All businesses that process payments via credit card face a certain amount of risk with every transaction. On one level, fraudulent payments are always a concern. But on another, cardholder information is extremely valuable, and cybercriminals who target it can impact your clients and business. To keep your customers safe and avoid the potential consequences of noncompliance, it’s important to know what the PCI DSS 4.0 draft is.
Below, we’ll break down what it is and why it matters.
What is the PCI DSS 4.0 Standard Draft?
In order to protect businesses that process credit card payments, The Security Standards Council (SSC) of the Payment Card Industry (PCI) has developed a set of security requirements and best practices known as the Data Security Standard (DSS). Since version 1.0 in 2004, the DSS’s various updates have governed cybersecurity for all cardholder data.
The DSS’s core has remained basically the same over its 15+ years of life. However, there have been periodic changes made to update its requirements as technology has matured—both for companies processing card payments and for cybercriminals looking to victimize them.
The PCI DSS v4.0 draft standard is the current state of its newest edition, which is still a work in progress. It’s referred to as a “draft” because PCI SSC is fielding a lengthy request for comments (RFC) process that allows stakeholders to help shape the upcoming DSS.
Why Does the PCI DSS 4.0 Draft Standard Matter?
The new draft of PCI DSS matters because credit card security affects everyone. Compliance with PCI standards ensures safety for your company, clients, and all stakeholders who a data breach could impact. That’s why you need to remain up-to-date on what PCI requires.
And, as the draft draws closer to its final form, necessary changes are just around the corner.
According to PCI’s anticipated timeline for PCI DSS v4.0, the final version of v4.0 should be completed by the second quarter of 2021. Then, a lengthy transition process will begin, during which PCI will work to create various supporting documents to help companies update their practices. PCI DSS v3.2.1 is expected to be retired in quarter 2 of 2023.
The new v4.0 requirements should go into effect beginning in the first quarter of 2024. If you’re not already thinking about what these changes will mean for you, you need to start immediately.
PCI DSS 4.0 Draft: All You Need to Know
While it’s impossible to be sure until v4.0 is complete, all signs indicate that PCI DSS v4.0 will not entail significant changes to the underlying core of DSS. The PCI SSC itself has indicated as much in its guide outlining what to look out for as v4.0 approaches.
The four main goals the PCI SSC outlines for v4.0 are:
- Continuing to meet security needs of the industry
- Adding flexibility in ways to meet requirements
- Promoting security as an ongoing process
- Enhancing validation techniques
These goals reflect some of the most common requests made by industry stakeholders who have participated in the ongoing RFC since 2017. Among the most frequently requested updates are nuances of authentication (multi-factor options) and the frequency of testing.
Overall, the requirements you’ll need to follow will be very similar to what they have been in v3.2.1, which has been in effect since 2018—in many cases, they’ll be the same.
Requirements and Controls for PCI DSS 4.0
Twelve core requirements make up the PCI DSS. As noted above, these are most likely not changing in essence as we move from v3.2.1 to v4.0, so understanding what they are in v3.2.1 is key to understanding what they will likely be in v4.0.
The 12 core requirements fall into six main categories:
- Secure network systems:
  - Requirement 1: Install and maintain firewall configurations
  - Requirement 2: Change all vendor-supplied defaults
- Protecting cardholders’ data:
  - Requirement 3: Protect cardholder data in storage
  - Requirement 4: Encrypt cardholder data for transmission
- Vulnerability management:
  - Requirement 5: Keep antimalware software up to date
  - Requirement 6: Ensure security across all systems and applications
- Access control measures:
  - Requirement 7: Limit access to data based on business need
  - Requirement 8: Require identity authentication for access
  - Requirement 9: Limit physical access to protected data
- Monitoring and testing:
  - Requirement 10: Monitor all access to cardholder data
  - Requirement 11: Test and analyze security systems
- Information security policy:
  - Requirement 12: Maintain a security policy addressing all personnel
Each of these requirements also entails a variety of specifications that detail the controls and practices needed to comply with the requirement. These sub-requirements are where any change coming to v4.0 is likely to happen—that’s how it’s been in past changes.
Changes from Prior Versions of PCI DSS
Although major changes to the core requirements are not anticipated, this does not mean that no changes to the requirements will occur. The best way to guess at what kinds of changes are in store is to look to change summaries published by PCI as supporting documents to the DSS.
PCI recognizes three kinds of changes in its documentation of revisions:
- Clarification
- Additional guidance
- Evolving requirements
Of these three, the last is the most significant; evolving requirements modify what compliance entails by changing or adding to the specific implementation of a given requirement. For example, three such evolutions from across the years include:
- Between v1.2.1 and v2.0 – In 2010, requirement 6.2 evolved to require ranking vulnerabilities according to a predetermined set of criteria.
- Between v2.0 and v3.0 – In 2013, a new sub-requirement (2.4) was introduced to require inventorying system components and configuration standards.
- Between v3.1 and v3.2 – In 2016, another new sub-requirement (11.3.4.1) specified that penetration testing on segmentation controls must occur every 6 months.
Whether v4.0 will entail any such evolutions of existing requirements, or the addition of more sub-requirements, remains to be seen. Compliance with v4.0 may be similar to what it has been with v3.2.1, or you may need to take action to prepare.
How to Achieve and Maintain PCI DSS Compliance
The best way to prepare your company for any and all changes you may need to make when v4.0 comes into effect is bringing in professional help. To that end, RSI Security offers a robust suite of PCI DSS 4.0 preparation services, including but not limited to:
- Onsite security assessment and patch management
- Vulnerability scanning and penetration testing
- Employee education and training
Not only will we help you get ready for compliance; we’re also happy to assess and certify you once you are. Check out our PCI DSS v4.0 data sheet, and get in touch to start preparing!
RSI Security: Professional Compliance and Cybersecurity
The team of experts here at RSI Security has over a decade of experience providing cybersecurity solutions to companies of all kinds and sizes, across every industry.
We can assist you in compliance with not only PCI DSS, but any other regulatory frameworks you’re obligated to follow. And that’s not all: we know that compliance is just the start of security. We’re also happy to help with any and all other cyberdefense needs you have.
For help understanding what the PCI DSS 4.0 draft means for you, contact RSI Security today!