What’s New in PCI DSS 4.0
PCI DSS 4.0: What You Need to Know
It has been over three years since the Payment Card Industry Security Standards Council (PCI SSC) released version 3.2 of the Payment Card Industry Data Security Standard (PCI DSS) and just over two years since work began on PCI DSS 4.0. For this iteration of the standard, the request for comments (RFC) periods have been expanded and the interim drafts are being shared. Since the second request for comment phase just completed in November of 2019 and another is expected mid-2020, there could still be changes while the stakeholder comments are evaluated and incorporated. The enhanced feedback is expected to materially shape the final release expected in late 2020, although the core requirements are not expected to change substantially.
What’s Ahead for PCI DSS 4.0
With an increasingly interconnected technology landscape and ever more sophisticated cyberthreats, the standard must evolve. It is expected to give organizations more flexibility in choosing from the broad range of security controls needed today to mitigate risk. The areas of focus for PCI DSS 4.0 are:
- Safeguarding the needs of the payments industry
- Incorporating flexibility for new security methodologies
- Continuously improving security controls
- Enhancing validation
Authentication
The PCI SSC has been working with the Europay, Mastercard and Visa consortium to incorporate the 3DS Core Security Standard during credit card authorization. The 3DS standard enables organizations to build scalable secure authentication services designed to meet regulatory requirements and protect consumers.
Encryption
Cardholder data is exposed to malware-based threats while it is transmitted during payment transactions. PCI DSS 4.0 will provide enhanced guidance on securing network transmissions and preventing the harvesting of sensitive data in transit.
Monitoring
The new standard may allow businesses to use pluggable solutions for risk mitigation, enabling faster deployment without concentrating the processes in any one control environment.
Testing Frequency
A form of testing called Designated Entities Supplemental Validation (DESV) was previously reserved for companies that had experienced breaches. With this next release, PCI DSS 4.0 is expected to include DESV critical controls testing as standard for all companies.
Paragon Payment Solutions is the trusted integrated payments provider and strategic payments partner for software providers and their customers. To find out more about our services or how we can help your company limit the scope of PCI compliance, check out our guide to PCI compliance.