PCI DSS v4.0 – What do we know and what can we say with certainty?
Global Practice Lead - PCI DSS - CSIR Global Cyber, Risk & Advisory Leaders
Article published 14 January 2021
With more information on the PCI DSS v4.0 update gradually coming to light, it appears that the long-awaited update is getting further away, not closer. On the timeline projected at the time of writing, version 3.2.1 will remain in force until Q2 2023, giving a two-year transition period from the date v4.0 is published, with any new requirements becoming enforceable in Q1 2024. Organizations will therefore have a generous timeframe in which to transition. So, down to the question:
What do we know, and what can we say for certain about PCI DSS Version 4?
[Figure: PCI DSS Transition Timeline]
What we can say: it’s different
The updated version of PCI DSS provides flexibility in how an organization can achieve compliance with the standard. It focuses on the outcome and intent of each requirement rather than on a single prescribed way of meeting it. The auditor will, however, continue to validate how each control is met with the same rigour as before: through interviews, configuration checks and system inspection, process review, and evidence collection and review.
At a high level, PCI DSS compliance will not become simpler under v4.0; what changes is that organizations gain more flexibility in how they achieve and maintain it.
This means auditees have more freedom in how they address a requirement, which is good news, but it also means that assessing whether a control meets the requirement becomes more subjective.
What does this mean?
Auditees may have more challenging conversations with their auditor about whether a chosen control actually meets the intent of a requirement.
This could lead to a protracted audit process.
Qualified Security Assessor (QSA) perspective:
One of the most valuable elements of PCI DSS is its prescriptive view of requirements. Allowing more flexibility may introduce more subjectivity into the assessment.
What does this mean?
Auditors will have to be well prepared to defend the rigorous level of assurance the PCI DSS expects.
A wide and varied knowledge of the past and current threat landscape, including the attacks that target the client's industry, will be paramount when judging and defending a client's security position.
Confirming that the intent and outcome of each PCI DSS control are actually achieved will remain key to gaining assurance over the security posture.
It is certainly worth noting that, apart from any new controls, maintaining your existing v3.2.1 control set will prove largely sufficient to meet the corresponding PCI DSS v4.0 controls.
What we can say: there will be new controls
We can’t say for certain which new controls will be introduced, as they are still subject to the ongoing Request for Comments (RFC) process and covered by non-disclosure agreements (NDAs). However, any new controls will not be enforceable until Q1 2024, so organizations will have time to prepare and migrate. Based on some of the controls that have been suggested, early engagement with your QSA is advisable, as some may take significant effort both to implement and to keep operating as a maintained process.
The PCI Council has published the following in response to questions about what to expect:
“Examples of some of the proposed new requirements include requirements for organizations to verify their PCI DSS scope and some additional requirements for service providers. There are also proposed revisions to requirements on passwords to accommodate different authentication options, and an update to the risk assessment requirement to provide greater clarity and guidance for organizations on the risk management process”.
If you have any specific queries regarding PCI DSS in a specific environment, or industry, contact our PCI DSS Practice for additional information. Our QSA consultancy and audit capabilities extend globally across a wide variety of verticals and technology stacks.