To meet the evolving and complex needs of payment security, the PCI Security Council, a global payment security forum, announced on March 31 that it has published version 4.0 of the PCI Data Security Standard (PCI DSS). PCI DSS provides a baseline of technical and operational requirements designed to protect account data. The previous iteration was v3.2.1.
v3.2.1 vs. v4.0
The 4.0 version replaces the current 3.2.1 version and “addresses emerging threats and technologies and enables innovative methods to combat new threats,” according to the council’s statement.
Since version 3.2.1 of the PCI DSS was introduced, the technology used by organizations to accept and process card payments has evolved rapidly. Cybercriminals have also made advancements in their capabilities with new threats emerging to exploit weaknesses within payment systems and processes. PCI DSS 4.0 will help organizations ensure data security controls remain effective in a shifting landscape.
Contactless payments, including those processed by merchants using commercial off-the-shelf (COTS) mobile phones and tablets, are creating new security risks. Rising cloud adoption, new software development practices, and an increasing dependency on third parties in the payment process are also trends that the PCI DSS has had to adapt to in order to avoid becoming outdated.
Goals of the PCI DSS 4.0 Update
The council cited several reasons for the update, including:
- Meeting the evolving security needs of the payment industry
- Promoting security as a continuous process
- Updating firewall terminology to support a broader range of technologies
- Implementing multi-factor authentication for all cardholder access
- Increasing flexibility for organizations using a wide range of technologies
- Enhancing validation methods and procedures
How Do You Become PCI DSS Compliant?
The current version of PCI DSS, v3.2.1, remains valid and will stay active until it is retired on March 31, 2024.
Pending release of the training materials and exam, the Qualified Security Assessors (QSAs) at 360 Advanced are preparing to become certified to assess clients against v4.0. The training materials and exam that each QSA must pass will not be available until June or July of this year. 360 Advanced's QSAs will take the training and sit the exam to be certified on v4.0 as soon as it becomes possible.
Clients may wonder when they must meet the new requirements introduced by v4.0. The PCI Council has planned these changes to give assessors ample time to become certified and familiar with the new requirements, while also allowing time for clients to adopt them.
In the meantime, clients can still be assessed against v3.2.1 to maintain their v3.2.1 compliance while working to implement the new v4.0 compliance requirements.
At 360 Advanced, we are ready to work with you to develop a plan to become v4.0 compliant. We look forward to scheduling your assessments accordingly.