For the last few years, we have witnessed how the paradigm has been changing in the use and implementation of payment services, which must remain aligned with security standards.

As security consultants and auditors, we have followed these new concepts and have been looking forward to their incorporation into the new standard. In early 2022, the PCI Council ended this wait and released PCI DSS version 4.0.

This new version is valid at the same time as the previous version, 3.2.1. The reason is that we are going through a transition period that allows companies to adapt. Therefore, both versions are equally valid until March 31, 2024.

From now until March 31, 2025, some of the requirements of version 4.0 only require partial compliance, with full compliance recommended as a best practice. After that date, all requirements must be fully complied with.

Please look at the timeline in the picture below:
(Picture: PCI DSS 4.0 transition timeline)
Picture from: PCI DSS v4.0 At-a-Glance: https://www.pcisecuritystandards.org/documents/PCI-DSS-v4-0-At-A-Glance.pdf

What is the goal of the new PCI 4.0?

Since 2017, the PCI Council has received feedback through 3 RFCs (Requests for Comments), in which more than 200 companies participated, submitting over 6,000 items of feedback.

This new version is based on four goals that the PCI Council has set itself:

  • Continue to meet the security needs of the payments industry.
  • Promote Security as a Continuous Process.
  • Add Flexibility for Different Methodologies.
  • Enhance Validation Methods and procedures.

These goals stem from understanding the growth of cyber-attacks and the need to minimize the level of risk when protecting data in the payment environment.

Many organizations emphasised that, in the new version, the way they work and the security controls should match better, and they proposed different methods to meet the security objectives set by PCI. This request has been heard, and it is the most relevant change of the new version: it allows organizations to implement custom controls as long as they still meet the objective of the control.

The new version also enhances the validation of security methods and procedures described in the audit deliverables, such as the RoC (Report on Compliance), the Self-Assessment Questionnaire (SAQ), and the AoC (Attestation of Compliance) that summarises the assessment.

We recommend reviewing the changes documented in the “PCI DSS Summary of Changes”. This will allow you to identify the differences between the current version and the previous one.

Read more about:
PCI DSS v4.0: https://www.pcisecuritystandards.org/documents/PCI-DSS-v4_0.pdf
PCI DSS v4.0 Summary of Changes: https://www.pcisecuritystandards.org/documents/PCI-DSS-Summary-of-Changes-v3_2_1-to-v4_0.pdf
Press Release: Securing the future of payments: PCI SSC publishes PCI Data Security Standard v4.0
PCI DSS v4.0 Resource Hub: https://blog.pcisecuritystandards.org/pci-dss-v4-0-resource-hub
PCI DSS v4.0 At-a-Glance: https://www.pcisecuritystandards.org/documents/PCI-DSS-v4-0-At-A-Glance.pdf