JUNE 2021 UPDATE: PCI SSC is now targeting a Q1 2022 publication date for PCI DSS v4.0. Read this blog post for more information: Updated PCI DSS v4.0 Timeline
Industry feedback, together with the changes in payments, technology, and security, is driving our approach to PCI DSS v4.0. In discussions with industry stakeholders, we have received a number of questions about PCI DSS v4.0. Below we interview Lauren Holloway, Director, Data Security Standards, who answers some key questions about what is happening with PCI DSS v4.0.
Note: All dates mentioned in this article are based on current projections and are subject to change.
Where is PCI DSS v4.0 in the development process?
Lauren Holloway: The request for comment (RFC) that took place from October-December in 2019 generated over 3,000 comments, and PCI SSC is carefully reviewing and considering every item of feedback that was received. An additional RFC is planned for September-October 2020. This RFC will include an updated draft of PCI DSS v4.0, which we are currently developing based on the feedback received during the 2019 RFC.
More information about our upcoming RFCs and our RFC process can be found on our RFC Page.
When will PCI DSS v4.0 be released?
Lauren Holloway: The final version of PCI DSS v4.0 is currently planned for completion in mid-2021.
It’s worth noting that the development timeframe for this PCI DSS update is noticeably longer than in previous revisions. This extended timeframe was designed to support an increased number of feedback opportunities for stakeholders to provide input during the update process.
Will a detailed analysis of the feedback received during the 2019 RFC be provided?
Lauren Holloway: Once we have finished reviewing the more than 3,000 RFC feedback items and making updates to the PCI DSS v4.0 draft, an RFC Feedback Summary will be provided to the 2019 RFC participants via the PCI Portal. This summary, showing how each item of feedback was addressed, will be available to those participants when the next PCI DSS RFC takes place. Additionally, we will be providing updates to the PCI Council community as decisions are made via our quarterly stakeholder webcasts and at our Community Meetings planned for later this year.
When will the Self-Assessment Questionnaires (SAQs) be updated and what will the updates include?
Lauren Holloway: Updates to supporting documents, including SAQs, Report on Compliance (ROC) Template, PCI DSS Glossary, and Prioritized Approach are part of the revision cycle whenever PCI DSS is updated. We will begin working on updates to all supporting documentation to align them with PCI DSS v4.0 later this year and will provide updates as development progresses. We are planning to have these documents completed and ready for release within a few months of the final PCI DSS v4.0 release.
Here is an overview of the current timeline for the PCI DSS v4.0 development effort, including RFCs and planned completion of PCI DSS v4.0 materials.
How much time will organizations have to implement v4.0 once it is published?
Lauren Holloway: Once PCI DSS v4.0 is released, an extended transition period will be provided for organizations to update from PCI DSS v3.2.1 to PCI DSS v4.0. To support this transition, PCI DSS v3.2.1 will remain active for 18 months once all PCI DSS v4.0 materials—that is, the standard, supporting documents (including SAQs, ROCs, and AOCs), training, and program updates—are released.
Note: The PCI DSS v4.0 standard is scheduled for completion six months prior to the release of the supporting documentation, training, and program updates that are required to support the use of PCI DSS v4.0. The PCI DSS v4.0 standard will therefore be available for 2 years prior to the retirement of PCI DSS v3.2.1.
This extended period allows organizations time to become familiar with the changes in v4.0, update their reporting templates and forms, and plan for and implement changes to meet updated requirements. Upon completion of the transition period, PCI DSS v3.2.1 will be retired and v4.0 will become the only active version.
In addition to an 18-month period when v3.2.1 and v4.0 will both be active, there will be an extra period of time defined for phasing in new requirements that are identified as “future-dated” in v4.0.
What are “future-dated” requirements and when will they come into effect?
Lauren Holloway: In PCI DSS, new requirements are sometimes designated with a future date to give organizations additional time to complete their implementations. Requirements that are future dated are considered as best practices until the future date is reached. During this time, organizations are not required to validate to future-dated requirements. While not required, organizations that have implemented controls to meet the new requirements and are ready to have the controls assessed prior to the stated future date are encouraged to do so. Once the designated future date is reached, all future-dated requirements become effective and applicable.
We anticipate that PCI DSS v4.0 will contain a number of new requirements that may be future dated; however, we won’t know how many new requirements there will be until the standard is finalized.
While the effective future date for these new requirements will not be confirmed until PCI DSS v4.0 is ready for publication, it will provide enough time for organizations to plan and implement new security controls and processes as needed to meet all the new requirements. The future date will be dependent on the overall impact that the new requirements will have on the standard. Based on the current draft, the future date is expected to extend beyond the planned transition period, with a possible future date being between 2½ – 3 years after PCI DSS v4.0 is published.
An overview of the planned transition timeline and potential timing for future-dated requirements is shown below.
Will a draft of PCI DSS v4.0 be published prior to being finalized?
Lauren Holloway: Drafts of standards are shared with PCI SSC stakeholders for review and input. The next draft of PCI DSS will be provided to QSA companies, ASV companies and Participating Organizations for review and comment during the next RFC period in September/October this year.
I’d like to participate in the next PCI DSS v4.0 RFC. How can I participate?
Lauren Holloway: Any organization can become a Participating Organization. In addition to providing feedback on draft PCI Security Standards, the benefits of becoming a Participating Organization include the ability to propose, vote for and participate in Special Interest Groups, attend annual PCI SSC Community meetings with two complimentary passes, and demonstrate to your customers and business partners your commitment to payment security. Read more about the full benefits and how to become a PO here.
What can our organization do now to prepare for PCI DSS v4.0?
Lauren Holloway: While PCI DSS v4.0 is under development, we encourage all entities to remain diligent and maintain their PCI DSS v3.2.1 security controls. Not only will this help ensure continued security, but this will facilitate transition to PCI DSS v4.0.
Organizations that have had access to early drafts are strongly urged to wait until the final version of PCI DSS v4.0 is released before trying to implement any new or updated requirements. The RFC versions are draft only, and the standard will be different in the final released version.