The wait is finally over and PCI DSS v4.0 is released today, 31st March 2022. Whatever the size of your organisation, volume of payments or size of in-scope network, there will be an impact to you of some kind, but for today it's business as usual.
In this post, we discuss six areas in PCI DSS v4.0, which we think you should be aware of today, with much more detail to come.
For now, we will take it easy and focus on the key themes and changes:
1 - The PCI DSS v4.0 timeline for transition is generous
Each time a major version is released the Payment Card Industry Security Standards Council (PCI SSC) also includes a timeline for its introduction and the retiring of the previous version. As the development of PCI DSS v4.0 has introduced significant changes, the transition timeline is generous. This will see PCI DSS v3.2.1 around until the beginning of 2024, but this doesn't mean you should wait until this time.
So, what next?
If you’re a merchant you should engage with your acquirer, as they may have some thoughts and guidance on when they would like you to transition.
Service providers need to consider their operations and the contractual benefits provided to customers. If customers transition to PCI DSS v4.0 first and you have contracted a new requirement not covered by your own PCI DSS v3.2.1 assessment, this will create some challenges for you to consider around how that can be validated by your customer’s Qualified Security Assessor (QSA).
There is also work for the QSA Companies because each QSA must receive training on how to assess v4.0 - we are all in this together.
2 – The PCI standard has grown in size
You will notice the increased size of the standard, by page count if nothing else! The PCI SSC is always looking to provide as much detail as they can, and this has often come outside of the standard itself in the form of supplementary information guides.
In PCI DSS v4.0 some of that information has been deemed important enough to be included within the standard; this approach gives greater clarity to the entire community. There's also a standard approach to the guidance now that gives more context - all for the greater good.
The other main section discusses the new implementation and validation routes. This provides entities with a mechanism to be compliant and leverage other novel approaches that better match their operations. For others, they will continue to validate in the traditional way. There will be more information around Customised Validation as it is significant, but for now, read through each section and start to compile your thoughts and questions ready for your QSA.
3 - The number of total requirements has gone up
The raw count of requirements doesn't show a big increase, in fact, the count is actually slightly fewer (including future dated requirements), but nothing has been taken out.
The PCI SSC has in some instances 'flattened' some multi-part requirements into a single requirement. For example, acceptable use in PCI DSS v3.2.1 consists of four requirements, but only one requirement in PCI DSS v4.0. Development requirements have also been flattened to a lower quantity, yet they include a lot more considerations. So don’t be fooled by the numbers, there is more to do to comply with PCI DSS v4.0.
It is essential to read the standard carefully and begin to identify those requirements that will be challenging to you and use the Summary of Changes document to help too. There is quite some time to prepare for them though as the timeline for the retirement of PCI DSS v3.2.1 has been created to allow everybody to transition in a controlled manner.
4 - Future-dated requirements are back
With so much being added to the standard, the PCI SSC is introducing a number through Future Dated Requirements, and their go-live date is not for quite some time; Q1 2025.
By all means, read them, but ensure that your transition plan doesn't put too much burden on you or the teams implementing the changes, especially where there could be costs associated with the new/changing requirement. Be sure to get help from your QSA on this.
5 - The standard is much more technology-friendly
Recent years of technology development and cloud adoptions have meant the PCI DSS v3.2.1 has sometimes felt behind the times. In response to this, many terms in PCI DSS v4.0 have now been given agnostic descriptions. For example, a firewall is now described as a “network security control” and a server is now a “system.”
Moving to this approach and using fewer technology-specific terms removes any restrictions that organisations may have felt in PCI DSS v3.2.1, and they can apply the standard to their chosen technology stack much more easily.
6 - Risk Assessment plays a greater part in requirements throughout the standard
PCI DSS v4.0 recognises that risk management must be a feature of the overall compliance program. For too long, organisations have struggled to handle certain events like end-of-life for products, crypto periods, and use of security protocols, failing to recognise their significance and then encountering issues. By bringing them into the risk assessment process, will allow you to maintain those elements in your in-scope systems in a context-specific manner.
In conclusion
The release of PCI DSS v4.0 is a big deal in the payment card industry, and the changes and new additions will challenge some organisations, but the message right now is to keep calm and carry on.
Do
Review the new standard, understand what your bank or customers expect from you, and work with your QSA to build a plan. LRQA will be releasing more information and guidance over the coming weeks and months to help our clients transition to PCI DSS v4.0.
Don't
There’s no need to rush into anything but don’t put it off for too long. Some of the changes won’t be overly challenging, but some might. Most organisations will have a least one more cycle of assessing against PCI DSS v3.2.1, but don’t wait until that is completed before you begin to plan.
Compliance will apply from the go-live date of PCI DSS v4.0 in Q1 2024. Even if your annual assessment doesn’t come around until later that year, your QSA will expect to see that the PCI DSS v4.0 requirements have been in place at least going back to the v3.2.1 retirement date.