PCI DSS v4.0 - what's new and what to expect?

As Advantio is participating at Payment Card Industry Security Standards Council (PCI SSC) Europe Community Meeting 2019 in Dublin we’d like to share some insights on one of the most important and anticipated topics - PCI DSS v4.0.

PCI DSS v3.0 was published six years ago in 2013 with three minor revisions since then. Obviously, the payment industry is waiting for a major revision and it’s definitely coming. So, what can we expect from v4.0? The first draft for RFC (request for comment) is coming out for Participating Organizations and Assessors in the period October – December 2019, but we can share some thoughts about what to expect already.

Let’s start by talking about the defined goals and expectations of this new version:

• Ensure the standard continues to meet the security needs of the payments industry.
• Promote security as a continuous process.
• Enhance validation methods and procedures.
• And last but not least and perhaps most importantly to: add flexibility and support of additional methodologies to achieve security.

Based on the above four points, and particularly the goal to provide additional support for organizations achieving security in different ways, we believe that the most important new element is the so-called "Customized" or “intent-based” approach which will be added as an option for PCI DSS compliance validation. That, of course, will not eliminate the possibility to use the approach we are familiar with and is in use today which will be referred to as the “Defined” type. In fact, organizations will be allowed to use one, the other or a combination of both approaches within the same assessment.

The Customized approach will focus on the intent of each PCI DSS requirement describing the “what” and not the “how” and will allow organizations to determine their own controls and demonstrate how they meet the common security objectives of a specific PCI DSS Requirement. That means there will be no defined testing procedures and the QSA Professional conducting the assessment will have to develop their own based on information provided by the assessed entity. Being able to use either the Defined or Customized approach for any PCI DSS requirement within the same assessment will provide organisations with the flexibility to adopt the Customized approach gradually as they strengthen their information security posture.

The Customized approach will better suit risk-mature organizations with robust risk management approach, but will also require experienced QSA companies to be able to derive customized testing procedures and properly document details of these testing procedures and results of testing. One of the most important points of the Customized approach is that there will no longer be a need for Compensating Controls as organizations won’t require justification of business or technical constraints to define their own controls.

PCI DSS v4.0 will also have updated intent statements and expanded guidance for each PCI DSS requirement. You should expect quite a few new requirements as well, but they will be commented upon during at least two RFC phases, so most likely not all of them will end up in the final version of 4.0. We do expect to see the following new requirements in the draft version - encrypt card data during transmission not only via public/untrusted networks, enhanced password requirements if passwords are used as a single factor and more flexibility if passwords are part of multi-factor authentication. We can also see a requirement to use multi-factor authentication for any access to cardholder data. The risk assessment process is expected to be much more expanded and social engineering awareness concepts introduced. These are based on feedback provided to the PCI SSC from different industry players within the last few years. We also expect a general re-tuning of PCI DSS requirements to suit evolving environments such as the Cloud or technologies such serverless computing, which have gained popularity since 2013 when the last major PCI DSS version 3.0 was published. That includes Appendix A1 to be more suited for Cloud Hosting Service Providers. Self-Assessment Questionnaires will also benefit from the changes as they continue to be more and more meaningful for merchants.

As for the dates, we don’t expect the final version of the standard to be published earlier than the end of 2020, and it can easily be 2021 depending on the amount of feedback the PCI SSC receives during the RFC phases, which we expect to be a lot.

To summarize we welcome such a move by the PCI SSC very much, especially the introduction of a new approach to validation, which most certainly will not be easy to adopt quickly, but it will address the challenge of flexibility previously somewhat covered by compensating controls. If you would like to learn more or share your thoughts on PCI DSS v4.0, get in touch with our experts.