Changes Coming in PCI DSS v4.0: What Does it Mean for You?

May 19, 2021

As our threat landscape continues to evolve and expand—and the number of data breaches with successful record exposures increases—cybersecurity, risk management, privacy, and compliance professionals are looking at existing standards, mandates, regulations, and frameworks to find opportunities to close gaps that leave organizations exposed to potential attacks. 

By the end of this year, we’re likely to see some of these changes come to fruition when an updated version of Payment Card Industry Data Security Standards (PCI DSS)—Version 4.0—becomes public.

First, What is PCI DSS?

PCI DSS stands for Payment Card Industry Data Security Standards. These standards encompass technical and operational requirements, which the PCI Security Standards Council (PCI SSC) oversees. The council designed the standards to protect cardholder data, and all organizations that accept, store, process, or transmit credit card and other payment information must comply.

The PCI DSS framework helps organizations protect sensitive cardholder data and outlines how to prevent potential breaches and how to detect active breaches (or attempts) within your systems, including what to do if you have a breach.

In addition to merchant requirements, PCI SSC also outlines other requirements that directly affect software and app developers such as the Payment Application Data Security Standard (PA-DSS). There are also PIN Transaction Security (PTS) requirements for organizations that create devices used for credit card transactions.

PCI DSS consists of 12 individual core requirements and 251 sub-controls.

Why Are Changes Coming?

If your organization processes, stores, or transmits credit cardholder data, you must be compliant with PCI DSS standards.

The existing PCI DSS controls are almost a decade old, with only a few updates made since PCI DSS v 3.0 came out back in 2013. Since then, the threat landscape (think more assets, more asset types, and related increasing vulnerabilities) has continuously evolved, with new and emerging threats coming to light daily.

As new payment card technologies emerge and are adopted, and the risk of potential breaches increases along with them, new and revised controls are needed to safeguard credit card data. In addition, organizations are often requesting more clarification and guidance on industry standards, like PCI DSS.

According to Verizon’s 2020 Payment Security Report, in 2019 only 27.9% of organizations assessed for PCI DSS compliance reached 100% compliance, down from a high of 55.4% at full compliance in 2016, and nearly 10 points down from 2018. It will be interesting to see similar statistics for 2020, during which the coronavirus pandemic added additional challenges for organizations across all industries around the globe.

Compliance numbers are also complicated by the growing impact of the lack of skilled information security professionals around the world, making it ever more difficult for organizations to protect and secure PCI and other sensitive data.

What to Expect in PCI DSS v4.0

Back in early 2019 when PCI SSC announced v4.0 was in the works, it established four key goals for the upcoming edition:

  • Ensure standards meet security needs for the payments industry
  • Add flexibility and support additional methodologies for security
  • Promote security as a continuous process
  • Enhance validation methods and related procedures

The council said anticipated changes are expected to reflect a need for payment industry organizations to protect data in a rapidly changing ecosystem and to also give organizations more flexibility to use a broader range of methods and technologies to meet their PCI DSS objectives.

During a presentation at the 2019 PCI Community Meeting in October 2019, Troy Leach, PCI SSC Engagement Officer for Market Intelligence and Stakeholder Engagement, said v4.0 will expand to include new security risks, including the addition of intention statements to help organizations understand how they should validate security relevant to today’s changing payment landscape.

PCI SSC is taking a new approach to the evolution of v4.0. In the past, PCI DSS updates were generally only open for one comment period, but for this version, there will be two RFCs involving full drafts of the standards and information about the proposed changes.

As part of the review process, in October 2019 PCI SSC issued a Request for Comments (RFC) seeking industry feedback to guide the final version. There will likely be another RFC in the middle of 2021.

In addition to comments from the two RFC periods, the council also indicated it would incorporate feedback it previously received from its 2017 RFC period on PCI DSS v3.2 that asked PCI SSC to look at:

  • Authentication, specifically for the NIST MFA/password guidance
  • Broader applicability to encrypt cardholder data on trusted networks
  • Monitoring requirements for technology advancement
  • Greater frequency of testing of critical controls (incorporating requirements from the Designated Entities Supplemental Validation (PCI DSS Appendix A3) into regular PCI DSS requirements)

During the 2019 RFC period, the council received more than 3,000 comments and set to work reviewing that feedback. In February 2021, the council said the v4.0 release date was still to be determined, but that it would update the status in the coming months, citing the RFC planned for June 2021 with publication sometime after that.

