This blog post is an overview of some of the most controversial changes proposed in the upcoming PCI standard release. It also aims to ensure that organizations have prior knowledge of changes in v4.0 control requirements.

What is the PCI DSS?

PCI DSS is a data security standard that consists of requirements designed by organizations to help protect cardholder data, minimize, and respond to fraud and cyberattacks.

All organizations that accept or process credit card payments are required to conduct an annual PCI DSS audit of their security controls and processes covering data security areas.

The current version of PCI DSS, 3.2.1, has been available since May 2018.

When will the PCI DSS v4.0 be released?

According to the blog post published by the PCI Security Standards Council (PCI SSC), PCI DSS v4.0 is targeted to be published in Q1 2022.

Below is an overview of the updated timeline for the PCI DSS v4.0 development effort, including the additional RFC for validation documents, the preview period for PCI SSC stakeholders, and the planned public release of the PCI DSS v4.0 standard, validation documents, and other supporting materials.

PCI DSS v4.0 Development Timeline

An overview of the planned transition timeline and potential timing for future-dated requirements is shown below:

PCI DSS v4.0 Transition Timeline

A transition phase from PCI DSS v3.2.1 to PCI DSS v4.0 is still included in the modified time frame for organizations. Once all PCI DSS v4.0 materials—that is, the standard, supporting documentation (including SAQs, ROCs, and AOCs), training, and program updates—are issued, PCI DSS v3.2.1 will stay operational for 18 months to help with the transition.

This article may interest you: What is Cloud Security?

The Difference Between PCI 4.0 and 3.2.1:

Major changes are not expected with the release of PCI DSS 4.0 for the 12 core PCI DSS requirements in version 3.2. However, the new version of the standard is likely to bring several important updates and additional requirements. Feedback to inform changes to the PCI DSS was sought by the PCI Council through its Request for Comments (RFC) process which is now complete. The council has stated that this process attracted the highest level of feedback it has ever received concerning any standard or subject.

Key Goals for PCI DSS v4.0:

According to a blog post published by PCI SSC, the key goals for the PCI DSS 4.0 release include:

  • Continue to meet the security needs of the payments industry for the protection of cardholder data such as primary account numbers, card numbers, and other payment data.
  • Add flexibility and support of additional methodologies to achieve security.
  • Promote security as a continuous process.
  • Enhance validation methods and procedures.

Areas Expected to be updated in PCI DSS 4.0 include:

Based on early drafts, the following areas may be subject to change:

  • Requirement 1: Install and maintain firewall configurations.
  • Requirement 2: Change all vendor-supplied defaults.
  • Requirement 3: Protect cardholder data in storageAuthentication processes may change to reflect the NIST password and multi-factor authentication guidance. These authentication processes are also expected to be more flexible when providing authentication. Payment Brands, EMVco, and PCI SSC working together.
  • Requirement 4: Encrypt cardholder data for transmissionRequirements for encrypting cardholder data are likely to increase on trusted networks. Keeping malicious code out of the CDE and preventing the stealing of cardholder data is becoming more and more important. v4.0 is expected to provide guidance to do this.
  • Requirement 5: Keep anti-malware software up to date.
  • Requirement 6: Ensure security across all systems and applications.
  • Requirement 7: Limit access to data based on business needs.
  • Requirement 8: Require identity authentication for access.
  • Requirement 9: Limit physical access to protected data.
  • Requirement 10: Monitor all access to cardholder dataMonitoring the cardholder data environment requirement may be updated on the use of network and endpoint security tools to keep up with new technologies.
  • Requirement 11: Test and analyze security systemsCritical controls may need to be assessed more frequently.
  • Requirement 12: Maintain security policy addressing all personnel.

Flexible and Customized Approach to PCI Compliance

As we were accustomed to in previous versions of the standard, PCI DSS provided specific, detailed requirements that told us exactly what to do. PCI explained the “what” and “how” of securing the CDE. If a requirement was not met as specified, a difficult and burdensome path would be inevitable.

It looks like the major change is that PCI-DSS 4.0 will allow you to design your security controls with Qualified Security Auditor (QSA) approval.

This new flexibility can save your organization in many ways by enabling you to use different technologies to achieve compliance.

Increasingly Stringent Security Requirements

PCI DSS 4.0 is expected to introduce new requirements for the security of your cardholder data environment (CDE). Simply, it should be using network segmentation to separate your CDE from your other system components. While it is on the spot, another point that should not be missed out is that the PCI penetration test should include segmentation tests.

Also see: What is Endpoint Security?

What is Cardholder Data Environment (CDE)?

A cardholder data environment (CDE) is a computer system or networked group of IT systems that processes, stores and/or transmits cardholder data or sensitive payment authentication data. A CDE also includes any component that directly connects to or supports this network.

Segmentation Test is another difference between traditional assessment and PCI Pentest. This activity attempts to verify the isolation of the CDE and requires the penetration tester to evaluate potential entry points into the CDE.

Support with PCI Compliance

Whether your organization is working towards current compliance standards or preparing for upcoming ones, PurpleBox can help you meet them. Our services specializing in PCI DSS compliance include:

  • PCI DSS Consultancy
  • PCI DSS Penetration Testing


In this blog post, we provided an overview of the most controversial changes proposed in the upcoming PCI standard release. The PCI SSC highly recommends organizations that have access to the first drafts of the new version wait for the final version to be released before implementing any changes.

In our next blog posts, we will delve into the topic of PCI DSS Penetration Testing.

In addition to our blog post, consider checking out our Risk & Compliance services. These services are designed to help organizations stay secure by providing comprehensive risk assessments and compliance audits. Organizations can minimize the impact of potential breaches and protect their sensitive data from unauthorized access by taking a proactive approach to security.