What’s Coming in PCI DSS 4.0 and How Should You Prepare?

It’s been almost ten years since the Payment Card Industry Data Security Standard (PCI DSS) last had a major release of new requirements. Put another way, the last time PCI released a new version, there was no Apple, Android, Google or Samsung Pay, the Ethereum blockchain had not yet launched, and the EMV liability shift had not yet occurred in the United States. Much has changed in the payments ecosystem, and merchants can expect significant changes in PCI DSS 4.0 as the standard catches up with the current state of the technology.

What Changes are Coming with PCI DSS 4.0?

While we at W. Capra have no crystal ball or spy technology, the buzz around PCI DSS 4.0 is that the 12 core requirements from PCI DSS 3.2 will not change. In building on those requirements for 4.0, merchants can expect the burden of proving compliance to evolve drastically. Whereas this process was previously a “check-the-box” exercise, it will likely be incumbent upon the merchant to demonstrate a) an understanding of the intent of each requirement (PCI DSS is a contractual industry standard rather than a law, but the principle is the same), and b) how the merchant’s controls meet that intent.

Josh Kennedy, Senior PCI Security Consultant at W. Capra, added, “There will be a requirement within organizations looking to maintain PCI compliance to have a more in-depth understanding of how and why the security controls they use actually work.”

Based on the above, Qualified Security Assessors (QSAs) will find themselves interpreting the requirements during assessments rather than simply confirming that a control is present. On the merchant side, this places a greater burden of proof on the technical capability of the organization: merchants will have to make the case that their technology satisfies the intent of each requirement, which requires genuine expertise in how that technology actually functions.

Merchants should also expect security practices that have gained significance in recent years, such as multi-factor authentication (MFA), to play a larger role in PCI DSS 4.0. When PCI DSS 3.0 was released, it required only that passwords be at least seven characters long and contain both letters and numbers. Industry best practice has obviously moved well beyond that baseline, so we anticipate that the introduction of 4.0 will bring a refresh of authentication and system-administration policies and procedures.

How Should You Prepare for PCI DSS 4.0?

The document itself is scheduled for release at the end of this year, and compliance is expected to be required 18 months after publication. As such, it is reasonable to anticipate that you’ll need your PCI DSS 4.0 Report on Compliance (ROC) in place by 2024 at the latest.

Until PCI DSS 4.0 is published, W. Capra recommends that merchants familiarize themselves with the Designated Entities Supplemental Validation (DESV), which lays out practices that go beyond the baseline requirements and will likely inform 4.0. Since PCI DSS 4.0 will likely require merchants to validate their cardholder data environments more frequently (and since upcoming data privacy regulations mandate careful handling and minimization of consumer data), we advise merchants to become familiar with their data environments immediately and to build expertise in their data flows and technical architecture. Toward this end, it’s important to ensure that not only knowledge, but also processes, are buttoned up and as secure as possible.

For further discussion of PCI DSS 4.0 and its potential implications for your merchant environment, contact Josh Kennedy at [email protected].