While these and other changes are taken into consideration, PCI SSC said it does not anticipate any fundamental changes with the current 12 core PCI DSS requirements:

  1. Firewall Configurations: Install and maintain a firewall configuration to protect all cardholder data.
  2. System Defaults Management: Ensure vendor-supplied defaults are changed and unnecessary default accounts are disabled before installing systems on your network.
  3. Stored Cardholder Data Protection: Use industry-accepted algorithms to encrypt stored cardholder data and limit data retention time.
  4. Encrypt Cardholder Data: Incorporate encrypted transmissions for sending cardholders’ primary account numbers (PAN) over public and open networks.
  5. Anti-virus Software: Use and regularly update anti-virus software or programs, including use on all systems vulnerable to malware, breaches, compromise, or attacks. Make sure your point-of-sale (POS) and other third-party vendors also use updated anti-virus software.
  6. Secure Systems and Applications: Keep your systems and applications up to date with the latest patches and security fixes so hackers cannot penetrate security vulnerabilities.
  7. Restrict Access to Cardholder Data: Maintain a need-to-know policy for cardholder data, including a role-based access control (RBAC) system.
  8. ID Management: Make sure every person with computer access has a unique, complex, and detailed ID.
  9. Restrict Physical Access to Cardholder Data: Restrict physical access to cardholder data. Don’t keep sensitive files in the open, and always maintain a current list of authorized payment device users.
  10. Track and Monitor Networks: Track and monitor all access to network resources and cardholder data. For example, install log management technologies to monitor access and review logs daily.
  11. Test Security Systems: Regularly test security systems and processes. For example, plan penetration tests and conduct ongoing vulnerability scans.
  12. Information Security Policy: Keep updated documentation of your policies and procedures. They can be used as evidence for compliance proof. Your policy should address information security for employees and contractors.

What’s Next?

Once the new standards are released, organizations will have an extended transition period to make the move from PCI DSS v3.2.1 to PCI DSS v4.0. As such, v3.2.1 will stay active for 18 months after the standard—and all supporting documents including a self-assessment questionnaire (SAQ), report on compliance (ROC), and attestation of compliance (AOC), as well as program updates and training—are released.

According to the PCI SSC timeline, they anticipate PCI DSS v 4.0 will be complete six months before the supporting documents, training, and updates will be available. The standard will then be available for a total of two years before the retirement of PCI DSS v3.2.1, at which time all organizations are expected to be in compliance with version 4.0.

In addition to the standards for compliance by the time PCI DSS v3.2.1 is retired, there will be other “future-dated” requirements included in v4.0. Some requirements get this designation so organizations can have additional time to successfully implement them. In the interim, they’re considered best practices up until the “future date” is reached. It is not yet known how many “future dated” requirements will be in v4.0.

A Quick Look at the Evolution of PCI DSS

While existing PCI DSS controls are about 10 years old, their origins go back even further.

In late 1999, for example, Visa announced its Cardholder Information Security Program (CISP), which established security standards it expected its merchants to meet for online transactions. Other larger companies also had similar initiatives, but merchants struggled to meet many of the requirements and online credit card fraud was on the rise.

By 2004, five major credit card companies—American Express, MasterCard, Discover, Visa, and JCB International—united to unify security standards and released PCI DSS 1.0 in December of that year, with the expectation that by June 2005, all merchants that process at least 20,000 credit card transactions annually should be compliant.

Those first guidelines remained in place until 2006, when those core credit card companies announced they were forming the PCI Security Standards Council (PCI SSC) to oversee standards and help the industry push through issues that prevented many merchants from complying. In that same year, the council released PCI DSS v1.1. Those controls remained in place through October 2008 with the release of PCI DSS v1.2, and then a year later v1.2.1.

Even with these controls in place, credit card companies and merchants still faced an increasing number of data breaches, growing in severity and impact.

PCI DSS standards were updated once again in October 2010 with the release of v2.0. These standards remained in place, with periodic clarifications and increasing numbers of compliant merchants, until November 2013 when PCI DSS v 3.0 came out, with the standards taking effect in January 2014.

Since the release of PCI DSS v 3.0, the standards have had minor updates through versions 3.1, 3.2, and 3.2.1.

Here are some highlights of key PCI DSS updates over the years:

  • Review of online applications
  • Establishment of firewalls for security
  • Wireless network protection
  • Use of anti-virus software
  • Unified vulnerability assessment best practices
  • Payment Card Industry (PCI) PIN Transaction Security (PTS) Point of Interaction (POI) device approval requirements
  • More emphasis on employee education and training
  • Security as a shared responsibility model
  • More secure authentication methods
  • SSL/TLS protocol guidance
  • Encryption/decryption
  • Card production and physical security
  • Guidance for Token Service Provider Security Requirements

The current version of PCI DSS is v 3.2.1, which was released in May 2018. The new version, 4.0, has an anticipated release date of late 2021.

