Work on the new version of PCI DSS, the security standard for credit card data, is still in full swing. The PCI Security Standards Council (PCI SSC) is planning to replace the previous version, PCI DSS v3.2.1, with the upcoming PCI DSS v4.0. PCI experts at usd AG have been following the development very closely and also provided feedback on the first draft during the “Request for Comment (RFC)” phase last year.
We have summarized the most important questions on the current status for you below:
When can we expect the release of PCI DSS v4.0?
Currently, the release of the final version of PCI DSS v4.0 is planned for the second quarter of 2021. Supporting documents such as the SAQs (Self-Assessment Questionnaires), the ROC templates (Report on Compliance) and the PCI DSS Glossary will follow a few months after the final version of PCI DSS v4.0, towards the end of 2021.
PCI DSS v4.0 has a comparatively long development phase before its official release. What are the reasons for this?
The PCI SSC refers to version 4.0 as the most significant change since PCI DSS v1.0, because the current version 3.2.1 no longer reflects the rapid technological change in IT. It must be fundamentally revised to account for technologies such as cloud services and microservices, whose use continues to grow.
In addition, feedback from the PCI community is extremely important to the Council. It has therefore deliberately chosen an extended development phase for the standard in order to provide stakeholders such as QSA companies with sufficient time and opportunities for their feedback.
The first opportunity to provide feedback on the previous PCI DSS v4.0 draft took place during the RFC in 2019 and resulted in over 3000 comments, which are now being carefully evaluated. Based on this, a revised draft will be presented in autumn 2020. With the publication of the second draft, a second feedback round for the stakeholders will begin. They will also be informed about any updates through quarterly webcasts and at the PCI Community Meeting at the end of the year.
What does the release of the new PCI DSS version mean for affected companies?
Companies that must be certified according to PCI DSS are given a clearly defined transition phase in which to review the changes and adapt their processes and systems accordingly: PCI DSS v3.2.1 will remain valid for another 18 months. This phase will not start until all PCI DSS v4.0 documents have been published, i.e. not only the standard itself, but also all supporting documents and training.
During the transition period from early 2022 to mid 2023, both standards, PCI DSS v4.0 and PCI DSS v3.2.1, will thus be valid at the same time. Affected companies can decide together with their QSA against which standard they want to be certified during this period.
In version 4.0, new requirements are future-dated, which gives companies time to complete the necessary implementations even beyond the transition phase. Until the specified date, these requirements are considered best practices and therefore remain optional.
Should companies already prepare for the new standard?
The PCI DSS v4.0 standard is still in development and, as described, a sufficiently long transition period will follow its publication. The best preparation is to align company processes with the PCI DSS v3.2.1 requirements and thereby strive for comprehensive security measures. Even though specific requirements were mentioned in the first draft, it is not certain that they will be included in the final standard. The PCI experts at usd AG are monitoring all updates for you and will also be actively involved in the next RFC phase.
Do you have questions regarding PCI DSS v4.0 or need support? Contact us, we are happy to help!
Please note: All dates are based on current projections and are subject to change.