    What to Expect from PCI DSS v4.0

    On Day 1 of the PCI Security Standards Council’s North America Community Meeting in Vancouver, Emma Sutcliffe, Global Head of Standards, kicked off the conversation. She previewed what to expect from the upcoming Request for Comments (RFC) period and the version 4.0 draft of the Data Security Standard (DSS), whose stated goal is to add flexibility and support for additional methodologies of achieving the standard’s security objectives.

    What hasn’t changed?

    Although the titles of some of the 12 requirements will change, the overall structure of the 12 requirements has not.

    What has changed?

    There will be two options for implementation and validation: defined and customized.

    Defined follows the current PCI DSS requirements and testing procedures as written. Customized is a new approach focused on the intent of each PCI DSS requirement rather than its prescribed control: it is meant to give entities greater flexibility to demonstrate how their own security controls are implemented to meet the requirement’s objective. An entity choosing the customized approach must provide documentation that describes the customized implementation, including the “who, what, where, when and how” of the controls; the evidence that supports the stated intent; and how the controls are maintained and their effectiveness ensured. The assessor must review the information the entity provides, define the testing procedures for that implementation, and document the results of the testing within the Report on Compliance (ROC).

    Either approach (defined or customized) may be used for any given PCI DSS requirement, and both options can be used within the same PCI DSS assessment.

    What might change?

    The Council is still uncertain about the fate of compensating controls, since they were intended to provide exactly the kind of flexibility and per-requirement customization that the customized approach now offers. The good news is that the customized approach will not require a documented business justification or technical constraint, whereas a compensating control does.

    What can we expect in v4.0 of the Data Security Standard?

    • The overall structure will stay the same
    • The titles of the requirements will change to more accurately represent each requirement’s purpose
    • Additional direction and guidance in the Overview
    • The requirements will be organized into Security Objectives
    • Clear identification of intent (objective) for each requirement
    • The requirements will be refocused as outcome-based statements
    • Expanded guidance

    What will be included in the RFC?

    • Full draft of PCI DSS v4.0
    • Summary of changes and new approach
    • Guidance for getting the most out of the RFC
    • Sample reporting template for customized validation
    • Instructions for accessing and completing the RFC

    What is the timeline?

    • First RFC of v4.0 draft: October 2019
    • Second RFC of v4.0 draft: Planned for the following year (2020)

    Stay tuned. Frazier & Deeter’s PCI team will share more updates from the PCI SSC meeting, as well as throughout the process of the RFC and the move to version 4.0 of the Data Security Standard.

    About the Author:

    Derrick Rice CISSP, CISA, QSA is a member of Frazier & Deeter’s Process, Risk & Governance Practice. PCI is one of his areas of expertise.
