The PCI Security Standards Council (PCI SSC) is developing the fourth iteration of its data security standard, commonly known as PCI DSS. This version 4.0 won’t arrive until the middle of 2021, and many of the details are speculative right now. Still, compliance and security professionals should anticipate the changes likely to come, and allow ample time to bring their companies into compliance with these new expectations.

The PCI DSS was last updated in 2018. Since then, the PCI council has expanded its feedback system to solicit more feedback from stakeholders. That feedback takes time to digest, but it also gives participating organizations an opportunity to communicate their needs to the PCI council and play a more active part in the revision process. 

Any organization that’s interested can offer feedback during these requests for comment. PCI stakeholders include qualified security assessors (QSAs), service providers, industry experts, and PCI vendors, among others. Participants can offer feedback via requests for comment or in community meetings the PCI holds around the world. The process allows anyone involved in the payment card industry to have a voice in how version 4.0 will take shape. The process considers both existing PCI standards that need revision, as well as new standards that might be created in the future. 

The PCI SSC held its first request for comment (RFC) for the 4.0 update in 2019. More RFCs were held in September and October of 2020. Stakeholders have expressed numerous concerns that version 4.0 will likely address in some form:

  • Increased guidance for authentication protocols, particularly with regard to NIST guidance, passwords, and multi-factor authentication;
  • Increased ability to encrypt cardholder data;
  • Ongoing monitoring of past requirements, to ensure that they are evolving alongside new technology;
  • Increased testing and the potential to elevate some lesser requirements and apply them to a larger group of organizations. 

Meanwhile, the PCI council has stated that PCI DSS 4.0 will focus primarily on security and flexibility. The stated priorities are:

  • Maintain the current foundation for data security as it applies to current technological trends; and 
  • Create more flexibility for organizations that are using new methods to achieve compliance with the PCI DSS objectives.

These security objectives were largely chosen to ensure that the methodology behind the PCI DSS can evolve alongside advancements in both technology and cyber attacks. The planned updates in version 4.0 will create new requirements that protect payment card data from risks and threats as they evolve, and reconsider existing requirements so that they continue to support organizations that meet them through evolving methods.

For example, this new version could bring a more consistent and thorough approach to data encryption that applies to more businesses at all levels. The existing Designated Entities Supplemental Validation (DESV) requirements might also be required of a broader range of organizations, which could mean that companies must revise their approaches to security controls and scope validation.

The 12 core PCI DSS requirements are not expected to change, although updates to supporting documents such as self-assessment questionnaires (SAQs) and reports on compliance (ROCs) will be forthcoming. After the release there will be an 18-month transition period during which PCI DSS version 3.2.1 will remain active, giving organizations time to update their forms and make the necessary shifts to move to 4.0.

It’s also expected that many requirements will be future-dated, which will give companies time to adjust their compliance programs before the implementation deadline arrives. The completion of this process—and full adherence to the requirements of version 4.0—is expected by early 2024.

The best way to prepare for PCI DSS 4.0 is to maintain the compliance your company already has in place. The council has urged companies to wait until the new version is complete rather than try to achieve PCI compliance based on drafts that are still in progress and therefore subject to change.