PCI SSC Publishes PCI Data Security Standard v4.0

The PCI Security Standards Council (PCI SSC) published the latest update to the PCI Data Security Standard (PCI DSS) this week. The gold standard for retailers and financial organizations when it comes to protecting sensitive cardholder data, PCI DSS v4.0 shifts the standard’s focus to outcome-based requirements.

Much has changed since the preceding version of the standard, v3.2.1, was published back in 2018. Fueled by the pandemic, online transactions and the use of point-of-sale (PoS) machines have skyrocketed, technology has evolved, and cloud platforms are used extensively for storing cardholder data. Attackers have also advanced their tactics targeting the payments industry.

Dr Zakir Hussain, President of the Cyberspace Council, said the PCI DSS standard’s goal is to “address emerging threats and technologies and enable innovative methods to combat new threats” to customer payment information.

“The industry has had unprecedented visibility into, and impact on the development of PCI DSS v4.0,” says Lance Johnson, Executive Director of PCI SSC. “Our stakeholders provided substantial, insightful, and diverse input that helped the Council effectively advance the development of this version of the PCI Data Security Standard.”

The standard focuses on meeting the evolving security needs of the payments industry, promoting security as a continuous process, increasing flexibility for organizations using different methods to achieve security objectives, and enhancing validation methods and procedures. Details about the updates can be found in the PCI DSS v4.0 Summary of Changes document on the PCI SSC website.

Examples of the changes in PCI DSS v4.0 include:

  • Updated firewall terminology to “network security controls” to support a broader range of technologies used to meet the security objectives traditionally met by firewalls.
  • Expansion of Requirement 8 to implement multi-factor authentication (MFA) for all access into the cardholder data environment.
  • Increased flexibility for organizations to demonstrate how they are using different methods to achieve security objectives.
  • Addition of targeted risk analyses to allow entities the flexibility to define how frequently they perform certain activities, as best suited for their business needs and risk exposure.

“PCI DSS v4.0 is more responsive to the dynamic nature of payments and the threat environment,” says Emma Sutcliffe, SVP, Standards Officer of PCI SSC. “Version 4.0 continues to reinforce core security principles while providing more flexibility to better enable diverse technology implementations. These updates are supported by additional guidance to help organizations secure account data now and into the future.”

The Council will provide additional information throughout the year to help the community understand the changes made to the standard. This includes the PCI DSS Symposium, an online education event available 21 June 2022 for PCI SSC community members. Training for assessors will be available in June 2022.

About the PCI Security Standards Council
The PCI Security Standards Council (PCI SSC) leads a global, cross-industry effort to increase payment security by providing industry-driven, flexible, and effective data security standards and programs that help businesses detect, mitigate, and prevent cyberattacks and breaches.