Jul 7th, 2021

What Awaits Us with the PCI DSS 4.0 Timeline Release?

#PCIDSSV4.0

#PCIDSS4.0Timeline

#PCIDSS4.0Goals

This blog post gives an overview of the most discussed changes proposed for the upcoming PCI DSS release, so that organizations know in advance what the v4.0 control requirements are likely to bring.

What is the PCI DSS?

PCI DSS is a data security standard maintained by the PCI Security Standards Council. It consists of requirements designed to protect cardholder data and to reduce, detect, and respond to fraud and cyberattacks.

All organizations that store, process, or transmit cardholder data must validate PCI DSS compliance annually. Depending on transaction volume and the card brands' rules, this is either a self-assessment questionnaire (SAQ) or an on-site assessment by a Qualified Security Assessor (QSA), covering the security controls and processes in scope.

The current version of PCI DSS, 3.2.1, has been available since May 2018.


When will the PCI DSS v4.0 be released?

According to the blog post published by the PCI Security Standards Council (PCI SSC), PCI DSS v4.0 is targeted to be published in Q1 2022.

Below is an overview of the updated timeline for the PCI DSS v4.0 development effort, including the additional RFC for validation documents, the preview period for PCI SSC stakeholders, and the planned public release of the PCI DSS v4.0 standard, validation documents, and other supporting materials.

Image shows Overview of the updated timeline for the PCI DSS v4.0 development.

An overview of the planned transition timeline and potential timing for future-dated requirements is shown below:

Image shows Overview of the planned transition timeline of PCI DSS V4.0 and potential timing for future-dated requirement.

The modified time frame still includes a transition phase from PCI DSS v3.2.1 to PCI DSS v4.0. Once all PCI DSS v4.0 materials are issued (the standard, the supporting documentation including SAQs, ROC templates, and AOCs, training, and program updates), PCI DSS v3.2.1 will remain active for a further 18 months so that organizations can migrate.

The Difference Between PCI 4.0 and 3.2.1:

The 12 core requirements of PCI DSS 3.2.1 are not expected to change substantially in PCI DSS 4.0. However, the new version of the standard is likely to bring several important updates and additional requirements. The PCI Council sought feedback on the changes through its Request for Comments (RFC) process, which is now complete; the Council has stated that this process attracted more feedback than it has ever received on any standard or subject.

Key Goals for PCI DSS v4.0:

According to a blog post published by PCI SSC, the key goals for the PCI DSS 4.0 release include:

  • Continue to meet the security needs of the payments industry for the protection of cardholder data, such as the primary account number (PAN) and other payment data.
  • Add flexibility and support of additional methodologies to achieve security.
  • Promote security as a continuous process.
  • Enhance validation methods and procedures.

Areas Expected to Be Updated in PCI DSS 4.0:

Based on early drafts, the following areas may be subject to change:

  • Requirement 1: Install and maintain firewall configurations
  • Requirement 2: Change all vendor-supplied defaults
  • Requirement 3: Protect cardholder data in storage
  • Requirement 4: Encrypt cardholder data for transmission

    Requirements for encrypting cardholder data in transit are likely to extend to trusted (internal) networks, not only open public networks. Keeping malicious code out of the CDE and preventing the theft of cardholder data is becoming more and more important, and v4.0 is expected to provide guidance on this.

  • Requirement 5: Keep anti-malware software up to date
  • Requirement 6: Ensure security across all systems and applications
  • Requirement 7: Limit access to data based on business need
  • Requirement 8: Require identity authentication for access

    Authentication requirements may change to reflect NIST password and multi-factor authentication guidance, and are expected to allow more flexibility in how authentication is provided. The payment brands, EMVCo, and PCI SSC are working together on this.

  • Requirement 9: Limit physical access to protected data
  • Requirement 10: Monitor all access to cardholder data

    The monitoring requirement for the cardholder data environment may be updated to reflect the use of network and endpoint security tools and to keep pace with new technologies.

  • Requirement 11: Test and analyze security systems

    Critical controls may need to be assessed more frequently.

  • Requirement 12: Maintain security policy addressing all personnel

Flexible and Customized Approach to PCI Compliance

In previous versions of the standard, PCI DSS provided specific, detailed requirements that said exactly what to do: it prescribed both the "what" and the "how" of securing the CDE. If a requirement could not be met as specified, the only alternative was a compensating control, a difficult and burdensome path to document and defend.

The major change is that PCI DSS 4.0 is expected to add a customized approach: instead of implementing a requirement exactly as written, you may design your own controls to meet the requirement's stated security objective, provided they are validated by your Qualified Security Assessor (QSA).

This flexibility can save your organization significant effort by letting you achieve compliance with technologies and controls that fit your environment, rather than the ones the prescriptive text assumes.

Increasingly Stringent Security Requirements

PCI DSS 4.0 is expected to introduce new requirements for the security of your cardholder data environment (CDE). In particular, you should be using network segmentation to isolate the CDE from your other system components. Segmentation is also what reduces the scope of an assessment, so a PCI penetration test must include segmentation testing; v3.2.1 already requires this (Requirement 11.3.4) wherever segmentation is used to reduce scope.

A cardholder data environment (CDE) is a computer system or networked group of IT systems that processes, stores, and/or transmits cardholder data or sensitive authentication data (SAD). The CDE also includes any component that directly connects to or supports that network.

Segmentation testing is another difference between a traditional assessment and a PCI penetration test. It attempts to verify that the CDE really is isolated, and requires the penetration tester to evaluate, from each out-of-scope network, the potential entry points into the CDE.
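The following is an added example, not code from the original post or from PurpleBox, showing the core of a segmentation test: from a vantage point that is supposed to be out of scope, attempt TCP connections to every in-scope CDE host and port, and treat anything reachable as a segmentation failure. The inventory, host addresses, and ports are constructed for illustration; a real engagement would load the CDE inventory from the scoping documentation and repeat the check from every out-of-scope segment.

```python
"""Minimal PCI segmentation probe (added example, hypothetical inventory).

Run from an out-of-scope network: any CDE port that answers a TCP handshake
means the segmentation control is not isolating the CDE from this vantage
point, and the segment must be treated as in scope until fixed.
"""
import socket
from dataclasses import dataclass
from typing import Callable, Dict, List

# Constructed sample inventory (hypothetical addresses and ports): each entry
# is a CDE host and the service ports it is supposed to expose only inside the CDE.
CDE_TARGETS: Dict[str, List[int]] = {
    "10.10.1.10": [443, 3306],   # hypothetical payment application + database
    "10.10.1.11": [22, 1433],    # hypothetical admin host + database
}


@dataclass(frozen=True)
class ProbeResult:
    host: str
    port: int
    reachable: bool


def tcp_probe(host: str, port: int, timeout: float = 1.0) -> bool:
    """Return True if a full TCP handshake completes, i.e. the port is reachable
    from the host running this script. Timeouts and refusals both count as blocked."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # includes socket.timeout and ECONNREFUSED
        return False


def run_segmentation_check(
    targets: Dict[str, List[int]],
    probe: Callable[[str, int], bool] = tcp_probe,
) -> List[ProbeResult]:
    """Probe every CDE host/port from the current vantage point.

    The probe function is injectable so the logic can be exercised without
    network access (e.g. in a test) or swapped for a different transport."""
    results: List[ProbeResult] = []
    for host, ports in targets.items():
        for port in ports:
            results.append(ProbeResult(host, port, probe(host, port)))
    return results


def segmentation_failures(results: List[ProbeResult]) -> List[ProbeResult]:
    """Every reachable CDE port is a finding: the vantage point is not isolated."""
    return [r for r in results if r.reachable]


def report(results: List[ProbeResult]) -> str:
    """Human-readable summary with a single pass/fail verdict for the segment."""
    lines = [
        f"{r.host}:{r.port} -> {'REACHABLE' if r.reachable else 'blocked'}"
        for r in results
    ]
    verdict = (
        "SEGMENTATION FAILURE"
        if segmentation_failures(results)
        else "isolated (no CDE port reachable)"
    )
    return "\n".join(lines + [f"Verdict: {verdict}"])


if __name__ == "__main__":
    print(report(run_segmentation_check(CDE_TARGETS)))
```

This only covers TCP connect probes; a real segmentation test also sweeps the full port range and UDP (typically with nmap), checks ICMP, and is repeated from every segment claimed to be out of scope, since a single reachable service invalidates the scope reduction for that segment.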

Support with PCI Compliance

Whether your organization is working towards current compliance standards or preparing for upcoming ones, PurpleBox can help you meet them. Our services specializing in PCI DSS compliance include:

  • PCI DSS Consultancy
  • PCI DSS Penetration Testing

Conclusion

In this blog post we gave an overview of the most discussed changes proposed for the upcoming PCI DSS release. The PCI SSC strongly recommends that organizations with access to early drafts of the new version wait for the final version to be released before implementing any changes.

In our next blog posts, we will be covering PCI DSS Penetration Testing.
