PCI DSS 4.0 Is Coming… What Should Businesses Expect?

PCI DSS 4.0 featured

After several delays and timeline shifts to accommodate vendor and auditor feedback, the Payment Card Industry Security Standards Council will release the newest version of the framework, PCI DSS 4.0. This standard, expected to launch at the end of March 2022, will fundamentally alter some key components of the framework to help support payment acceptance for modern devices and consumers. 

Here is what we are expecting to come down the pipeline once PCI 4.0 hits the market. 


What Is the History of PCI DSS 4.0?

For several years now, PCI DSS compliance has been derived from version 3.2.1 (colloquially known as “three-two-one”). This long-standing standard, launched in May 2018, was a series of smaller clarifications to the previous 3.2 version, the end result of a long evolution in security and privacy requirements in the payment card industry. 

The journey of the PCI framework started in 2004 and followed a version path as follows:

Version 1

This first version, published in 2004, provided basic but comprehensive security that met the needs of contemporary threats. Physical and online retailers were expected to comply with these regulations, covering encryption, data security and privacy. Over time, additional measures were added to this version, including revisions and the requirement to add firewalls to systems (Version 1.1) and updated security requirements for evolving online shopping and banking (Version 1.2). 

Version 2

This version, released in 2010, took feedback gathered from a group of Qualified Security Assessors (QSA) to update the requirements. Updates in this version included the provision to restrict data access to a “need-to-know” basis, including more advanced data encryption and implementing security controls to manage encryption keys for payment processing technologies. 

Version 3

Released in 2013, this standard included new updates on how to secure mobile devices and cloud computing platforms, both emerging technologies in the payment and eCommerce industries. This version also introduces the requirement for annual penetration testing. 

Version 3.2 saw a major update to the PCI standard. Released in 2016, the framework introduced requirements for multifactor authentication (MFA), updates to Transport Layer Security (TLS) requirements and added layers of security and reporting around data privacy and security. 


What’s Going On with PCI DSS 4.0?


This major standard update is expected to launch in Q1 of 2022, and it seems like the PCI SSC is on schedule to hit this date. 

Here’s what we know about version 4.0 right now:

  • Transition: Once version 4.0 is officially released, version 3.2.1 will remain in effect for roughly two years to facilitate retailer and IT manufacturer transition periods. Once version 3.2.1 is retired (expected date: March 31, 2024), then all entities will be expected to follow the newest standard for compliance. 
  • Assessments: Even though documentation will hit the public by March 2022, training for assessors will not be widely available until June 2022. At this point, Qualified Assessors can start providing compliance assessments against the newest version. 
  • Continued Compliance: Both versions (4.0 and 3.2.1) will be active for a brief period. According to the PCI SSC, businesses will be able to choose which standard they will seek compliance for. This will allow these organizations to comply with the standing framework (version 3.2.1) while preparing for version 4.0. 

As we have seen, the Security Standards Council provides organizations with plenty of time to make their transition to the newest standard. This buffer is warranted because version 4.0 is set to overhaul much of the standard to help meet modern security threats in the eCommerce and retail industries. 

Because the standard is still under review, the parties assessing the newest version are under NDAs and are thus unable to discuss the changes. However, there are several major shifts that many organizations in the industry are expecting. 

Some of these changes include the following:

  • Adjustments to the 12 Security Requirements: At the heart of the PCI DSS standard are the 12 security requirements. These define the steps companies must take to protect cardholder data, including installing anti-malware and firewall technology and implementing encryption modules. An expected approach to these requirements under 4.0 is to provide customized implementation options. Businesses can opt to use prescribed instructions from PCI DSS standards or create customized implementations based on the intent of the requirement in their specific business (with proper justification, of course). 
  • Increased Security Requirements: With the changing landscape of payment information security, the newest PCI standard is expected to increase the complexity and strength of most technical requirements, including encryption, system security and on-premises privacy practices. 
  • Improved Authentication: While version 3.0 brought in requirements for MFA, version 4.0 is expected to expand identity and access control to meet standards for technologies like Single Sign-On (SSO), mobile device authentication and implementation of the 3DS Core Security Standard. 
  • Emphasis on Risk: Modern, comprehensive security approaches are almost uniformly turning to maturity and risk-based models. These approaches require organizations to step away from checklist implementations and take a more robust approach to their entire IT infrastructure. PCI DSS is no different, and version 4.0 is expected to leverage the PCI Software Security Framework to help businesses focus on risk management and rapid security deployment. 

However, these changes are theoretical, and we won’t know the full extent of PCI DSS 4.0 until the full standard is released to the public. As stated on the PCI DSS website, this release is slated for a March 2022 publication. Once that document is posted, we will continue to cover the changes, how they impact PCI DSS assessments and how we can support organizations making the transition. 


PCI DSS Compliance with Lazarus Alliance

Regardless of whether you are looking to meet the newest 4.0 requirements or maintain 3.2.1 compliance while adjusting to the new PCI DSS landscape, Lazarus Alliance is here to help. We are an experienced security firm with experience in the payment processing and financial services industry, and we can help you navigate changing PCI DSS standards as they emerge. 


Are You Preparing for PCI DSS 4.0?

Call Lazarus Alliance at 1-888-896-7580 or fill in this form. 

Lazarus Alliance