The new 4.0 release of the Payment Card Industry Data Security Standard (PCI DSS) will include several major updates. While there is a lot of speculation about how it will change from the current version 3.2.1, a few rumors have leaked to the general PCI professional community. Below are some areas that are expected to change.
- Flexibility – 4.0 replaces compensating controls with customized implementation. With PCI DSS 4.0, organizations will be able to choose to perform the control as prescribed or opt for customized implementation. Using the Customized Approach as a compliance validation mode will present new benefits and considerations. Customized implementation considers the intent of the objective and allows entities to design their own security controls to meet it.
- Cloud and Serverless Computing – The basic controls of version 3.2.1 were not written for modern IT environments built on cloud computing and the security models that come with them. Version 4.0 will introduce an updated set of requirements and approaches for securing cloud and serverless workloads.
- A Deeper Focus on Multi-Factor Authentication – MFA and password guidance move to the forefront in this new version. The PCI Security Standards Council (PCI SSC) places more focus on applying stronger authentication standards to log-ins that access payment and control processes.
- Control Requirements – 4.0 is expected to offer new control techniques, such as encrypting cardholder data over any transmission, including transmissions within trusted networks. PCI DSS 4.0 specifically addresses this issue, with best practices and insight on how to fully protect network transmissions.
- Technology Advancement – Using a risk-based approach rather than a prescriptive approach should allow for pluggable options. The adoption of these solutions allows organizations to comply with the standard while deploying processes faster, without having the technology located in a specific control area.
- Critical Control Testing Frequency – It’s been rumored that the DESV (Designated Entities Supplemental Validation) requirements, which were previously mandatory only for companies that had been compromised, may become a mandated requirement for all companies to achieve compliance. This is a higher level of critical control testing, which includes a significant increase in the amount of testing required.
As we anxiously await the release of 4.0, remember that the PCI Council will likely not require you to comply with the new standard until 2023.
Want to learn more about PCI Compliance?
Schedule a call with one of our compliance subject matter experts today.
Marcela Denniston is a Cybersecurity Expert who has been building military-grade security operations teams since 2002. Today, she is the SVP of Marketing for Foresite Cybersecurity, where she uses her subject matter expertise to drive meaningful content and messaging that speaks to true cyber practitioners.