    What to Expect from PCI DSS v4.0

    On Day 1 of the PCI Security Standards Council’s North America Meeting in Vancouver, Emma Sutcliffe, Global Head of Standards, kicked off the conversation. She previewed what we should expect from the upcoming Request For Comments (RFC) period, the version 4.0 draft of the Data Security Standard (DSS), and the goal of adding flexibility and support for additional methodologies to achieve security objectives.

    What hasn’t changed?

    Although the titles of some of the 12 requirements will change, the overall structure has not.

    What has changed?

    There will be two options for implementation and validation: defined and customized.

    Defined follows the current PCI DSS requirements and testing procedures. Customized is a new approach focused on the intent of each PCI DSS requirement. The new approach is meant to provide greater flexibility for entities to demonstrate how their security controls are implemented to meet objectives. An entity must provide documentation that describes the customized implementation, which includes the “who, what, where, when and how” of the controls; the evidence required to support the stated intent; and how the controls are maintained and how their effectiveness is ensured. An assessor must review the information provided by the entity to support the customized approach, define the testing procedures, and document the results of the testing within the Report on Compliance (ROC).

    Either approach (defined or customized) may be used for a PCI DSS requirement and both options can be used within the same PCI DSS assessment.

    What might change?

    The Council is still uncertain about the fate of compensating controls, since they were intended to provide flexibility and a customized approach for each requirement. The good news is that using the customized approach will not require a business justification or technical constraint, whereas a compensating control did.

    What can we expect in v4.0 of the Data Security Standard?

    • The overall structure will stay the same
    • The titles of the requirements will change to more accurately represent each purpose
    • Additional direction and guidance in the Overview
    • The requirements will be organized into Security Objectives
    • Clear identification of intent (objective) for each requirement
    • The requirements will be refocused as outcome-based statements
    • Expanded guidance

    What will be included in the RFC?

    • Full draft of PCI DSS v4.0
    • Summary of changes and new approach
    • Guidance for getting the most out of the RFC
    • Sample reporting template for customized validation
    • Instructions for accessing and completing the RFC

    What is the timeline?

    • First RFC of v4.0 draft: October 2019
    • Second RFC of v4.0 draft: Planned next year

    Stay tuned. Frazier & Deeter’s PCI team will share more updates from the PCI SSC meeting, as well as throughout the process of the RFC and the move to version 4.0 of the Data Security Standard.

    About the Author:

    Derrick Rice CISSP, CISA, QSA is a member of Frazier & Deeter’s Process, Risk & Governance Practice. PCI is one of his areas of expertise.
