Mike Ciunci
Listen to: "PCI DSS 4.0: What Changes Can We Expect?"

PCI DSS 4.0 Release Date: Mid-2021

For organizations that store, process, or transmit consumers' payment card data, the Payment Card Industry Data Security Standard (PCI DSS) is the governing set of information security requirements.

The request for comments (RFC) period for PCI DSS 4.0 closed last November, and the PCI Security Standards Council plans to release version 4.0 by the middle of 2021. Many of the PCI security controls are a decade old, and the standard has seen only incremental updates since the 3.x line (the current version, 3.2.1, dates from 2018), so industry insiders expect PCI DSS 4.0 to be a significant revision. Below we outline the changes we expect when the updated version comes out next year.

What Will Change When PCI DSS version 4.0 Is Released?

Industry feedback to the Payment Card Industry Security Standards Council (PCI SSC) has supported a number of new or revised measures for the PCI DSS 4.0 release.

We anticipate six areas of change in the card data security standard: customized implementation, more stringent security requirements, authentication, encryption, monitoring, and the frequency of critical control testing.

6 Key Changes to Anticipate with PCI DSS 4.0

Here’s a closer look at the main PCI DSS 4.0 changes to plan for:

1. Flexibility: Customized Implementation to Meet the Intent of Security Controls

This is probably the biggest change that PCI DSS 4.0 will usher in next year. The 12 requirements themselves remain, but the revision is organized around four goals the PCI SSC has stated for it:

  • Ensure the standard continues to meet the security needs of the payments industry,
  • Add flexibility and support of additional methodologies to achieve security,
  • Promote security as a continuous process,
  • Enhance validation methods and procedures.

The new, customized validation approach defines the security outcome each requirement is meant to achieve. With PCI DSS 4.0, organizations can choose either to implement the control as prescribed or to opt for a customized implementation. With a customized implementation, a company complies by demonstrating that the intent of the requirement is met, without having to provide an operational or technical justification for departing from the prescribed control.

Like compensating controls, this change gives businesses flexibility in how they meet a requirement's intent; unlike compensating controls, it does not require documenting a constraint that prevents the prescribed control from being used. To verify effectiveness, external assessors must review the organization's documentation and thoroughly test each customized control rather than relying on the standard's predefined testing procedures.

2. Security: More Stringent Requirements

The ultimate goal of PCI DSS continues to be ensuring that all merchants and service providers store, process, and transmit cardholder data securely. It is fair to assume that PCI DSS 4.0 will set the bar higher and build on the assurance of PCI DSS v3.2.1. In addition to restructuring many of the requirements, the Summary of Changes published with the release will likely list strengthened requirements. Top management, including CISOs and CTOs, should prepare to adjust budgets so that capital and operational funds are available to implement the new requirements.

3. Authentication: Deeper Focus on NIST MFA/Password Guidance

Two authentication threads are in play: NIST's digital identity guidance (SP 800-63) on passwords and multi-factor authentication for access to the cardholder data environment, and the work the PCI SSC has been doing with EMVCo (the Europay, Mastercard and Visa consortium) on authentication during payment transactions. One element that PCI DSS 4.0 may address in greater detail is the PCI 3DS Core Security Standard, which covers the 3DS Server, Directory Server and Access Control Server environments that run EMV 3-D Secure cardholder authentication during transaction authorization. EMV 3DS lets organizations plug in different authentication methods for secure customer authentication, so controls can meet data security and regulatory requirements while scaling with the company's changing transaction objectives.

4. Encryption: Broader Applicability on Trusted Networks

With cyber threats becoming more prevalent in the industry, keeping cardholder data secure on trusted networks is imperative. Under v3.2.1, Requirement 4 mandates strong cryptography only when cardholder data is transmitted over open, public networks; traffic between systems inside a trusted internal network may still travel in the clear. One of the biggest threats to address is malicious code that penetrates that internal network: once inside, it can harvest cardholder data as it is transmitted between systems. We therefore expect PCI DSS 4.0 to provide guidance and best practices for securing transmissions on internal networks as well.
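As an added illustration (not code from the original article), the following Python script shows what "harvesting" cardholder data in transit looks like from the defender's side: it scans captured payloads for Luhn-valid primary account numbers (PANs) that also carry a plausible issuer prefix, and finds them in a cleartext HTTP request between two internal hosts but not in a TLS record. The sample frames, host names and PANs are constructed for this example (the PANs are publicly known test numbers, not real cards).

```python
"""Scan captured payloads for cleartext PANs (added example, not from the article)."""
import hashlib
import re
from typing import Dict, List, Tuple

# Candidate PAN: 13-19 digits, optionally separated by single spaces or dashes,
# not embedded in a longer digit run.
_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Leading digits used by the major card brands (Visa 4; Mastercard 51-55 and
# 2221-2720; American Express 34/37; Discover 6011/65). Luhn alone still
# accepts one in ten random digit runs, so the prefix check cuts false positives.
_ISSUER_PREFIX = re.compile(
    r"^(4|5[1-5]|2(22[1-9]|2[3-9]\d|[3-6]\d\d|7[01]\d|720)|3[47]|6(011|5))"
)


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn mod-10 check."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(payload: bytes) -> List[str]:
    """Return Luhn-valid, issuer-plausible PANs found in one captured payload.

    Non-UTF-8 bytes (for example TLS ciphertext) are decoded with replacement so
    the regex still runs; ciphertext practically never contains a digit run that
    is long enough, Luhn-valid and prefixed like a real card number.
    """
    text = payload.decode("utf-8", errors="replace")
    hits = []
    for match in _CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", match.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits) and _ISSUER_PREFIX.match(digits):
            hits.append(digits)
    return hits


def scan_capture(frames: List[Tuple[str, bytes]]) -> Dict[str, List[str]]:
    """Map each labelled frame to the PANs exposed in it (empty list = nothing found)."""
    return {label: find_pans(payload) for label, payload in frames}


# Constructed sample frames, as a sniffer on an internal segment might see them.
# The TLS "record" body is deterministic pseudo-random bytes standing in for ciphertext.
_FAKE_CIPHERTEXT = b"\x17\x03\x03\x00\x40" + hashlib.sha256(b"ciphertext").digest() * 2
SAMPLE_FRAMES: List[Tuple[str, bytes]] = [
    # checkout -> payment gateway hop sent over plain HTTP on the "trusted" LAN
    ("cleartext-http",
     b"POST /authorize HTTP/1.1\r\nHost: pay.internal\r\n\r\n"
     b"pan=4111111111111111&exp=1225&cvv=123"),
    # formatted PAN and an Amex number written into an application log
    ("app-log", b"2021-06-15 ts=20210615123456 card: 5555 5555 5555 4444 amex=3782-822463-10005"),
    # a 16-digit order id that fails Luhn: must not be reported
    ("order-event", b"order_id=4111111111111112 status=ok"),
    # the same hop after it is moved to TLS: nothing recoverable from the wire
    ("tls-record", _FAKE_CIPHERTEXT),
]

if __name__ == "__main__":
    for label, pans in scan_capture(SAMPLE_FRAMES).items():
        print(f"{label:15s} {'EXPOSED ' + ', '.join(pans) if pans else 'clean'}")
```

The scanner is the kind of check an assessor or internal team can run over a packet capture from an internal segment to learn whether cardholder data crosses it unencrypted; the same logic, pointed at file shares or logs, is the basis of cardholder data discovery.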

5. Monitoring: Technology Advancement Requirements

PCI DSS 4.0 is likely to take a more risk-based approach to monitoring. Technology is evolving rapidly, and companies are adopting modular, vendor-supplied components for their information systems, the model the PCI Software Security Framework already validates. Adopting such solutions lets organizations comply with the standard while deploying monitoring processes faster, without tying the technology to a single, fixed control area.

6. Critical Control Testing Frequency: Possible Inclusion of DESV Requirements

The Designated Entities Supplemental Validation (DESV) requirements have been part of the standard since version 3.2, as an appendix that applies only to entities designated by a payment brand or acquirer, typically large-volume processors or organizations that have suffered repeated breaches. The DESV's more frequent testing of critical controls, and some of its additional controls, may now make their way into the core requirements of the new version and become the compliance baseline for all businesses.

PCI DSS 4.0 Timeline

The request for comments (RFC) phase ended on November 30, 2019. The PCI SSC is now developing the new DSS version, but has pushed the expected release date to mid-2021.

In preparation for PCI DSS 4.0, we recommend that organizations plan for budgetary changes to adapt to the new requirements and the additional risk-based security testing. Implementing the more significant changes is likely to demand staffing and training efforts as well.

Related article: How to Keep Employees and Your Organization PCI Compliant and What Changes Are Coming for PA-DSS V3.2?

Obtain PCI DSS Assessment Testing

Handling and transmitting cardholder data, and performing transactions, must take place in an environment with the correct information security controls in place to minimize risk. Learn whether your systems are PCI DSS compliant with specialized testing from I.S. Partners, LLC.

We make the process easier by offering a range of assessments and advisory services tailored to your business framework. With a PCI DSS Assessment, you can minimize risks, identify security vulnerabilities, and further protect cardholder data from breaches. Reach out to I.S. Partners by filling out the contact form below or calling 215-675-1400.
