Find Your Specialist


Contact Us

Go Back

What to Expect from PCI DSS v4.0

On Day 1 of the PCI Security Standards Council’s North America Meeting in Vancouver, Emma Sutcliffe, Global Head of Standards, kicked off the conversation. She previewed what we should expect from the upcoming Request For Comments (RFC) period, the version 4.0 draft of the Data Security Standard (DSS), and the goal of adding flexibility and support of additional methodologies to achieve security objectives.

What hasn’t changed?

Although the titles of some of the 12 requirements will change, the overall structure has not.

What has changed?

There will be two options for implementation and validation: defined and customized.

Defined follows the current PCI DSS requirements and testing procedures. Customized is a new approach focused on the intent of each PCI DSS requirement. The new approach is meant to provide greater flexibility for entities to demonstrate how their security controls are implemented to meet objectives.  An entity must provide documentation that describes the customized implementation, which includes the “who, what, where, when and how” of the controls; the evidence required to support the stated intent; and how the controls are maintained and how effectiveness is ensured.  An assessor must review the information provided by the entity to support the customized approach, define the testing procedures, and document the results of the testing within the ROC.

Either approach (defined or customized) may be used for a PCI DSS requirement and both options can be used within the same PCI DSS assessment.

What might change?

The Council is still uncertain on the fate of compensating controls, since they were intended to provide flexibility and a customized approach for each requirement.  The good news is that using the customized approach will not require a business justification or technical constraint, whereas a compensating control did.

What can we expect in v4.0 of the Data Security Standard?

  • The overall structure will stay the same
  • The titles of the requirements have changed to more accurately represent each purpose
  • Additional direction and guidance in the Overview
  • The requirements will be organized into Security Objectives
  • Clear identification of intent (objective) for each requirement
  • The requirements will be refocused as outcome-based statements
  • Expanded guidance

What will be included in the RFC?

  • Full draft of PCI DSS v4.0
  • Summary of changes and new approach
  • Guidance for getting the most out of the RFC
  • Sample reporting template for customized validation
  • Instructions for accessing and completing the RFC

What is the timeline?

  • First RFC of v4.0 draft: October 2019
  • Second RFC of v4.0 draft: Planned next year

Stay tuned. Frazier & Deeter’s PCI team will share more updates from the PCI SSC meeting, as well as throughout the process of the RFC and the move to version 4.0 of the Data Security Standard.

About the Author:

Derrick Rice CISSP, CISA, QSA is a member of Frazier & Deeter’s Process, Risk & Governance Practice. PCI is one of his areas of expertise.

Related Articles

Privacy Overview

When you use or access the Site, we use cookies, device identifiers, and similar technologies such as pixels, web beacons, and local storage to collect information about how you use the Site. We process the information collected through such technologies, which may include Personal Information, to help operate certain features of the Site (e.g., to prevent online poll participants from voting more than once), to enhance your experience through personalization, and to help us better understand the features of the Site that you and other users are most interested in.

You can enable or disable our use of cookies per category.
Always Enabled

Essential cookies enable you to navigate our Site and use certain features, such as accessing secure areas of our Site and using other features of our service that require us to keep track of certain information as you navigate from page to page. Although some of these cookies are “required” to enable certain functionality, you can disable them in the browser, but doing so will limit your ability to use the features supported by such cookies.


Functionality cookies are cookies that support features of the Site, such as remembering your preferences.


These cookies collect information about how you use our Site, including which pages you go to most often and if they receive error messages from certain pages. These cookies are only used to improve how our Site functions and performs.

Tracking or Targeting

From time-to-time, we may engage third parties that track individuals who visit our Site. These third parties may track your use of the Site for purposes of providing us with certain marketing automation features (to help us improve our outreach to current and prospective clients) and providing you with targeted advertisements.