Preparing for PCI DSS v4.0

We already have clients asking what to expect when the Payment Card Industry Data Security Standard (PCI DSS) v4.0 is released. That’s no surprise, since this is the first major revision to the standard since v3.0 was released in 2013. When proposing the new version of this standard, the PCI Security Standards Council (SSC) established several goals:

  1. Keep the standard current and ensure it meets the needs of the payment industry
  2. Add flexibility to support different approaches to security
  3. Focus on security as a continuous process
  4. Enhance the methods and procedures for validating compliance

Where We Currently Stand

The SSC provided QSA companies with a draft version of the standard during the second half of 2020, together with a Request for Comment (RFC) against this version. The RFC phase closed in the last few weeks, and the SSC is now reviewing the feedback received from QSA companies and other stakeholders and compiling a list of the final actions that will be taken based on it.

We expect to receive the updated version of the standard, incorporating this feedback, within Q1 of 2021. Supporting material and the full version of the standard will then be published as the official version of the standard sometime in Q4 of 2021.

Update: PCI SSC is now targeting a Q1 2022 publication date for PCI DSS v4.0. The final versions of the standard are scheduled for formal release in March 2022.

What to Expect Going Forward

Once the v4.0 supporting documents, training, and program updates are released, organizations will have an extended transition period of 18 months to update from PCI DSS v3.2.1 to PCI DSS v4.0. This extended period will allow both the QSA companies and the assessed organizations time to become familiar with the changes in v4.0. This will require an overhaul that includes updating reporting templates and forms, and planning the implementation changes needed to meet the updated requirements.

PCI DSS v4.0 requirements become effective in the first quarter of 2024, under the current timetable.

In addition to an 18-month period when both versions will be active, organizations will be given additional time to complete their implementations for any new “future-dated” requirements in v4.0. Unfortunately, we won’t know how many new requirements there will be until the standard is finalized next year. However, based on the current draft, future-dated requirements are expected to extend 2.5 to 3 years after v4.0 is published.

Conclusion

The overall takeaways are that the PCI Council is providing organizations 2.5 years before any of the new requirements will have to be implemented. Based on the current timetable, v4.0 won’t be released until late 2021. With that, organizations concerned that these changes might impact their compliance should consider a PCI DSS v4.0 gap assessment of their current control framework.

You can work with CompliancePoint using our proprietary approach to evaluate any applicable v4.0 requirements to determine the impact on your organization and develop a long-term strategic plan to ensure compliance with this, and other standards, prior to a formal assessment.

Please reach out to us at connect@compliancepoint.com if you have any questions about this topic or how CompliancePoint can assist your organization with achieving PCI DSS Certification or managing your PCI compliance.

Finding a credible expert with the appropriate background, expertise, and credentials can be difficult. CompliancePoint is here to help.