Introduction
PCI DSS v4.0 is the upcoming version of PCI DSS and is expected to be published in late 2021.
The main objective of this post is to inform you about v4.0, which considers evolving risks to payment data, incorporates them into the requirements, and ensures that security is treated as a continuous process. Another important objective of v4.0 is to add more flexibility to the process by allowing organizations to use different methodologies to meet PCI DSS security requirements.
At this stage, the main highlight is probably the feedback process itself: the PCI Security Standards Council (SSC) provided more opportunities for suggestions and comments by introducing additional RFCs and sharing drafts of the v4.0 standard with stakeholders for review. The idea was to give stakeholders a more active role in the development process.
Timelines
This is a brief overview of the timelines for PCI DSS v4.0:
Q4 2019 to Q2 2021 – Review and incorporate RFC Feedback
Q2 2021 to Q2 2023 – Transition period from PCI DSS v3.2.1 to v4.0
Q2 2021 to Q1 2024 – Implementation of future-dated new requirements
RFC Process
The feedback process for PCI DSS v4.0 differs from that of previous versions of PCI DSS: it introduces more opportunities for stakeholders to participate in the development of the standard.
According to the PCI SSC, the topics listed below have generated a lot of feedback.
· Protect cardholder data (CHD) with strong cryptography during transmission, and the use of self-signed/internal certificates
· Identify users and authenticate access:
-Password parameters that align with industry guidance
-Comparing new passwords against a list of bad passwords
-Secure authentication, and confirming all multi-factor authentication factors before providing any indication of success or failure
· Restrict physical access to cardholder data, with a focus on the specific location of sensitive areas within cardholder data environments
· Regularly test security systems and processes, and use authenticated scanning for vulnerability scans to obtain accurate and detailed results
· Support information security with policies and programs by:
-Developing usage policies for protecting critical technologies
-Conducting annual risk assessments
-Developing methodologies for data discovery and data leak prevention
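The three authentication items above (password parameters, a bad-password check, and confirming all MFA factors before signalling success or failure) can be illustrated with a small login routine. The following Python code is an added example written for this post, not code from the PCI SSC or from the standard; the deny list, the 12-character minimum, the PBKDF2 parameters and the demo account are constructed assumptions, and the one-time code is supplied by the caller rather than generated here.

```python
import hashlib
import hmac

# Constructed sample deny list for this example; a production deployment
# would load a large breached-password corpus instead of hard-coding one.
BAD_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome1"}

# Assumed policy parameters; the post names no specific values.
MIN_PASSWORD_LENGTH = 12
PBKDF2_ITERATIONS = 100_000


def password_acceptable(candidate: str) -> bool:
    """Return True only if a new password meets the length rule and is not
    on the deny list (compared case-insensitively)."""
    if len(candidate) < MIN_PASSWORD_LENGTH:
        return False
    return candidate.lower() not in BAD_PASSWORDS


def make_password_record(password: str, salt: bytes) -> bytes:
    """Derive the stored verifier for a password with PBKDF2-HMAC-SHA256."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


def verify_password(stored: bytes, salt: bytes, candidate: str) -> bool:
    """Constant-time comparison of the derived verifier against the stored one."""
    return hmac.compare_digest(make_password_record(candidate, salt), stored)


def verify_second_factor(expected_code: str, submitted_code: str) -> bool:
    """Compare a one-time code in constant time. Generating the expected code
    (for example via TOTP) is outside this example; the caller supplies it."""
    return hmac.compare_digest(expected_code.encode(), submitted_code.encode())


def authenticate(stored: bytes, salt: bytes, expected_code: str,
                 submitted_password: str, submitted_code: str) -> str:
    """Evaluate every factor first, then return one generic outcome.

    Both checks always run (no early return after a failed password), and the
    failure message is the same whichever factor was wrong, so the response
    gives no indication of which factor failed.
    """
    results = [
        verify_password(stored, salt, submitted_password),
        verify_second_factor(expected_code, submitted_code),
    ]
    return "success" if all(results) else "authentication failed"


def demo_login(submitted_password: str, submitted_code: str) -> str:
    """Constructed demo account: fixed salt, password and expected code."""
    salt = b"constructed-example-salt"  # constructed; use os.urandom in practice
    record = make_password_record("correct-horse-battery-staple", salt)
    return authenticate(record, salt, "482910", submitted_password, submitted_code)


if __name__ == "__main__":
    print(password_acceptable("letmein"))                                  # False: on deny list
    print(password_acceptable("correct-horse-battery-staple"))             # True
    print(demo_login("correct-horse-battery-staple", "482910"))            # success
    print(demo_login("wrong-password-here", "482910"))                     # authentication failed
    print(demo_login("correct-horse-battery-staple", "000000"))            # authentication failed
```

The design point is in `authenticate`: both factor checks are collected before any decision is made, and the two failure cases return byte-identical text, which is what "confirming all multi-factor authentication factors before providing any indication of success or failure" asks for.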
Goals for PCI DSS v4.0
· The standard acts as a foundation to meet the security needs of the payments industry
· Add flexibility and support for additional methodologies to achieve security
· Promote security as a continuous process
· Enhance validation methods and procedures
The 12 fundamental requirements are not expected to change in PCI DSS v4.0, as they are considered the core component of the standard.
For PCI DSS v4.0, bringing some requirements from DESV Appendix A3 into the regular PCI DSS requirements is being considered during the review. This would help achieve comprehensive testing of critical controls such as the effectiveness of the methods used for data discovery, incident response procedures, establishing responsibility for the protection of cardholder data, and a PCI DSS compliance program.
The PCI DSS v4.0 draft includes the use of a customized approach which will provide more flexibility to the organizations to meet the objective of PCI DSS requirements using different methodologies.
PCI DSS has always been technology-neutral, and the PCI DSS v4.0 standard is intended to apply to all kinds of environments and technologies. Appendix A1 is being reviewed to provide clarity for cloud service providers. Some requirements in PCI DSS v4.0 are designated as “future-dated” requirements: organizations can prepare during the interim period, and once the stated future date is reached, all future-dated requirements become applicable.
Organizations are strongly encouraged to maintain their PCI DSS v3.2.1 security controls, which will enable a smoother transition. There will be close to 2 years for the transition to v4.0. One point the SSC has repeatedly emphasized is that the RFC versions are draft versions, and organizations should wait until PCI DSS v4.0 is released before implementing the updated requirements.
For more information, please refer to the PCI SSC Website https://www.pcisecuritystandards.org/