PCI Data Security Standard 4.0

You’ve probably heard the rumors.  The PCI Council is prepping to release the PCI Data Security Standard 4.0.  To date the actual proposed changes have been kept private to the PCI-SSC stakeholders (so limited viewing).  The PCI-SSC stakeholders were asked to review the draft in the 2017 request for comments period.  Hopefully by the time the new standard is released it won’t be already outdated by the shifting and ever-changing cybersecurity landscape. PCI-DSS Version 4.0 is expected to be released in Q3 or Q4 of 2020.

There are a couple rumors floating around that the PCI DSS will be going after.  Those speculated topic areas are:

1. Authentication and specifically adding enhanced multi-factor authentication requirements.
2. More clarity about encryption on internal and trusted networks.  The thought being that data should be encrypted at all times, with a commercially reasonable cipher strength, any time and any place it’s being processed, transmitted, or stored.
3. Enhanced monitoring requirements.  This could be an important one for most companies. The standard for logging and what should be monitored is well established, so the expectation is that the PCI-DSS will include some requirements on what should be logged, tracked, monitored.
4. Heightened scrutiny on high value controls.  It’s looking like the PCI-DSS might actually shift away from the check-the-box approach on security controls and move more towards a risk based control model.  This shift might take place in a couple different forms but the hope is that the PCI-SSC will bridge the annual risk assessment with the annual report on compliance assessment to test high-value security controls more frequently.

The PCI-SSC has also been taking a look at the 12 core PCI-DSS requirements and trying to determine if changes should be made.  The expectation is that they will largely leave the 12 requirements in place with making minor changes to accommodate the threat landscape.