Key objectives of the PCI DSS 4.0 update:
- Continue to provide the critical foundation for securing payment data
- Promote security as an ongoing process
- Improve flexibility for organizations using a wide range of technologies
- Enhance validation methods and procedures
PCI 4.0 vs 3.2
Since version 3.2 of the PCI DSS was introduced, the technology used by organizations to accept and process card payments has evolved rapidly. Cybercriminals have also made advancements in their capabilities with new threats emerging to exploit weaknesses within payment systems and processes. PCI DSS 4.0 will help organizations ensure data security controls remain effective in a shifting landscape.
Contactless payments, including those processed by merchants using commercial off the shelf (COTS) mobile phones and tablets, is a key recent advancement that is creating new security risks. Rising cloud adoption, new software development practices, and an increasing dependency on third parties in the payment process are also trends that the PCI DSS has to adapt to in order to avoid becoming outdated.
Critical Updates to PCI DSS
- Scoping – Increased testing and documentation will be required for confirmation of the accuracy and completeness of scope of the cardholder data environment (CDE) and periodic scope validation processes.
- CHD Protection – Card encryption requirements will be expanded to include all transmissions of CHD instead of only those across public networks.
- Security Awareness Training – Requirements for training of end users will be enhanced to include more information regarding current threats, phishing, and social engineering.
- Risk Assessment – The Council recognizes that the current PCI DSS requirement that a risk assessment be conducted is not always resulting in useful risk analysis and risk management outcomes. This requirement will be modified to ensure that the risk assessment is not being treated as a “checkbox exercise” by organizations.
- Authentication – The new version of the DSS will provide more flexibility for the use of authentication techniques and solutions within the CDE to align them with industry best practices. There may also be some additional changes related to multi-factor authentication (MFA) requirements to expand the usage to all accounts that have access to CHD.
- Cloud Environments – Version 4.0 will evolve all requirements to be more accommodating for the use of technologies such as cloud hosting services.
- Sampling – Additional direction for assessors on sampling guidance will be included to verify that controls are in place consistently across the entire population.
PCI 4.0 Timing
PCI DSS 4.0 is not expected to be ready until mid-2021. In the meantime, the PCI Council has published updates to several existing standards. These include guidance around Point-to-Point Encryption and PIN Transaction Security Point-of-Interaction (PTS POI) standards and a new Annex for the Software-based PIN-entry on COTS (SPOC) standard.