In a press release published on March 31st, the PCI Security Standards Council (PCI SSC) announced v4.0 of the PCI Data Security Standards (PCI DSS).
The PCI DSS is a global standard covering technical and operational practices for system components included in or connected to environments with cardholder data.
In this blog post, we provide a brief overview of what’s new in this latest iteration of the standard. We also glance at the implementation timeline so that your business can get the ball rolling on the transition process.
What’s New in the PCI Data Security Standards v.4.0?
The new changes and requirements reflected in v4.0 address four main objectives:
- continue to meet the security needs of the payment industry;
- promote security as a continuous process;
- add flexibility for different methodologies; and
- enhance validation methods.
PCI DSS v4.0 comes with three types of changes: (1) evolving requirements, (2) clarifications/additional guidance, and (3) structural/formatting changes.
Evolving requirement changes include new/modified requirements and procedures. For example, concerning Requirement 1 (Install and Maintain Network Security Controls), v4.0 replaces v3.2.1’s “firewalls” and “routers” language with “network security controls” to acknowledge the broader range of technologies that are available to meet security objectives. Additionally, Requirement 2.1.2 - which requires roles and responsibilities for performing activities covered under Requirement 2 to be documented, assigned, and understood – is new in v4.0. Another new rule in v4.0, for example, is Requirement 12.5.2, which requires entities to document and confirm PCI DSS scope at least every 12 months and upon a significant change to the in-scope environment.
Clarifications/additional guidance changes update wording, explanations, and definitions as well as provide expanded information on particular topics. PCI DSS requirements generally apply to entities with environments where account data (cardholder data and/or sensitive authentication data) is stored, processed, or transmitted and to entities with environments that can impact the security of the cardholder data environment (CDE). PCI DSS v4.0 provides updated language in the “Applicability Information” section, clarifying that “requirements may also apply to entities with environments that do not store, process, or transmit account data – for example, entities that outsource payment operations or management of their CDE.”
Structural/formatting changes involve edits to the organization of the document. Some of these structural/formatting changes include reformatted overview sections and new summaries accompanying each principal requirement.
Furthermore, to support flexibility in how security objectives are met, PCI DSS v4.0 offers two approaches for implementing and validating PCI DSS: defined approach and customized approach. A customized approach to a particular requirement allows entities to implement security practices and controls that meet the purpose of the requirement, but in a way that does not strictly follow the defined requirement.
This latest iteration of the PCI Data Security Standards v4.0 – is designed to replace the most recent version, v3.2.1, which was first released back in 2018.
As for the timeline, v3.2.1 will remain active for two more years until its retirement date of March 31, 2024.
Future-dated new requirements will become effective on March 31, 2025. For example, Requirement 220.127.116.11 of v4.0 - which is a new requirement that defines the frequency of periodic evaluations of system components not at risk for malware in an entity’s targeted risk analysis – will be considered a best practice until March 31, 2025 (after which it will be required).
PCI DSS v4.0 brings significant changes and new approaches, and businesses will have until March 31, 2024, to effectuate a transition to this latest version of the standard. Businesses can find the newest version of the standard and supporting documentation in the “Document Library” section of the PCI SSC’s website. Our highly experienced attorneys are prepared to provide up-to-date and practical compliance counsel in connection with PCI DSS.
* Attorney Advertising: prior results do not guarantee future outcomes.