PCI DSS Version 4.0: Updates & Insights


Wolf & Company recently attended the 2019 North American PCI Community Meeting in Vancouver. This year’s meeting focused on the continuous changes that are occurring within the Payment Card Industry (PCI) due to evolving technologies, security methods, and industry best practices. These changes led to the inevitable evolution of the PCI Data Security Standard (PCI DSS). The PCI Security Standards Council (SSC) provided a preview on what that next version will look like with PCI DSS v4.0.

PCI DSS version 4.0 is a complete rebuild of version 3.2.1. It is the first major change to the PCI DSS since version 3.0 was finalized in 2013. The emphasis of revision 4.0 is to present requirements in a more objective, outcome-based way, with expanded overviews and guidance for each requirement. Many conditions have also been added to reflect new developments in PCI security and compliance, along with the industry's increased reliance on cloud-based technologies and service providers. Lastly, while the overall structure and the 12 core requirements are unchanged from v3.2.1, version 4.0 completely revises and reorganizes the sub-requirements and testing procedures; many sub-requirements have been rearranged and, in some cases, combined.

The most notable change in PCI DSS v4.0 is that two implementation options will now be offered: Defined Implementation and Customized Implementation. The Defined Implementation follows the current PCI DSS requirements and testing procedures: controls are handled without deviation, and testing occurs as it does today. The new method is the Customized Implementation, which focuses on the intent of each PCI DSS requirement. This gives entities much greater flexibility to demonstrate how their own security controls meet the common security objectives, and it would eliminate the need for entities to complete Compensating Control Worksheets.

Validation of the Customized Implementation also differs from the Defined Implementation. There are no pre-defined testing procedures for the Customized Implementation; instead, the entity must document the security controls it has in place and how they meet the intent of the PCI DSS requirement. The assessor must then define the testing procedures and determine what level of testing is required. Both the Defined Implementation and the Customized Implementation can be used within a single assessment.

The initial draft of PCI DSS v4.0 is scheduled for release in late October 2019, followed by a Request for Comments (RFC) period of about six weeks. An additional RFC will occur in early 2020, with the final version of v4.0 likely to be released towards the end of 2020.

To discuss PCI DSS v4.0 further, reach out to Austin P. Reis, CISA, CISM, QSA, PCIP, CCSFP, at [email protected] or (617) 261-8116.
