PCI DSS 4.0 Updates

Published on: 22 Jul 2020


PCI DSS 4.0 is the latest version of the Payment Card Industry Data Security Standard. The updated standard is expected to be released anywhere between the end of 2020 and mid-2021. Like all previous versions of PCI DSS, the upcoming version 4.0 will be a comprehensive set of guidelines, with additional new requirements, for securing systems involved in the processing, storage, and transmission of credit card data.

The new version is an updated set of mature standards that focuses on an “outcome-based” approach rather than a “must-implement” approach. Organizations will still have to meet the PCI DSS requirements, but they will have the freedom to choose how they meet them. Organizations will no longer be expected to meet the standard word for word: as long as they can meet it through a robust approach, they are good to go.

This article explains why the PCI Council is rewriting the PCI DSS requirements and adding new ones, and highlights the key changes anticipated in PCI DSS 4.0.

What is the intention behind the PCI DSS 4.0 update?

While PCI DSS is considered a fairly mature standard, the intention behind version 4.0 is to keep pace with the evolving threat landscape around payment data. The following are the four major reasons for upgrading PCI DSS 3.2.1 to PCI DSS 4.0.

  • Ensure the standard continues to meet the security needs of the payments industry.
  • Provide flexibility and support of additional methodologies to achieve security. 
  • Promote security as a continuous process.
  • Enhance validation methods and procedures.

Upgrading from PCI DSS 3.2.1 to PCI DSS 4.0

PCI DSS 4.0, officially set for release between the end of 2020 and early 2021, is expected to improve on the existing PCI DSS 3.2.1 version in a few ways.

1. PCI DSS 3.2.1, the current standard, includes a series of objectives and very specific, stringent requirements that outline how companies must achieve compliance. In other words, the standard is extremely prescriptive and onerous. Businesses that are not able to follow these steps to compliance implement compensating controls instead, a tedious and time-consuming procedure that requires an organization to go well beyond its intended primary controls.

2. PCI DSS 4.0, on the contrary, intends to replace compensating controls with an alternative: a customized implementation approach. This allows the entity to design and develop its own security controls to meet the compliance standard. Under the new version, the organization determines the security controls for a given objective, submits detailed documentation outlining the approach adopted to achieve compliance, and demonstrates its effectiveness to the Qualified Security Assessor (QSA). Based on an analysis of the documentation submitted, the QSA makes the final decision on the effectiveness of the control.

3. The use of cloud and serverless computing is another key area addressed in PCI DSS 4.0. The security controls of version 3.2.1 were not designed for the current IT landscape, whereas PCI DSS 4.0 is expected to introduce an updated set of requirements and an approach to securing data in cloud and serverless environments.

4. Businesses can also expect new control requirements that expand the encryption of cardholder data to any transmission within trusted networks. Additional control requirement updates pertaining to passwords, login access, and multi-factor authentication can also be expected.

Anticipated changes in PCI DSS v4.0

While the 12 core requirements of PCI DSS will remain the same, several new requirements are set to be introduced to address the evolving security threats to payment data. New rules and requirements have also been set to bring greater flexibility in the approach an organization takes to achieving compliance. Below we list the key changes anticipated in PCI DSS 4.0 and what an organization can expect from them.

Key Changes anticipated in the latest version PCI DSS 4.0

Flexibility in Implementing procedures

The introduction of customized implementation as a replacement for compensating controls is one of the major changes expected in PCI DSS 4.0. The new approach defines a security outcome for every control requirement. Companies can comply by adopting a customized approach and showing that the intent of the requirement is met, without having to provide any operational or technical justification. This gives more flexibility in implementation while still meeting the intent of the requirement. However, the company must provide the QSA with a detailed document justifying the effectiveness of the custom implementation, and the QSA will validate it by running thorough tests to confirm that the controls are effective and the company is compliant.

