
PCI DSS 4.0 Is Coming… What Should Businesses Expect?


After several delays and timeline shifts to accommodate vendor and auditor feedback, the Payment Card Industry Security Standards Council will release the newest version of the framework, PCI DSS 4.0. This standard, expected to launch at the end of March 2022, will fundamentally alter some key components of the framework to help support payment acceptance for modern devices and consumers. 

Here is what we are expecting to come down the pipeline once PCI 4.0 hits the market. 

 

What Is the History of PCI DSS 4.0?

For several years now, PCI DSS compliance has been derived from version 3.2.1 (colloquially known as “three-two-one”). This long-standing standard, launched in May 2018, was a series of smaller clarifications to the previous 3.2 version, the end result of a long evolution in security and privacy requirements in the payment card industry. 

The journey of the PCI framework started in 2004 and followed a version path as follows:

Version 1

This first version, published in 2004, provided basic but comprehensive security that met the needs of contemporary threats. Physical and online retailers were expected to comply with these regulations, covering encryption, data security and privacy. Over time, additional measures were added to this version, including revisions and the requirement to add firewalls to systems (Version 1.1) and updated security requirements for evolving online shopping and banking (Version 1.2). 

Version 2

This version, released in 2010, took feedback gathered from a group of Qualified Security Assessors (QSA) to update the requirements. Updates in this version included the provision to restrict data access to a “need-to-know” basis, as well as more advanced data encryption and security controls to manage encryption keys for payment processing technologies. 

Version 3

Released in 2013, this standard included new updates on how to secure mobile devices and cloud computing platforms, both emerging technologies in the payment and eCommerce industries. This version also introduced the requirement for annual penetration testing. 

Version 3.2 saw a major update to the PCI standard. Released in 2016, the framework introduced requirements for multifactor authentication (MFA), updates to Transport Layer Security (TLS) requirements and added layers of security and reporting around data privacy and security. 

 

What’s Going On with PCI DSS 4.0?


This major standard update is expected to launch in Q1 of 2022, and it seems like the PCI SSC is on schedule to hit this date. 

Here’s what we know about version 4.0 right now:

As we have seen, the Security Standards Council provides organizations with plenty of time to make their transition to the newest standard. This buffer is warranted because version 4.0 is set to overhaul much of the standard to help meet modern security threats in the eCommerce and retail industries. 

Because the standard is still under review, the parties assessing the newest version are under NDAs and are thus unable to discuss the changes. However, there are several major shifts that many organizations in the industry are expecting. 

Some of these changes include the following:

However, these changes are theoretical, and we won’t know the full extent of PCI DSS 4.0 until the full standard is released to the public. As stated on the PCI DSS website, this release is slated for a March 2022 publication. Once that document is posted, we will continue to cover the changes, how they impact PCI DSS assessments and how we can support organizations making the transition. 

 

PCI DSS Compliance with Lazarus Alliance

Regardless of whether you are looking to meet the newest 4.0 requirements or maintain 3.2.1 compliance while adjusting to the new PCI DSS landscape, Lazarus Alliance is here to help. We are a security firm with experience in the payment processing and financial services industry, and we can help you navigate changing PCI DSS standards as they emerge. 

 

Are You Preparing for PCI DSS 4.0?

Call Lazarus Alliance at 1-888-896-7580 or fill in this form. 
