As many are aware, the PCI Council (the organization that publishes the PCI Data Security Standard) has been working on the next iteration of the PCI DSS, version 4.0. This version will replace the current version, 3.2.1. As version 3.2 was published in April of 2016, and version 3.2.1 was published in May of 2018, it has been some time since there have been changes to the PCI standard. And as can be inferred from the version numbers, PCI DSS 4.0 is a major revision.

What are the changes?

There are two major types of changes forthcoming in PCI DSS 4.0:

1. Compliance Approach – As anyone who has gone through a PCI audit is aware, organizations are currently required to adhere to each PCI requirement as written. This approach will be changing: organizations will have the option of either of the following:

a. Prescribed Approach – Organizations adhere to the PCI requirements as written in the 4.0 standard. For all intents and purposes, the prescribed approach is how we’ve adhered to the PCI standard thus far.

b. Objective Approach – Organizations will have the latitude to review the objectives behind the written PCI requirements and, using guidelines from the PCI Council, craft their own controls that meet the intent of the original PCI requirement. More information will be forthcoming, but this approach will require more documentation than the prescribed approach.

2. PCI Requirements – There will be additional requirements that organizations will need to adhere to. Some new requirements will likely have minor impacts on organizations, while others will likely have significant impacts.

Can you tell me what the new requirements are?

Unfortunately, the PCI Council has not opened the details of the new requirements to the general public. However, as QSAs, we’ve been involved in several Request for Comment rounds in which we’ve reviewed the proposed changes and provided feedback to the PCI Council. Once the updates have been published to the general public, we will be holding training sessions to review the impacts of the new approach and requirements.

When will I need to comply with PCI 4.0?

Because of the major changes in the standard, the timeline for publication of the final version has been fluid. As of this writing, the PCI Council is targeting a Q4 2021 completion date to publish PCI DSS 4.0. However, there are two nuances to consider regarding the timing of PCI DSS 4.0:

1. PCI DSS 3.2.1 will still be an option for organizations to adhere to for 18 months after PCI DSS 4.0 is published. During this period, organizations can adhere to either version 3.2.1 or version 4.0.

2. After this 18-month period, organizations will be required to adhere to PCI DSS 4.0. However, within 4.0 there will be specific requirements that are future-dated, such that organizations won’t have to adhere to those 4.0 requirements until the future date stated in each future-dated requirement. The PCI Council estimates that future-dated requirements may not be required until possibly 2.5 to 3 years after PCI DSS 4.0 is published.

When will SAQs be updated?

SAQs should be updated within a few months of the full PCI DSS being published.

What can I best do to prepare for PCI DSS 4.0?

The best thing you can do to prepare for PCI DSS 4.0 is to adhere to PCI DSS 3.2.1. There should be plenty of time for organizations to adapt to PCI DSS 4.0 once it is published.