PCI DSS Compliance 4.0: What You Need to Know?


The Payment Card Industry Data Security Standard (PCI DSS) is a security standard published by the PCI SSC and aimed at defining controls for the protection of cardholder data.


Earlier, it was at version 3.2.1, released on May 17, 2018.

Origin

Before the publication of the first version of the PCI DSS standard, each of the payment card brands that are currently part of the PCI SSC had its own security program for the protection of cardholder data:

  • American Express - Data Security Operating Policy (DSOP)
  • Discover - Discover Information Security Compliance (DISC)
  • JCB International - Data Security Program (DSP)
  • MasterCard - Site Data Protection (SDP)
  • Visa USA - Cardholder Information Security Program (CISP)
  • Visa International - Account Information Security Program (AIS)

Each of these programs defined the security controls to be implemented, the entities that had to comply with those controls, the compliance reporting processes, and the non-compliance fees and sanctions. 

As we will recall, version 3.2.1 of the Payment Card Industry Data Security Standard (PCI DSS) was published in May 2018. 

This was a minor revision of version 3.2, the main objective of which was to remove a series of effective dates for various controls that had already been met and correct some misprints, without including any new controls or extending the scope of existing controls. 

It was also notable for being a version published outside the 3-year life cycle that the PCI SSC established for its standards.

When will PCI DSS be released? 

As far as is known, the PCI SSC will continue publishing its standards outside of these cycles, which means its 3-year life cycle program for the publication of PCI DSS and PA DSS will officially become obsolete. 

It has announced the release of PCI DSS version 4.0 before the end of 2020. This is an estimated date, as it depends on the working groups' analysis of the comments received in 2017.

PCI DSS 4.0 – The latest version:

PCI DSS 4.0 is the latest version of the Payment Card Industry Data Security Standard. It is predicted to be released in mid-2021. 

Like all previous versions of PCI DSS, 4.0 will be a complete set of requirements aimed at securing systems involved in the storage, processing, or transmission of credit card data.

What's new in PCI DSS version 4.0?

Among the novelties that will be incorporated in this new version are the following:

  • Alignment of authentication controls with the NIST Special Publication 800-63 guidance on multi-factor authentication (MFA) and passwords, including protection of critical accounts, restriction of the use of one-time passwords (OTP) delivered over SMS and email, and general recommendations for the selection of passwords and their complexity. 
  • Use of encryption in traffic within trusted networks. 
  • Incorporation of various controls from PCI DSS Schedule 3 (Designated Entity Supplemental Validation) as regular PCI DSS controls. 
  • Added support for additional methodologies for environment security management. 
  • Optimization of validation methods and procedures. 
  • Improvement of existing controls related to monitoring to incorporate current technological changes.
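To make the first bullet concrete, here is an added illustration (not code from the article or from the PCI SSC) of what a NIST SP 800-63B-style password and MFA policy check looks like in practice. The length thresholds, the factor-category mapping, and the tiny compromised-password blocklist are assumptions constructed for the example; a real deployment would load a breached-password corpus. Note what the check deliberately omits: composition rules and forced periodic rotation, both of which 800-63B discourages, while SMS and email OTP are flagged as restricted, matching the restriction the article describes.

```python
"""Password and MFA policy checks in the style of NIST SP 800-63B.

Added example only; not the article's or the PCI SSC's code. Thresholds,
the blocklist and the factor-category table are assumptions for illustration.
"""

import unicodedata

# Constructed sample blocklist. A real deployment loads a breached-password
# corpus (millions of entries) instead of this handful.
COMPROMISED_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome1"}

MIN_LENGTH = 8   # assumption: 800-63B minimum for user-chosen secrets
MAX_LENGTH = 64  # assumption: 800-63B asks verifiers to accept at least 64

# OTP delivery channels the article says the new version restricts.
RESTRICTED_OTP_CHANNELS = {"sms", "email"}

# Assumed mapping of authenticator type to factor category
# (something you know / something you have).
FACTOR_CATEGORY = {
    "password": "knowledge",
    "totp": "possession",
    "otp": "possession",
    "fido2": "possession",
    "hardware_token": "possession",
}


def normalize(secret: str) -> str:
    """NFKC-normalize before comparison so visually identical secrets
    compare equal regardless of how the client encoded them."""
    return unicodedata.normalize("NFKC", secret)


def password_findings(secret: str, username: str = "") -> list[str]:
    """Return the reasons a candidate password fails the policy.

    An empty list means the password is accepted. Only length and blocklist
    screening are applied; there are intentionally no composition rules
    (mandatory uppercase/digit/symbol), which 800-63B advises against.
    """
    s = normalize(secret)
    findings = []
    if len(s) < MIN_LENGTH:
        findings.append(f"shorter than {MIN_LENGTH} characters")
    if len(s) > MAX_LENGTH:
        findings.append(f"longer than {MAX_LENGTH} characters")
    if s.lower() in COMPROMISED_PASSWORDS:
        findings.append("appears in the compromised-password blocklist")
    if username and username.lower() in s.lower():
        findings.append("contains the account username")
    return findings


def mfa_findings(factors: list[dict]) -> list[str]:
    """Evaluate the authenticators enrolled on an account.

    Each factor is a dict with a 'type' key (see FACTOR_CATEGORY) and, for
    'otp', a 'channel' key ('sms', 'email' or 'app'). Flags restricted OTP
    channels and accounts that do not combine two distinct factor categories.
    """
    findings = []
    categories = set()
    for f in factors:
        if f["type"] == "otp" and f.get("channel") in RESTRICTED_OTP_CHANNELS:
            findings.append(f"{f['channel']} OTP is a restricted authenticator")
        categories.add(FACTOR_CATEGORY[f["type"]])
    if len(categories) < 2:
        findings.append("fewer than two distinct factor categories")
    return findings


def evaluate_account(username: str, password: str, factors: list[dict]) -> dict:
    """Combine both checks into one report for an account (constructed input)."""
    return {
        "password": password_findings(password, username),
        "mfa": mfa_findings(factors),
    }


if __name__ == "__main__":
    # Constructed sample account: weak password plus SMS OTP as second factor.
    report = evaluate_account(
        "alice",
        "password",
        [{"type": "password"}, {"type": "otp", "channel": "sms"}],
    )
    for area, items in report.items():
        print(area, "->", items or ["ok"])
```

Running the block as a script prints one line per area; in an identity-provider integration you would call `evaluate_account` at enrollment and password-change time and reject or warn based on the returned findings rather than on printed output.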