PCI SSC has begun efforts on PCI Data Security Standard version 4.0 (PCI DSS v4.0). Here we provide more insight into the development process and how PCI SSC is looking at changing the standard to support businesses around the world in their efforts to safeguard payment card data before, during and after a purchase is made.
Industry Feedback will Shape PCI DSS v4.0
Industry feedback is shaping the next major release of PCI DSS.
PCI DSS v4.0 will incorporate input received from global PCI SSC stakeholders during the 2017 request for comments (RFC) period. Some of the specific areas that stakeholders asked PCI SSC to review include:
- Authentication, specifically consideration for the NIST MFA/password guidance
- Broader applicability for encrypting cardholder data on trusted networks
- Monitoring requirements to consider technology advancement
- Greater frequency of testing of critical controls; for example, incorporating some requirements from the Designated Entities Supplemental Validation (PCI DSS Appendix A3) into regular PCI DSS requirements.
PCI SSC will also conduct additional RFC periods with PCI SSC stakeholders prior to publication of PCI DSS v4.0. Information about the RFCs will be posted on PCI SSC website, and PCI SSC stakeholders will receive communications with additional information on how to participate.
As part of the RFC process, all feedback received will be reviewed and considered in the development of the standard.
Goals for PCI DSS v4.0
The 12 core PCI DSS requirements are not expected to fundamentally change with PCI DSS v4.0, as these are still the critical foundation for securing payment card data. However, based on feedback received, PCI SSC is evaluating how to evolve the standard to accommodate changes in technology, risk mitigation techniques, and the threat landscape. PCI SSC is also looking at ways to introduce greater flexibility to support organizations using a broad range of controls and methods to meet security objectives.
Key high-level goals for PCI DSS v4.0 are:
- Ensure the standard continues to meet the security needs of the payments industry
- Add flexibility and support of additional methodologies to achieve security
- Promote security as a continuous process
- Enhance validation methods and procedures.
PCI DSS v4.0 is not anticipated for release prior to late 2020. Specific timing on the release is dependent upon feedback received during the development period. PCI SSC will keep stakeholders updated on timing throughout the process.