Data security standards for global payment industry get update

The PCI Security Standards Council (PCI SSC), a global payment security forum, published version 4.0 of the PCI Data Security Standard (PCI DSS) which provides a baseline of technical and operational requirements designed to protect account data. 

PCI DSS v4.0 replaces version 3.2.1 to address emerging threats and technologies and to enable innovative methods of meeting the standard's security objectives.

To provide organisations time to understand the changes in version 4.0 and implement any updates needed, the current version of PCI DSS, v3.2.1, will remain active for two years until it is retired on March 31, 2024. 

Once assessors have completed training in PCI DSS v4.0, organisations may assess against either PCI DSS v4.0 or PCI DSS v3.2.1. The standard also provides additional time for organisations to implement many of the new requirements: these are future-dated and treated as best practice until March 31, 2025, after which they become mandatory.

Feedback from the global payments industry drove changes to the standard. Over the course of three years, more than 200 organisations provided over 6,000 items of feedback to ensure the standard continues to meet the complex, ever-changing landscape of payment security.

“PCI DSS v4.0 is more responsive to the dynamic nature of payments and the threat environment,” said Emma Sutcliffe, SVP and Standards Officer of PCI SSC. 

“Version 4.0 continues to reinforce core security principles while providing more flexibility to better enable diverse technology implementations,” added Sutcliffe. “These updates are supported by additional guidance to help organisations secure account data now and into the future.”

Updates to the standard focus on meeting the evolving security needs of the payments industry, promoting security as a continuous process, increasing flexibility for organisations using different methods to achieve security objectives, and enhancing validation methods and procedures.

The latest version replaces the term "firewall" with "network security controls" to support the broader range of technologies now used to meet the security objectives traditionally met by firewalls.

Requirement 8 is also expanded so that multi-factor authentication (MFA) is required for all access into the cardholder data environment (CDE), not only for administrative and remote access as in version 3.2.1.

In addition, there is increased flexibility for organisations to demonstrate how they are using different methods to achieve security objectives: alongside the defined approach, version 4.0 introduces a customised approach under which an entity can implement alternative controls and validate that they meet a requirement's stated objective.

Further, the update adds targeted risk analyses, which allow entities to define how frequently they perform certain activities based on their business needs and risk exposure rather than on a fixed schedule.