Wednesday , April 24, 2024

The PCI Security Standards Council Launches the Latest Version of Its Security Standard

After years of soliciting input from more than 200 organizations in the payments industry, the PCI Security Standards Council Thursday published version 4.0 of the PCI Data Security Standard (PCI DSS). The new standard, which provides a baseline of technical and operational requirements designed to protect account data, replaces version 3.2.1 of the standard and is intended to address emerging security threats and technologies and to enable innovative methods of combating new threats.

To ensure a smooth transition to the new standard, version 3.2.1 of PCI DSS will remain active until March 31, 2024.

In addition to meeting the evolving data-security needs of the payment industry, PCI DSS 4.0 also focuses on promoting security as a continuous process, increasing flexibility for organizations using different methods to achieve security objectives, and enhancing validation methods and procedures, according to the Council. 

Provisions within the new standard include updated firewall terminology in network-security controls to support a broader range of technologies used to meet the security objectives traditionally met by firewalls. Other provisions added to the new standard address increased flexibility for organizations to demonstrate how they are using different methods to achieve security objectives, expansion of Requirement 8 to implement multi-factor authentication for all access into the cardholder data environment, and targeted risk analyses to allow entities the flexibility to define how frequently they perform certain activities, as best suited for their business needs and risk exposure.

“PCI DSS v4.0 is more responsive to the dynamic nature of payments and the threat environment,” Emma Sutcliffe, senior vice president and standards officer for PCI SSC, says in a prepared statement. 

In addition to the updated standard, supporting documents published in the PCI SSC Document Library include the Summary of Changes from PCI DSS v3.2.1 to v4.0, the v4.0 Report on Compliance (ROC) Template, ROC Attestations of Compliance (AOC), and ROC Frequently Asked Questions. Self-Assessment Questionnaires (SAQs) will be published in the coming weeks. 

The PCI Security Council will also translate the new standard and the summary of changes into several languages through June. Additional information will be provided by the PCI Security Council during the year to help organizations within the payments industry understand changes made to the new standard.

“The last two years have proven to be an extreme test for organizations as they quickly pivoted to a digital-first environment and faced new operational realities, including an acceleration of cyber threats,” Rich Agostino, senior vice president and chief information security officer for Target Corp., says in a prepared statement.
