Payment Card Industry Data Security Standard (PCI DSS) 4.0 is on the horizon. More details are expected late 2020 with the requirements to be in use in mid-2021. There have been a few releases from the PCI Council on what to expect in the new version of the digital security standard:
Added Flexibility. as of PCI DSS 3.2.1 (and earlier) you had to meet a control as prescribed or provide a compensating control. The compensating controls had to go above and beyond the PCI DSS requirements. It is expected that PCI 4.0 will provide for customized implementations which will be not exact to the prescribed control, but ‘meet the intent’ of the control.
Authentication changes. The Council has indicated through its work with Europay it’s desire to incorporate NIST MFA and password guidance. This should allow for less password changes and complexity if also secured with a second factor such as an app or smart card.
Monitoring. More risk-based than detailed prescription. This should allow of quicker adoption of new technology in the threat detection arena. If the risk is mitigated by the technology. then it’s adoption should not be hampered.
More continuous testing. In PCI DSS 3 we saw the beginnings of this, as technologies have advanced the idea of continuous vulnerability and penetration testing as well as other testing controls have become possible, so why limit it to once a quarter or twice a year? The more promptly and regularly the testing data can be acted on the better.
Trusted networks. It has been assumed the PCI network was secure or trusted and others were untrusted. Expect to see more ‘zero trust’ ideas even in the trusted PCI zone.
PCI DSS 4.0 is looking like a welcome change.