PCI DSS 4.0: Key Developments You Need to Know


Key Takeaways

  1. Security as a Continuous Process: The core objective of PCI DSS v4.0 is to move the standard away from an annual compliance check and toward security as a continuous process, including clearer roles and responsibilities for ongoing security procedures.

  2. Customized Approach for Flexibility: The new version introduces the Customized Approach, offering organizations greater flexibility to define and implement controls tailored to their environment, provided they achieve the security objective of the requirement. This is validated through rigorous methods, including a Targeted Risk Analysis (TRA).

  3. Future-Proofing Security Controls: The standard includes Evolving Requirements that are currently considered best practices but will become mandatory on March 31, 2025. This approach allows the payment card industry time to adopt new security measures designed to combat modern, ever-changing threats, such as enhanced Multi-Factor Authentication (MFA) and phishing protection.

How PCI DSS v4.0 Impacts Day-to-Day Business Practices

PCI DSS v4.0 is intended to help combat new and evolving security threats to the payment industry. It is the next evolution of a global standard that defines a baseline of technical requirements for protecting sensitive payment data. Shaped by over 6,000 items of feedback from 200 companies, the new PCI DSS standard offers a holistic upgrade for real-world payment security situations.

What are the Goals of PCI DSS v4.0?

  • To evolve to meet the changing needs of the payment industry.
  • To establish that payment security is an ever-evolving process.
  • To allow for flexibility within different methodologies.
  • To enhance validation methods across the payment industry.


What’s New in PCI DSS v4.0?

In order to meet the outlined goals, there are a number of changes being implemented in the latest version of the PCI DSS.

  1. Security practices must evolve to meet ever-changing threats. New MFA (Multi-Factor Authentication) requirements, updated password guidelines, and additional ecommerce and phishing protections will help the payment industry adapt to new threats.
  2. Ongoing security procedures are crucial to ensure that sensitive payment data is protected. Each requirement will have clearly defined roles and responsibilities associated with it. New guidance will help companies understand how to implement and maintain security procedures, and new reporting templates will offer more transparency to highlight areas for improvement.
  3. Allowing flexibility gives service organizations more options to meet objectives and helps promote innovation. For example, organizations will be able to use targeted risk analyses to establish frequencies for certain tasks. Group, shared and general accounts will be allowed under the new guidelines in certain situations. New methods for implementing and validating PCI DSS will allow organizations like yours to use unique methods to meet key objectives.
  4. Defining transparent validation and reporting options helps to support granular security objectives. Better aligning expectations between the different PCI DSS assessment types, such as a Report on Compliance (ROC), a Self-Assessment Questionnaire (SAQ), or an Attestation of Compliance, creates understandable goals and allows you to align your compliance initiatives with those expectations.

These are just some of the changes that will be coming in PCI DSS v4.0. For a comprehensive overview, check out the PCI Security Standards Council’s Official Document Library.


How Quickly Do I Need to Update to PCI DSS v4.0?

Not ready to fully switch to PCI DSS 4.0? Don’t sweat it. Version 3.2.1 will remain operational for 2 more years, with a transition period between March 2022 and March 2024. This will allow organizations to familiarize themselves with the new guidelines, update templates and forms, and implement the updates needed to comply with the new framework.

Qualified assessors will be able to complete assessments under the PCI DSS v4.0 framework after completing the required training.

Key Dates

  • PCI DSS v3.2.1 will remain active until March 31, 2024, to allow organizations time to familiarize themselves with the new version’s requirements. Entities can choose to voluntarily validate against PCI DSS v4.0 until that date.
  • All PCI DSS assessments completed after March 31, 2024 must be validated against v4.0.

[Figure: PCI DSS v4.0 Implementation Timeline. Image source: PCI Security Standards Council]

Auditwerx is Here to Help with PCI Compliance

If you’re ready to work with a true PCI compliance partner, you’re in the right place. As a certified QSAC with over 10 years of experience, our dedicated team is best positioned to help you through changes to the PCI DSS and ensure your controls remain in compliance with the new guidelines. Contact a PCI specialist today.


FAQs

The four main goals of the revision are:

  1. Evolve to meet new threats facing the payment industry.

  2. Establish payment security as an ongoing process rather than a once-a-year event.

  3. Increase flexibility for organizations to implement security methodologies.

  4. Enhance the methods for validation and reporting across the payment industry.

Version 3.2.1 remains active until March 31, 2024. After this date, all compliance assessments and validation must be performed against the PCI DSS v4.0 framework. Organizations can choose to validate against v4.0 voluntarily before this date.

The Customized Approach allows organizations to use non-traditional or unique methods to meet a specific security objective, provided they can prove the control is effective and sufficiently mitigates the risk. This allows for innovation beyond prescriptive requirements, but it requires thorough documentation, including a Targeted Risk Analysis (TRA), to support the effectiveness of the control.

Evolving Requirements are security controls that are introduced as best practices in the standard but have a delayed implementation deadline (e.g., March 31, 2025). They are included to allow the industry two years to fully implement critical security measures, such as enhanced authentication and phishing protections, ensuring the standard remains relevant against new and evolving threats.

About the Author

Auditwerx Team
Tampa-based Auditwerx has provided over 3,500 security compliance reports to clients nationally and internationally since 2009, leveraging the specialized resources and experts of a top accounting firm for high-quality, personalized service. As a division of Carr, Riggs & Ingram Capital, LLC, Auditwerx offers clients the skills of a large firm—including CISSPs and CISAs—combined with the accessibility of a niche, boutique firm, dedicated to building long-term, transparent partnerships.
