The PCI Data Security Standard (PCI DSS) needs industry input to progress. The Council wants more input to make the PCI DSS v4.0 validation documents as accurate as possible. The Council targets Q4 2021 for PCI DSS v4.0 completion owing to expanded stakeholder comment opportunities.
The new timeline will still allow companies to migrate from PCI DSS 3.2.1 to 4.0 and comply with any future-dated standards.
PCI DSS 4.0 timeline:
In response to a previous statement, the PCI Security Standards Council has moved its target for releasing PCI DSS v4.0 from Q4 2021 to Q1 2022. As a result of this timeline, it is recommended that a separate request for comments (RFC) be included, in which the community is asked to provide input on the PCI DSS v4.0 draft validation documents.
Because of the significance of this modification, a draft of the standard will be made available to Participating Organizations, QSAs, and ASVs before publication. This preview period gives stakeholders an additional opportunity to familiarize themselves with version 4.0 of the standard before its official release.
The preview for Participating Organizations, QSAs, and ASVs is scheduled to begin in January 2022. It will include a draft of the PCI DSS v4.0 and a Summary of Changes document, among other things. The official release of the standard’s final versions and validation papers and the first round of standard translations is planned to take place in March 2022.
Additionally, beginning in March 2022, RFC participants will have access to the RFC Feedback Summaries for the two most recent RFCs: the PCI DSS v4.0 Draft v0.2 (2020) and the PCI DSS v4.0 Validation Documents (2021).
According to the schedule, training QSAs and ISAs to implement PCI DSS v4.0 is expected to begin in June 2022.
We have amended the schedule to incorporate an extra RFC for validation documents, the PCI SSC stakeholders preview period, and the planned public release of the PCI DSS v4.0 standard, validation documents, and other materials.
Benefits of upgrading to PCI DSS 4.0?
The PCI Data Security Standard (PCI DSS) is a comprehensive set of information security rules for businesses that collect and process credit card information from customers.
The PCI Security Standards Council is constantly analyzing and improving the way the sector operates and conducts business. Its primary goal is to improve the way businesses manage data collection, storage, distribution, and security in general. As a result, it provides fresh updates regularly to assist organizations in enhancing their operations and guaranteeing regulatory compliance in these areas.
As the PCI DSS 4.0 edition approaches, the Payment Card Industry Security Standards Council (PCI SSC) receives increasing support for launching or revising new payment initiatives.
We anticipate that the credit card data security regulations will have a significant impact on six major areas. Some of the topics covered are security, customized implementation, authentication, encryption, monitoring, and methods for performing the necessary control testing.
What Are Some Critical Changes With PCI DSS v4?
1. Customized Implementation to Meet Security Controls’ Intent
This is the most significant change coming with PCI DSS 4.0 next year. To emphasize primary security objectives, the 12 criteria will be restructured.
The aims are to ensure the standard meets the payments industry’s security criteria, increase flexibility and support for alternative security measures, continually educate the public on security, and enhance validation procedures.
The new customized validation technique will help define the security outcomes for each criterion. With PCI DSS 4.0, businesses can either follow the prescribed procedure or tailor the control. In addition, companies can meet requirements by proving that the requirement’s goal is met without providing an operational or technical explanation.
2. Greater Security Obligations
To guarantee that all retailers securely store, handle, and transfer cardholder data, PCI DSS 4.0 is expected to raise the bar and build on the confidence established by PCI DSS v3.2.1. The Summary of Changes will definitely include tougher security measures. Top management, especially CISOs and CTOs, should plan for budget modifications to meet the new criteria.
3. Focus on NIST Multi-Factor Authentication/Password Guidance
The upgraded edition features NIST/Password Guidance. In addition, for payment and control process log-ins, the PCI SSC stresses stronger authentication. It also collaborated with EMVCo to adopt the 3DS Core Security Standard for transaction authorization.
Businesses can now design their own pluggable authentication standards to meet data security regulations. These can also be scaled to suit the business’s transaction goals.
4. More Encryption in Trusted Networks
The demand for more specific standards for cardholder data protection has increased. One of the most serious concerns facing financial institutions is malicious code. Once the code is linked into the network, data from cardholders can be retrieved. With PCI DSS 4.0, best practices and recommendations are provided for appropriately securing network connections.
5. Monitoring: Technological Advancement Requirements
Expect more risk-based strategies in PCI DSS 4.0. Businesses are looking towards pluggable solutions for their information systems, akin to the PCI Software Security Framework. These technologies allow businesses to maintain standards while speeding up process deployment without requiring a dedicated control room.
6. DESV Testing Frequency Requirements
Designated Entities Supplemental Validation (DESV) is a more demanding level of critical control testing, requiring additional testing. It was previously only required for compromised firms. This new version may require all businesses to comply.
The PCI SSC has finished updating the Payment Card Industry Data Security Standard (PCI DSS) and expects it to benefit small businesses.
It is great news for smaller businesses struggling to comply. “The PCI 4.0 standard will be introduced in stages over the following months,” according to an IT Pro Portal article. We’re thrilled for this update!