PCI DSS compliance is maintained throughout the year rather than only at assessment time, the PCI SSC has announced additional requirements, e.g. the need for
- Definition of roles and responsibilities for all PCI DSS relevant topics; and for
- Regular verification of PCI DSS scope.
In addition, existing requirements will be updated to reflect evolving threats and security practice. Changes to requirements on the following topics are expected:
- Authentication requirements,
- Detection mechanisms and awareness measures for current threats, and
- Risk assessments.
The use of 8-digit BINs will also need to be addressed (see our blog entry).
Of course, the exact details of changes can only be given after the final publication.
The PCI SSC has announced a transition period of two years during which version 3.2.1 remains valid, plus additional transition time for completely new requirements.
So after publication in March 2022, take the time to read the new PCI DSS version, identify the changes, and understand their impact on your environment. Use this year to plan the migration to PCI DSS v4.0 and to decide when the right moment is for your entity to switch from version 3.2.1 to 4.0.
Your PCI DSS consultant or assessor can help you understand the intention behind the changes, your need for migration, and the validation requirements. Please do not hesitate to contact them. If you do not have direct contact with a PCI DSS expert, please contact SRC's PCI DSS responsible.
To get a first overview of the changes to the standard, you can also join our free PCI DSS v4.0 webinar on 20 April: Register here.