Securing the Future of Payments

PCI SSC Publishes PCI Data Security Standard V4.0 Update

The recent publication of the PCI Data Security Standard (PCI DSS) version 4.0 reflects the importance of securing payment data and keeping up with the ever-evolving needs of the global payment industry. To create a comprehensive and flexible framework, experts from more than 200 organizations provided over 6,000 pieces of feedback, ensuring a more versatile and effective solution for securing account data.

PCI DSS v4.0 Changes On March 31, 2024

To assist your organization in adapting to the changes introduced by PCI DSS v4.0, the earlier version (v3.2.1) will remain active until March 31, 2024, giving you ample time to implement any required updates. You can refer to the implementation timeline on the PCI Perspectives Blog for more details.

Critical changes in PCI DSS v4.0 concentrate on these key aspects:

• Addressing the dynamic necessities of payment security
• Fostering a continuous security process
• Encouraging flexibility for organizations employing various methods to achieve security objectives
• Enhancing validation methods and procedures

Some notable updates in PCI DSS v4.0 include:

• Network security controls: Revised terminology from “firewall” supports a wider range of technologies that meet traditional security objectives.
• Multi-factor authentication (MFA) expansion: Requirement 8 now mandates MFA for all access to the cardholder data environment.
• Increased flexibility: Organizations can demonstrate how they achieve security objectives using different methods.
• Targeted risk analyses: Entities can define the frequency of certain activities based on their business needs and risk exposure.

Global Industry Input: Shaping a Standard to Safeguard Payment Data

The changes in PCI DSS v4.0 contribute to a more adaptable and responsive approach towards the payment and threat landscape. This updated standard guides organizations to secure account data in the present and future by reinforcing core security principles and offering flexibility for diverse technology implementations.

Complementing the updated standard, accompanying documents in the PCI SSC Document Library offer valuable insights into the transition process. Translations of the standard and Summary of Changes will be accessible in several languages, with further resources like podcasts, videos, and blog posts to support the community’s understanding.

Lastly, the PCI DSS Symposium on June 21 2022, offers an online education event for community members, covering important aspects of the updated standard. Assessor training for PCI DSS v4.0 will become available in June. Check the PCI SSC training resource page for the schedule of assessor training sessions.