Stringent security requirements

While several new requirements will be introduced in PCI DSS 4.0, the ultimate goal of PCI DSS remains the same: ensuring that all entities secure the cardholder data they store, process, and transmit. To set a higher benchmark than PCI DSS 3.2.1, the PCI Council is set to restructure many requirements and include much more stringent security requirements for achieving compliance.

Multi-factor authentication

The PCI SSC has long been working with the Europay, Mastercard, and Visa consortium to improve authentication standards for both control process access logins and payment processes. With this in mind, PCI DSS 4.0 may focus on the use of the 3DS Core Security Standard for secure transaction authorization. The 3DS standard enables an organization to build pluggable authentication options for enhanced security and customer authentication. This will not just ensure that controls meet regulatory requirements, but also allow them to scale with the company’s evolving transaction objectives.

Data Encryption

Prevailing cybersecurity threats call for stronger cardholder data protection measures. One of the key challenges to be addressed is malicious code that penetrates the trusted network. To address this, PCI DSS 4.0 will provide measures and guidelines for adopting industry-best security practices, ensuring secure network transmission of cardholder data.

Monitoring Requirements to consider Technology Advancement 

PCI DSS 4.0 will probably focus more on a risk-based approach. The Software Security Framework (SSF), which is soon to replace PA-DSS, will include a Secure Software Lifecycle component that lets companies have their Software Development Lifecycle (SDLC) certified. Adopting this framework will allow organizations to comply with the standard while deploying processes more quickly. While SSF may not be a requirement, it would still call for engaging an assessor on delta changes and would require reassessment of the software every three years.

Greater Frequency of testing critical control

PCI DSS 4.0 may also include DESV (Designated Entities Supplemental Validation) requirements. While PCI DSS 3.2.1 already included many DESV requirements, it is expected that a higher frequency of critical control testing may also make its way into the new version. Earlier, the DESV requirements were specifically meant for companies that had experienced a breach; now they may become an essential compliance standard for all businesses.

How can VISTA InfoSec help companies prepare for PCI DSS 4.0 Compliance?

While we expect some significant changes in the upcoming standard, they all seem positive for the industry in terms of data security. Having said that, organizations that might be affected would be prudent to review their existing processes and security controls now, to determine the control changes they will need to prepare for when the new requirements come into effect.

VISTA InfoSec has been involved in PCI DSS consulting and audit right from version 1.2. With hundreds of clients and even payment brands availing of its audit services, this is the go-to company if you are serious about payment data security.

Learn whether your systems are PCI DSS compliant by availing of VISTA InfoSec’s specialized testing solutions. We are a 16-year-old InfoSec solution and consulting service provider with the expertise to ensure companies are compliant with their industry standards. We offer a wide range of assessment and advisory services tailored to your business framework. By availing of our specialized PCI DSS assessment services, you can minimize the risk of a breach, identify security vulnerabilities, and secure cardholder data effectively. Learn more about our InfoSec services and solutions by visiting our website www.vistainfosec.com or simply drop us a query at askus[@]vistainfosec.com

Narendra Sahoo

Narendra Sahoo (PCI QPA, PCI QSA, PCI SSF ASSESSOR, CISSP, CISA, CRISC, 27001 LA) is the Founder and Director of VISTA InfoSec, a global Information Security Consulting firm, based in the US, Singapore & India. Mr. Sahoo holds more than 25 years of experience in the IT Industry, with expertise in Information Risk Consulting, Assessment, & Compliance services. VISTA InfoSec specializes in Information Security audit, consulting and certification services which include GDPR, HIPAA, CCPA, NESA, MAS-TRM, PCI DSS Compliance & Audit, PCI PIN, SOC2 Compliance & Audit, PDPA, PDPB to name a few. The company has for years (since 2004) worked with organizations across the globe to address the Regulatory and Information Security challenges in their industry. VISTA InfoSec has been instrumental in helping top multinational companies achieve compliance and secure their IT infrastructure.