PCI SSC has begun efforts on PCI Data Security Standard version 4.0 (PCI DSS v4.0). Here we provide more insight into the development process and how PCI SSC is looking at changing the standard to support businesses around the world in their efforts to safeguard payment card data before, during and after a purchase is made.
Industry Feedback will Shape PCI DSS v4.0
Industry feedback is shaping the next major release of PCI DSS.
PCI DSS v4.0 will incorporate input received from global PCI SSC stakeholders during the 2017 request for comments (RFC) period. Some of the specific areas that stakeholders asked PCI SSC to review include:
Authentication, specifically consideration for the NIST MFA/password guidance
Broader applicability for encrypting cardholder data on trusted networks
Monitoring requirements to consider technology advancement
Greater frequency of testing of critical controls; for example, incorporating some requirements from the Designated Entities Supplemental Validation (PCI DSS Appendix A3) into regular PCI DSS requirements.
PCI SSC will also conduct additional RFC periods with PCI SSC stakeholders prior to publication of PCI DSS v4.0. Information about the RFCs will be posted on the PCI SSC website, and PCI SSC stakeholders will receive communications with additional information on how to participate.
As part of the RFC process, all feedback received will be reviewed and considered in the development of the standard.
Goals for PCI DSS v4.0
The 12 core PCI DSS requirements are not expected to fundamentally change with PCI DSS v4.0, as these are still the critical foundation for securing payment card data. However, based on feedback received, PCI SSC is evaluating how to evolve the standard to accommodate changes in technology, risk mitigation techniques, and the threat landscape. PCI SSC is also looking at ways to introduce greater flexibility to support organizations using a broad range of controls and methods to meet security objectives.
Key high-level goals for PCI DSS v4.0 are:
Ensure the standard continues to meet the security needs of the payments industry
Add flexibility and support of additional methodologies to achieve security
Promote security as a continuous process
Enhance validation methods and procedures.
PCI DSS v4.0 is not anticipated for release prior to late 2020. Specific timing on the release is dependent upon feedback received during the development period. PCI SSC will keep stakeholders updated on timing throughout the process.