What to Expect From PCI DSS v4.0?
by Deniz Güreler3 Eylül 20207 min read
by Deniz Güreler
PCI DSS is a set of standards established to protect cardholder data and reduce vulnerabilities. Businesses that store, process or transmit cardholder data are expected to comply with the requirements and security controls set by PCI SSC. In our previous blog post, we have outlined the objectives of PCI DSS, the core areas on security standards and how they help businesses and customers.
The requirements of PCI DSS aim to address the security threats and vulnerabilities within the industry, which are subject to change and evolve. Therefore, PCI DSS is continuously evolving through version updates and iterations to ensure the appropriate security controls are in place. We are now waiting for the new version, PCI DSS v4.0 to be finalized by 2021.
PCI DSS v4.0 is arousing interest since its preparation process completely involves the stakeholders and feedback from the industry. Feedback periods are regular for PCI SSC, however these periods were organized for the current versions rather than preparation of new version drafts and updates. In the case of PCI DSS v4.0, multiple RFC (Request for Feedback) periods are being organized to involve feedback from the industry in the development of the new version. The new thing in these periods is that the drafts of PCI DSS v4.0 are shared with the Participating Organizations and accessors to empower them to fully review and achieve transparency in the process. Having said that the PCI DSS v4.0 is being prepared with the involvement of the stakeholders within the industry, let’s see why updates and changes on the requirements are needed.
As the payment technologies and security landscape are continually changing, the need for up to date and inclusive security controls emerge. In a Q&A session with Troy Leach, the Chief Technology Officer of PCI SSC, he describes the need for PCI standards revision as follows[^1]:
If I look at the biggest changes in technology, especially technology used for payment acceptance, it comes down to three significant changes over the past several years: speed of delivery, diversity of payment acceptance methods and third-party dependency. PCI Standards are evolving to address these changes in technology and to meet the needs of the global payment card industry.
So, the new version of PCI DSS is focusing on addressing the speed of technology, increased complexity and how to implement security on all processes in emerging technologies. With the new version, PCI DSS standards are expected to be more flexible and adaptable to the new technologies.
It is important to note that the foundational requirements and security controls of PCI DSS are not completely changing, instead they are being revised and updated to address evolving security challenges. The main goal of the PCI DSS standards remains ensuring continuous security in every aspect of the businesses.
The high-level goals of PCI DSS v4.0 are given as[^2]:
Ensure the standard continues to meet the security needs of the payments industry
Add flexibility and support of additional methodologies to achieve security
Promote security as a continuous process
Enhance validation methods and procedures.
The current version PCI DSS v3.2.1 and the earlier ones are known to be prescriptive frameworks that expect businesses to adhere to strict requirements. The existence of such strict rules also required businesses to implement compensating controls if they were unable to follow the prescribed procedures. However, these compensating controls were both effortful and time-consuming for businesses to justify its validity and risk assessments in the evaluation and validation process. The increased flexibility objective of the new version comes with the introduction of customized implementation options.
Let’s take a look at the interview[^3] with Emma Sutcliffe, the Council’s Global Head of Standards to find out what we can expect from the PCI DSS v4.0. In the interview, she states that the requirements of PCI DSS are being revised to become more outcome-based. Well, what does this mean? Instead of reinforcing the strict rules, the intent of the requirements will be the main focus and the compliance evaluation will be based on the achieved security outcomes. She states that the shared draft of PCI DSS v4.0 involved the expected security outcomes of each requirement. This major update means businesses can implement appropriate security controls and methodologies of their choice.
Based on the outcome-based approach, PCI DSS v4.0 replaces the compensating controls with the customized implementation option to increase flexibility in the compliance process. Customized implementation is expected to give firms the option to implement security controls that are different from prescribed requirements within the PCI DSS. The key distinction is that organizations are no longer required to justify the business and technical legitimacy of the alternate control implementation as before. Since the compliance will be measured to the extent which the businesses meet the intent of the PCI DSS objectives and achieve the expected outcomes, businesses now have the flexibility to implement alternative methodologies and control mechanisms in their systems. It is also important to note that the prescribed validation methods are still in place, so the businesses can continue implementing the existing control mechanisms if they prefer to do so.
The drafts of PCI DSS v4.0 are shared only with the Participating Organizations and assessors within the RFC period and the standards are not finalized yet. However, PCI SSC has shared the common topics that most of the feedback generated in their blog as below[^4]:
Requirement 4: Protect cardholder data (CHD) with strong cryptography during transmission
Requirement 8: Identify users and authenticate access
Requirement 9: Restrict physical access to cardholder data
Requirement 11: Regularly test security systems and processes
Requirement 12: Support information security with policies and programs
Although the revisions and updates are subject to change, we can still estimate the areas of change within the foundational requirements. The new version is expected to be focusing on the strengthened encryption of cardholder data, increased access control requirements such as MFA and enhanced vulnerability scan and security tests. From the requirements 11-12 above, we can also expect updated security standards and controls for workloads in cloud computing and serverless architectures.
It is announced that the new version is aimed to be released in mid-2021 and associated supporting documents and program updates will be completed by the end of 2021. With the release of the PCI DSS v4.0, the current version PCI DSS v3.2.1 will be available for 2 more years to ensure smooth transition for organizations. During this transition period organizations can have enough time to adapt the upcoming changes and processes. Once the transition period expires in 2 years, organizations will be expected to comply with the new version.
So, when and how to start preparing for the PCI DSS v4.0? Bear in mind that PCI DSS standards will still be focusing on continuous security, so you can start preparing your organization now. You can work on aligning your responsibility and role structures in your business and define and limit the scope of your operations.
The customized implementation alternative definitely will be enabling organizations to save time, effort and possibly resources. However, this control mechanism requires a well-prepared documentation in compliance evaluation. When you set your security controls for the requirements, you should be able to present full documentation in your compliance process. Based on your documentation, your Qualified Security Assessor will be evaluating the effectiveness of these controls.
What you can do now is identifying your ISMS in terms of the processes, flows, structure and so on. A well-communicated ISMS policies and procedures will help your organization in the future documentation processes. Once the PCI DSS v4.0 is released, you can start incorporating the new standards as well. You can perform readiness assessments and vulnerability scans in the transition period to become fully prepared for the new version.
1: PCI Standards in 2019: Q&A with CTO Troy Leach https://blog.pcisecuritystandards.org/pci-standards-in-2019-q-and-a-with-cto-troy-leach
2: PCI DSS: Looking Ahead to Version 4.0https://blog.pcisecuritystandards.org/pci-dss-looking-ahead-to-version-4.0
3: 5 Questions About PCI DSS v4.0https://blog.pcisecuritystandards.org/5-questions-about-pci-dss-v4-0
4: A View into Feedback from the PCI DSS v4.0 RFCa https://blog.pcisecuritystandards.org/a-view-into-feedback-from-the-pci-dss-v4-0-rfc
Do you need any help on achieving PCI DSS Compliance Standards? Sufle Compliance Services help businesses achieve PCI DSS compliance through a well-defined certification roadmap and advisory on the whole process. an Appointment now to get secure and stay compliant!
A fresh new graduate and specializing in marketing, Deniz is excited to learn and share her knowledge on business technologies and technology culture. With her experience in technology companies during her school years, she is always excited to learn more about how technology transforms businesses.
We use cookies to offer you a better experience.