Version 4.0 of the PCI Data Security Standard (DSS) was published by the PCI Security Standards Council (PCI SSC), a global payment security forum.
PCI DSS is a global standard that establishes a set of technical and operational requirements designed to protect account data. PCI DSS v4.0 supersedes version 3.2.1 in order to handle emerging threats and technologies, as well as to enable innovative methods to counteract them. The new standard and the Summary of Changes document are now available on the PCI SSC website.
To give organizations time to understand the changes in version 4.0 and implement any necessary updates, the current version of PCI DSS, v3.2.1, will remain active for two years until it is retired on March 31, 2024. Organizations may assess to either PCI DSS v4.0 or PCI DSS v3.2.1 after assessors have completed the PCI DSS v4.0 training. The standard also gives organizations more time to adopt many of the new requirements. The PCI Perspectives Blog has more information on the implementation timeline.
Changes to the standard were prompted by feedback from the global payments industry. More than 200 organizations gave over 6,000 items of feedback over the course of three years to ensure the standard continues to address the complex, ever-changing landscape of payment security.
“The industry has had unprecedented visibility into, and impact on the development of PCI DSS v4.0,” said Lance Johnson, Executive Director of PCI SSC.
“Our stakeholders provided substantial, insightful, and diverse input that helped the Council effectively advance the development of this version of the PCI Data Security Standard.”
The standard has been updated to address the payments industry’s evolving security needs, promote security as a continuous process, increase flexibility for businesses using different methods to achieve security objectives, and enhance validation methods and procedures. The PCI DSS v4.0 Summary of Changes document on the PCI SSC website contains more information on the updates.
Changes in PCI DSS v4.0
The following are some examples of the changes in PCI DSS v4.0:
Firewall terminology has been updated to "network security controls" to support a larger range of technologies that can achieve the same security objectives as firewalls.
Requirement 8 has been expanded to implement multi-factor authentication (MFA) for all access into the cardholder data environment.
Organizations will have more flexibility in demonstrating how they are employing various methods to achieve security objectives.
Targeted risk analyses have been added to give entities more flexibility in determining how frequently they execute certain activities, based on their business needs and risk exposure.
“With India being a highly targeted country by cyber hackers, securing payment data with data security standards in an evolving payment ecosystem is critical to build robust payments infrastructure keeping security at the centre of everything,” said Nitin Bhatnagar, Associate Regional Director – India, PCI Security Standards Council.
“PCI DSS v4.0 is a unique example of how the Council is evolving security standards and validation programs to support a range of environments, technologies, and methodologies for achieving security. PCI DSS has always been technology-neutral and requirements are intended to apply to all types of environments.”
In addition to the updated standard, the supporting documents published in the PCI SSC Document Library include the Summary of Changes from PCI DSS v3.2.1 to v4.0, the v4.0 Report on Compliance (ROC) Template, ROC Attestations of Compliance (AOC), and ROC Frequently Asked Questions. Self-Assessment Questionnaires (SAQs) will be published in the following weeks.
The standard and Summary of Changes will be translated into numerous languages to support global adoption of PCI DSS. These translations will be published in the months ahead, between March and June 2022.