By: Brandon Polk, Director of Compliance Services
Contextual Security Solutions | March 12, 2019 @ 14:33
The assessment community has been hearing some chatter about upcoming changes to the Payment Card Industry Data Security Standard (PCI DSS). This is to be expected from time to time: as technologies continue to evolve, the methods used to secure cardholder data must also adapt. So, what can be expected from the latest revision?
As of this writing, the latest PCI DSS version is 3.2.1, which represents only a minor revision to the 3.2 standard. However, the upcoming release is expected to be versioned 4.0, which under semantic version numbering suggests a major release. It should be noted that these changes take time, and the PCI Security Standards Council (PCI SSC) always incorporates a transition period to allow organizations to implement effective controls before they become enforceable.
Last week, the PCI SSC released some overview information about the goals for PCI DSS 4.0. Although semantic versioning suggests this is a major release, the SSC stated, “the 12 core PCI DSS requirements are not expected to fundamentally change with PCI DSS v4.0, as these are still the critical foundation for securing payment card data.” The Council also identified the following key goals for the updated framework:
- Ensure the standard continues to meet the security needs of the payments industry
- Add flexibility and support for additional methodologies to achieve security
- Promote security as a continuous process
- Enhance validation methods and procedures
Finally, the Council has indicated that while the exact timelines and release schedules are still unknown, the 4.0 standard is not expected to be released until late 2020. At Contextual Security, we continuously monitor for these types of changes and work closely with our clients to ensure a smooth transition to updated standards, with the aim of eliminating surprises at assessment time. For more information about how our professional services can help you get the most out of your information security and compliance programs, visit us at https://www.contextualsecurity.com or e-mail firstname.lastname@example.org.