PCI DSS 4.0 is just around the corner

Even though it is a sector-specific regulation (payment cards), due to the continuous increase in the use of this payment method, PCI DSS has become a widely recognized standard.

It’s undeniable that in recent months, especially after the arrival of the pandemic, our payment habits have changed. We’ve seen changes not only in online transactions but also in in-person payments, where cash—although still the preferred method for in-store purchases—is gradually losing ground to card payments. This shift began with the arrival of COVID due to the fear of paying with physical money, and it has remained in the habits of consumers worldwide, where card payments are growing rapidly.

But what is PCI DSS certification and who does it affect?

If there is still any doubt about the standard, PCI DSS is a security certification aimed at reducing credit card-related fraud and increasing the security of the data involved in online transactions.

Complying with PCI DSS is complex and costly without the right partner, but it is necessary to protect users, safeguard transactions, and establish a mark of quality. This standard, developed by the major credit card companies (VISA, MasterCard, Discover, JCB and AMEX), seeks to ensure the protection of data and the security of online transactions. It doesn’t matter what activity your organization performs or its size—if you process, store, or transmit card data, you must comply with the standard or risk losing your ability to process cards, facing rigorous audits, or being fined with high penalties.

PCI DSS 4.0 about to be released

PCI DSS is currently at version 3.2.1, released almost 4 years ago in May 2018. Due to an extended period for receiving comments and suggestions regarding PCI DSS validation documents (Report on Compliance (ROC) templates, Self-Assessment Questionnaires (SAQs), and Attestation of Compliance (AOC)), the PCI Security Standards Council (PCI SSC) has formally announced that version 4.0 of the PCI DSS standard will be released in the coming weeks, after a long review period.

No major changes are expected in the current 12 requirements, as they remain the fundamental basis for protecting payment card data. However, the standard is expected to evolve to adapt to changes in technologies, risk mitigation techniques, and the threat landscape. There will also be greater flexibility in the methods used to meet security objectives.

Key objectives of PCI DSS 4.0

According to the PCI SSC, the key objectives followed during the development of version 4 are:

Ensure that the standard continues to meet the security needs of the payments industry.
Add flexibility and support for additional methodologies to achieve security.
Promote security as an ongoing process.
Improve validation methods and procedures.

Looking deeper into the little information available about the upcoming changes in version 4, we can highlight the most significant ones:

Greater flexibility in implementation: until now, the standard described step-by-step the “what” and also the “how.” In the new version, customized implementation will be possible, allowing greater flexibility in how companies achieve compliance with certain requirements by designing their own controls. However, the effectiveness of the customized control will need to be properly justified for the corresponding requirement. Therefore, each company may choose between the existing prescriptive implementation or the new customized approach. Compensating controls will no longer be an option.
New and more stringent requirements: while the flexibility in achieving compliance increases, the new version will restructure requirements, making them more stringent—especially those governing how entities transmit, process, and store cardholder data.
Multi-factor authentication (MFA): PCI SSC and the consortium formed by Europay, MC and Visa have worked closely to create better standards for both access processes and payment processes. Therefore, some controls in PCI DSS 4.0 will likely be closely aligned with those in PCI 3DS.
Greater adoption of data encryption: due to the increasing number of data leaks and the continuous emergence of new vulnerabilities, data encryption has gone from being a recommendation to becoming mandatory in all environments. The new standard will increase its focus on this, providing new measures to enhance security in card data transmission.
Expansion of DESV (Designated Entities Supplemental Validation): until now, only certain entities that had experienced a security incident—or for any other reason considered relevant by the Council—were required to meet additional requirements. Some of these requirements are expected to apply to all entities in version 4.0, especially those related to the periodic review of critical controls.

Now that we have an overview of the changes expected in the new version, all that remains is to know when it will arrive.

In the latest timeline published by the PCI SSC, we can observe a transition period for the migration from PCI DSS v3.2.1 to v4.0, spanning from April 2022 to the first quarter of 2024. However, since the final exact date has not yet been published, these dates may vary.

Meanwhile, if you need to ensure data protection and security in online financial transactions, minimize fraud, and build trust, ask us how. We’ll be happy to help and make the process smooth and simple.