Are We There Yet?

Written by Sherri Collis | Jan 31, 2022 6:52:55 PM

How often have you heard the question, “Are we there yet?” while on a road trip with your family? Well, we aren’t there yet, but we are so much closer! The official launch of PCI DSS v4.0 is planned for March 2022. Because it’s getting so close, we want to share an update on what has been happening and what we know, along with some insights into what we are doing to get ready.

Release of PCI DSS v4.0


On January 20, 2022, the PCI Security Standards Council released the stakeholder draft of the PCI v4.0 Standard and a Summary of Changes to Qualified Security Assessor Companies (QSACs), Approved Scanning Vendors (ASVs), and Participating Organizations (POs) for a sneak peek. Per the Development Timeline shown in Figure 1 below, we are on track and are still expecting the official release of the PCI DSS v4.0 in March 2022.

Figure 1. PCI DSS v4.0 Development Timeline


An update on what we know so far…

On January 26, 2021, Online published a blog titled “What is Happening With the new PCI 4.0 Standard?” Based on our review at that time, we stated that we expected some significant changes to be introduced with the 4.0 Standard, along with some iterative improvements. We stand by these earlier statements. The changes do range from minor tweaks (think oil changes) to significant overhauls (think water pump, timing belt, engine block).

There will be some future-dated requirements for some of the changes based on the timeline the council has publicly released, shown in Figure 2 below.

Figure 2. https://blog.pcisecuritystandards.org/updated-pci-dss-v4.0-timeline


What has been happening at Online

Team Online’s QSAs have been poring over the PCI 4.0 Standard in excruciating detail and providing feedback to the PCI SSC since September 2020. We have discussed the changes internally, and we have developed a roadmap with some side road trips for our clients in some of the areas where we believe there will be a rockier, more winding path. Online is updating our toolbox and methodologies so that we are prepared when the Council officially releases v4.0. At the official launch, Online will have a resource center available to you containing webinars, blogs, OnlineTV episodes, and more. To stay in touch with what is happening, you can subscribe to our Risk, Security and Privacy blogs here, where we will be publishing our updates.


Next pit stop?

There are several things you can do while you are waiting for March to get here. A great place to start includes:

  • Download our PCI 4.0 Road Trip Infographic that maps out the timeline and provides some guidance on how you can start to get ready too!


  • Register for an upcoming event that Online is hosting for our clients within 1 week of the Council publishing the Standard in March 2022. In this session, you can expect the following:

      • The session will begin with several of our senior Online team members, who have been poring over the v4.0 Standard and providing feedback to the PCI Council since September 2020, walking through some of the more major changes in the Standard.

      • After the major changes are discussed, there will be a one-hour period reserved for our guests to ask our panel of experts questions about the changes.


In the meantime, if you have any questions don't hesitate to reach out; we'd love to hear from you.