Who Should Be PCI DSS Compliant?

If your organization accepts, stores, processes, or transmits credit card information, you must be PCI compliant.

In addition to risk reduction, demonstrating you’re PCI DSS compliant builds trust with your customers, key stakeholders, and partners, showing that you’re proactively taking industry-approved actions to keep cardholder data safe.

PCI Merchant Compliance Levels

As a PCI merchant, you are classified into one of four compliance levels based on credit or debit card transaction volume during a 12-month period, including transaction volumes for all credit, debit, and prepaid transactions. Here’s a quick look at each level with basic requirements:

Merchant Level 1:

Processes more than 6 million credit or debit card transactions each year. Should conduct an annual internal audit and have a quarterly PCI scan conducted by an approved scanning vendor (ASV).

Merchant Level 2:

Processes 1-6 million transactions each year. Should conduct a self-assessment questionnaire annually. May be subject to a quarterly ASV PCI scan.

Merchant Level 3:

Processes 20,000 to 1 million eCommerce transactions each year. Should conduct an annual self-assessment and may be required to have quarterly ASV PCI scans.

Merchant Level 4:

Processes fewer than 20,000 eCommerce transactions per year and all other merchants—regardless of acceptance channel—processing up to 1 million transactions per year. Should conduct an annual self-assessment questionnaire and may need a quarterly ASV PCI scan.

Your Journey to PCI Compliance

It’s interesting to note that while PCI SSC sets these security standards, each credit card company (brand) has its own requirements to determine compliance, validation, and enforcement.

Qualified security assessors (QSAs) assess PCI compliance and approved scanning vendors (ASVs) are responsible for validating PCI DSS vulnerability scans.

Although each credit card brand has expectations regarding its security requirements, if you’re on the path to ensure PCI DSS accountability, here are a few things you can do for compliance success:

  1. Understand which assets (devices, systems, components, and networks) are in PCI DSS scope
  2. Complete an assessment including testing of all the steps for each PCI DSS requirement
  3. Document all of your controls and complete required reports
  4. While you meet requirements, complete an Attestation of Compliance (AOC)
  5. Submit an SAQ, AOC, ROC, ASV scan report, and other documents to the payment brand requestor
  6. If you discover security gaps, take and document actions for remediation and then complete an updated report

Preparing for v4.0

While there are still a lot of unknowns about PCI DSS v 4.0, now is not the time to sit back and wait to see what happens. Ensuring you’re compliant with v3.2.1 is a great foundation for what’s coming in the future. If you haven’t done so already, now is the time to dig into all of the requirements, assess where you fall short, and make plans to remediate issues.

There are a lot of moving parts your organization must implement, manage, document, and assess as part of your PCI compliance journey. If you’re managing your cybersecurity controls using spreadsheets, word processing documents, or outdated governance, risk, and compliance (GRC) tools, you may have a difficult time getting visibility into all of your controls and identifying where you may have gaps that need your attention.

On top of that, if your organization uses multiple cybersecurity compliance frameworks and you have a growing list of controls, you may be duplicating work and processes from one framework to another.

But managing your PCI DSS framework, and crosswalking it with all of the other ones your organization uses (today and as you evolve in the future), doesn’t have to be cumbersome. With Apptega, you can organize all of your controls and frameworks in a single platform so you have instant insight into how each framework—down to the individual control and sub-control level—measures up.

Best yet, you can use Apptega to quickly and instantly design your entire PCI DSS program with just a few clicks. You can manage everything PCI-related including real-time compliance scoring, task management, budgeting, collaboration, and more.

And, if you need help finding and assessing other PCI DSS resources such as security consultants or other solution vendors, you can access those right in the PCI Marketplace in CyberXchange, Apptega’s marketplace that instantly maps hardware, software, and other services to your PCI DSS controls and sub-controls.

Here are some of the PCI resources you’ll find there:

  • Audit help
  • Firewall configurations
  • Network diagram tools
  • Cardholder data flows diagrams
  • Roles and responsibilities
  • Cybersecurity policy and plan templates
  • And more!

Have questions about PCI compliance or would you like to know more about how Apptega can help you on your journey? Check out the following resources: