A new version of the PCI Data Security Standard (PCI DSS) has been published today by the PCI Security Standards Council (PCI SSC), the global payment security forum.
Version 4.0 of the standard, which provides a baseline of technical and operational requirements designed to enhance payment security, will replace version 3.2.1 to help combat emerging threats and technologies. The updates are also designed to enable innovative methods of addressing new threats. PCI SSC said that the changes were driven by feedback from the global payments industry over the past three years, encompassing over 6,000 items from more than 200 organizations.
Among the changes included in PCI DSS v4.0 are:
- Updated firewall terminology to network security controls to support a broader range of technologies used to meet the security objectives traditionally met by firewalls.
- Expansion of Requirement 8 to implement multi-factor authentication (MFA) for all access into the cardholder data environment.
- Increased flexibility for organizations to demonstrate how they are using different methods to achieve security objectives.
- Addition of targeted risk analyses to allow entities the flexibility to define how frequently they perform certain activities as best suited for their business needs and risk exposure.
The current version, v3.2.1, will remain active for two years, until March 31, 2024. This will give affected organizations time to understand v4.0 and implement the updates.
PCI SSC has published a number of supporting documents alongside the updated standard in the PCI SSC Document Library. These include the Summary of Changes from PCI DSS v3.2.1 to v4.0, the v4.0 Report on Compliance (ROC) Template, the ROC Attestations of Compliance (AOC) and the ROC Frequently Asked Questions. In addition, Self-Assessment Questionnaires (SAQs) will be published in the coming weeks.
Lance Johnson, executive director of PCI SSC, said: “The industry has had unprecedented visibility into, and impact on, the development of PCI DSS v4.0. Our stakeholders provided substantial, insightful, and diverse input that helped the council effectively advance the development of this version of the PCI Data Security Standard.”
Emma Sutcliffe, SVP, standards officer of PCI SSC, added: “PCI DSS v4.0 is more responsive to the dynamic nature of payments and the threat environment. Version 4.0 continues to reinforce core security principles while providing more flexibility to better enable diverse technology implementations. These updates are supported by additional guidance to help organizations secure account data now and into the future.”
Commenting on the updates, Michael Johnson, ISA, CISSP, executive director, governance, risk and control, JP Morgan Chase, stated: “Over the last two years, the PCI SSC has invited payments industry stakeholders to participate in the development of the new PCI DSS v4.0. The collaborative efforts of many – including Participating Organizations and QSAs – enabled the Standard to provide new flexibility in addressing the requirements’ mindful technology advances. PCI DSS v4.0 is the natural evolution of the council’s mission of securing the globally evolving payments ecosystem.”
In 2020, a study by Verizon found that compliance with PCI DSS has declined by 28% since 2016.