PCI DSS 4.0 Is Coming… What Should Businesses Expect?


After several delays and timeline shifts to accommodate vendor and auditor feedback, the Payment Card Industry Security Standards Council will release the newest version of the framework, PCI DSS 4.0. This standard, expected to launch at the end of March 2022, will fundamentally alter some key components of the framework to help support payment acceptance for modern devices and consumers. 

Here is what we are expecting to come down the pipeline once PCI 4.0 hits the market. 


What Is the History of PCI DSS 4.0?

For several years now, PCI DSS compliance has been derived from version 3.2.1 (colloquially known as “three-two-one”). This long-standing standard, launched in May 2018, was a series of smaller clarifications to the previous 3.2 version, the end result of a long evolution in security and privacy requirements in the payment card industry. 

The journey of the PCI framework started in 2004 and followed a version path as follows:

Version 1

This first version, published in 2004, provided basic but comprehensive security requirements that addressed the threats of the time. Physical and online retailers were expected to comply with these regulations, which covered encryption, data security and privacy. Over time, additional measures were added to this version, including revisions and the requirement to add firewalls to systems (Version 1.1) and updated security requirements for evolving online shopping and banking (Version 1.2). 

Version 2

This version, released in 2010, took feedback gathered from a group of Qualified Security Assessors (QSA) to update the requirements. Updates in this version included the provision to restrict data access to a “need-to-know” basis, including more advanced data encryption and implementing security controls to manage encryption keys for payment processing technologies. 

Version 3

Released in 2013, this standard included new requirements on how to secure mobile devices and cloud computing platforms, both emerging technologies in the payment and eCommerce industries. This version also introduced the requirement for annual penetration testing. 

Version 3.2 saw a major update to the PCI standard. Released in 2016, the framework introduced requirements for multifactor authentication (MFA), updates to Transport Layer Security (TLS) requirements and added layers of security and reporting around data privacy and security. 


What’s Going On with PCI DSS 4.0?

PCI DSS 4.0

This major standard update is expected to launch in Q1 of 2022, and it seems like the PCI SSC is on schedule to hit this date. 

Here’s what we know about version 4.0 right now:

  • Transition: Once version 4.0 is officially released, version 3.2.1 will remain in effect for roughly two years to facilitate retailer and IT manufacturer transition periods. Once version 3.2.1 is retired (expected date: March 31, 2024), then all entities will be expected to follow the newest standard for compliance. 
  • Assessments: Even though documentation will hit the public by March 2022, training for assessors will not be widely available until June 2022. At this point, Qualified Assessors can start providing compliance assessments against the newest version. 
  • Continued Compliance: Both versions (4.0 and 3.2.1) will be active for a brief period. According to the PCI SSC, businesses will be able to choose which standard they will seek compliance for. This will allow these organizations to comply with the standing framework (version 3.2.1) while preparing for version 4.0. 

As we have seen, the Security Standards Council provides organizations with plenty of time to make their transition to the newest standard. This buffer is warranted because version 4.0 is set to overhaul much of the standard to help meet modern security threats in the eCommerce and retail industries. 

Because the standard is still under review, the parties assessing the newest version are under NDAs and are thus unable to discuss the changes. However, there are several major shifts that many organizations in the industry are expecting. 

Some of these changes include the following:

  • Adjustments to the 12 Security Requirements: At the heart of the PCI DSS standard are the 12 security requirements. These define the steps companies must take to protect cardholder data, including installing anti-malware and firewall technology and implementing encryption modules. An expected approach to these requirements under 4.0 is to provide customized implementation options. Businesses can opt to use prescribed instructions from PCI DSS standards or create customized implementations based on the intent of the requirement in their specific business (with proper justification, of course). 
  • Increased Security Requirements: With the changing landscape of payment information security, the newest PCI standard is expected to increase the complexity and strength of most technical requirements, including encryption, system security and on-premises privacy practices. 
  • Improved Authentication: While version 3.0 brought in requirements for MFA, version 4.0 is expected to expand identity and access control to meet standards for technologies like Single Sign-On (SSO), mobile device authentication and implementation of the 3DS Core Security Standard. 
  • Emphasis on Risk: Modern, comprehensive security approaches are almost uniformly turning to maturity and risk-based models. These approaches require organizations to step away from checklist implementations and take a more robust approach to their entire IT infrastructure. PCI DSS is no different, and version 4.0 is expected to leverage the PCI Software Security Framework to help businesses focus on risk management and rapid security deployment. 

However, these changes are theoretical, and we won’t know the full extent of PCI DSS 4.0 until the full standard is released to the public. As stated on the PCI DSS website, this release is slated for a March 2022 publication. Once that document is posted, we will continue to cover the changes, how they impact PCI DSS assessments and how we can support organizations making the transition. 


PCI DSS Compliance with Lazarus Alliance

Regardless of whether you are looking to meet the newest 4.0 requirements or maintain 3.2.1 compliance while adjusting to the new PCI DSS landscape, Lazarus Alliance is here to help. We are a security firm with extensive experience in the payment processing and financial services industry, and we can help you navigate changing PCI DSS standards as they emerge. 


Are You Preparing for PCI DSS 4.0?

Call Lazarus Alliance at 1-888-896-7580 or fill in this form. 

Download our company brochure.
