PCI DSS version 4.0 is coming soon: What you need to know now

Jan 21, 2022

Within the year, the Payment Card Industry Security Standards Council (PCI SSC) is expected to release version 4.0 of the PCI Data Security Standard (DSS), setting a requirement for organizations’ full compliance around 2022. This new version  of the DSS marks not only a significant change from the current version (3.2.1) in use by entities today, but introduces a fundamental shift in a key premise of the prescribed standards that will have permanent and far-reaching impacts on the way organizations implement, manage and report on compliance.

As with any major update in a compliance framework, organizations should take a proactive approach during the window of time between its release and its effective date. Now is the time to become familiar with the anticipated changes to better prepare your organization for a smooth transition to version 4.0.

Purpose of the changes

Version 4.0 of the standard incorporates wide-ranging feedback from stakeholders on industry trends, evolving threat landscapes and changes to payment processes at many organizations. The PCI Council has summarized its goals for version 4.0 as follows:

  • Ensure the standard continues to meet the security needs of the payments industry
  • Add flexibility and support additional methodologies to achieve security
  • Promote security as a continuous process
  • Enhance validation methods and procedures1

The continued evolution of existing payment technologies and the resulting shift in the underlying security landscape have been one of the major drivers in the update of the standard. Some of the more common drivers for such change include emerging technology deployment and storage solutions such as cloud services, software as a service (SaaS) and co-located data centers.

Version 4.0 is expected to include updated guidance that provides organizations with the ability to meet the intent of the controls in the framework, without having to adhere solely and unilaterally to the prescribed controls defined in the previous and existing version (3.2.1) of the DSS. In the new iteration, organizations will be able to consider controls in place, as long as they document and demonstrate that their controls meet or exceed the intent of the PCI DSS. This is a pivotal shift in PCI compliance methodology that gives organizations both greater freedom and greater responsibility to demonstrate how they are meeting PCI requirements.

Anticipated changes

Flexibility is, in fact, the key theme with the anticipated changes. Based on guidance the PCI Council has released so far, version 4.0 will support a more pronounced business as usual (BAU) approach to the 12 core requirements by adding flexibility in how those requirements are determined, documented and met by organizations. By adding what the PCI Council calls intent statements to each requirement, the approach taken in version 4.0 is outcomes-focused. The intent statement is meant to clarify the purpose of each requirement, and it provides flexibility in determining whether that intent is met. As such, the emphasis is on organizations meeting the intent of each PCI DSS requirement, rather than implementing a control solely in a prescribed way.

With this increased flexibility comes a new means of implementing—and assessing against—the standard. Organizations will be able to retain the option of their existing defined implementation: following current requirements and testing procedures. However, there is now a second option for a customized implementation, which leverages the outcomes-focused, flexible approach. For example, if an organization has a documented, risk-based reason for not implementing a password standard as prescribed, the organization can still be in compliance if it can demonstrate it is meeting the intent of the requirement. Merchants and services providers will continue to be required to document and implement controls, which includes generation and retention of evidence supporting the maintenance and testing of these controls. The qualified security assessor (QSA) then will review and document the details of the testing procedure and results. This collaborative validation for the customized approach is a new and exciting aspect of 4.0.

Finally, though the 12 core PCI requirements will remain the same, the intent and content of some sub-requirements are likely to change to reflect security best practices, keep pace with evolving threat landscapes and reflect changes in technology. Until the final revisions are released, organizations should continue to focus on the 12 core requirements of the PCI DSS. Securing the payment channel and data has always been a primary goal of the PCI DSS, and version 4.0 will be no different.

Next steps

As with most deadlines, this one will be upon us quickly. It is important for your organization to regularly assess your compliance efforts and review upcoming changes to the DSS once they are released publicly.

However, even before the final updates for version 4.0 are released, there are still ways your organization can prepare. As with any compliance initiative, limiting scope (e.g., segmenting, not storing cardholder data) can reduce the burden of compliance. In addition, BAU controls can be burdensome if you do not have the right organizational alignment. A new version of the DSS represents the ideal time to revise payment processes to limit scope, realign your business roles and responsibilities, and reduce risk.   

Another important step is to ensure you fully understand and document your payment processes. Lack of insight in this area has long been a hindrance to compliance for many organizations, as it is impossible to protect the cardholder data environment or justify appropriate intent and an outcomes based control set if you are unsure of its boundaries. Documenting data flows, network diagrams and processing activities serves as the foundation for compliance activities. In this way, preparing for version 4.0 is no different than preparing for any other version of the DSS.

Once version 4.0 is formally released, your organization can begin to benchmark against these new standards. If 2022 remains the expected date of compliance, 2021 will be the year to conduct readiness assessments and remediate gaps. A readiness assessment can help you identify the processes, technical controls, documentation and other security measures that will need to be adjusted to comply with version 4.0. That leaves 2020 as the ideal time to conduct working sessions on your organization’s PCI compliance philosophy and to draft intent and outcomes statements. Even if we do not have the final draft of version 4.0 until later this year, we do know that organizations will be required to document their risk-based decisions regarding payment processes, and that is something organizations should begin doing now.  

Version 4.0 represents a significant shift in the way organizations can demonstrate compliance to the PCI DSS. Engaging RSM as your trusted advisor throughout this process can ease the transition and help your organization navigate these changes successfully while maximizing the value of your security compliance efforts in this and other areas.

1 See PCI DSS: Looking Ahead to Version 4.0 for more information.

RSM contributors

  • Alan Gutierrez-Arana
  • Travis Wendling