What is Happening With the new PCI 4.0 Standard?

What we know so far

Based on our team’s review, we expect that there will be some significant changes introduced with the 4.0 Standard, along with some iterative improvements. We can’t (and won’t) spoil the surprise, but can reiterate what the Council has publicly shared and verify that the new Standard is intentionally designed to be more flexible, outcome-based, and more focused on a risk-based approach to securing cardholder systems and data. I have included a couple of links to some of the Council’s statements at the bottom of the post; they provide some valuable insights around what you should expect.

Another way to describe it might be to compare the 4.0 version of the DSS to the process of buying a new car – the overall layout is similar and will feel familiar, but there are going to be some new features and controls that aren’t quite where you remembered them: get used to turning on the wipers when you meant to hit your turn signal for a little while. From what we’ve seen so far, it’s a solid upgrade to the previous model, but the reporting format and testing procedures are going to take some getting used to when it becomes our daily driver – buckle up!

The changes range from minor tweaks and clarifications to significant overhauls in reporting (e.g. say goodbye to compensating controls and hello to the outcome-based “Customized Approach”). As expected, there are also some “Future Dated Requirements” proposed that will mean significant changes; the Council has wisely provided ample time to implement these new requirements.

What we are doing while we wait

Our PCI QSA “Expert Collective” has been busy behind the scenes reviewing, analyzing, and parsing the proposed controls in excruciating detail. We are updating our toolbox and methodologies to get us ready to help out as soon as the Standard officially drops. Our experience with previous versions of the Card Brand operating rules and the evolution of the Standard gives us unique insight into the probable scope, scale, and level of effort that the changes will require. And we want to be ready so we can help you navigate these changes on Day 1 - whether you simply need help clarifying a few questions or would like to work with us on completing PCI 4.0 Readiness Assessment. 

A great place to start is to download our PCI 4.0 Road Trip Infographic that maps out the timeline and provides some guidance on how you can start to get ready too!

We will be providing regular updates before the Standard releases, and will have resources available for you to use right away (e.g., webinars, blogs, OnlineTV episodes). To stay in touch with what is happening, you can subscribe to our Risk, Security and Privacy blogs here where we will be publishing our updates.

And as promised, here is some great reading and official communiques from the SSC to get you ready:

• https://www.pcisecuritystandards.org/about_us/press_releases/pr_10242019
• https://blog.pcisecuritystandards.org/how-the-council-is-evolving-to-secure-the-future-of-payments
• https://blog.pcisecuritystandards.org/5-questions-about-pci-dss-v4-0

In the meantime, if you have any questions don't hesitate to reach out; I'd love to hear from you.