Feedback from the global payments industry drove changes to the standard. Over the course of three years, more than 200 organizations provided over 6,000 items of feedback to ensure the standard continues to meet the complex, ever-changing landscape of payment security.
“The industry has had unprecedented visibility into, and impact on the development of PCI DSS v4.0,” says Lance Johnson, Executive Director of PCI SSC. “Our stakeholders provided substantial, insightful, and diverse input that helped the Council effectively advance the development of this version of the PCI Data Security Standard.”
Updates to the standard focus on meeting the evolving security needs of the payments industry, promoting security as a continuous process, increasing flexibility for organizations using different methods to achieve security objectives, and enhancing validation methods and procedures. Details about the updates can be found in the PCI DSS v4.0 Summary of Changes document on the PCI SSC website.
Examples of the changes in PCI DSS v4.0 include:
Updated "firewall" terminology to "network security controls" to support the broader range of technologies now used to meet the security objectives traditionally met by firewalls.
Expansion of Requirement 8 to implement multi-factor authentication (MFA) for all access into the cardholder data environment.
Increased flexibility for organizations to demonstrate how they are using different methods to achieve security objectives.
Addition of targeted risk analyses to allow entities the flexibility to define how frequently they perform certain activities, as best suited for their business needs and risk exposure.
“With India being a highly targeted country by cyber hackers, securing payment data with data security standards in an evolving payment ecosystem is critical to build robust payments infrastructure keeping security at the centre of everything,” says Nitin Bhatnagar, Associate Regional Director – India, PCI Security Standards Council. “PCI DSS v4.0 is a unique example of how the Council is evolving security standards and validation programs to support a range of environments, technologies, and methodologies for achieving security. PCI DSS has always been technology-neutral and requirements are intended to apply to all types of environments.”
In addition to the updated standard, supporting documents published in the PCI SSC Document Library include the Summary of Changes from PCI DSS v3.2.1 to v4.0, the v4.0 Report on Compliance (ROC) Template, ROC Attestations of Compliance (AOC), and ROC Frequently Asked Questions. Self-Assessment Questionnaires (SAQs) will be published in the coming weeks.
To support global adoption of PCI DSS, the standard and Summary of Changes will be translated into several languages. These translations will be published over the next few months, between March and June 2022.
The Council will provide additional information throughout the year to help the community understand the changes made to the standard. This includes the PCI DSS Symposium, an online education event available 21 June 2022 for PCI SSC community members. Training for assessors will be available in June. For a schedule of assessor training sessions consult the PCI SSC training resource page.
The PCI Security Standards Council (PCI SSC) leads a global, cross-industry effort to increase payment security by providing industry-driven, flexible, and effective data security standards and programs that help businesses detect, mitigate, and prevent cyberattacks and breaches. Connect with the PCI SSC on LinkedIn. Join the conversation on Twitter @PCISSC. Subscribe to the PCI Perspectives Blog.