PCI DSS 3.2.1 Changes and What’s to Come From Version 4.0

Published June 6, 2016 · 5 min read

Being compliant with the Payment Card Industry Data Security Standard version 3.2.1 (PCI DSS 3.2.1), published in May 2018 and the only valid version since Jan. 1, 2019, soon won't be good enough for organizations accepting payments with the major card brands. That's because the Payment Card Industry Security Standards Council (PCI SSC) has nearly completed a new version, PCI DSS 4.0, slated for launch in mid-2021.

Noncompliance with this update, as with the previous versions, is not an option. If your organization accepts credit or debit card payments, whether as ecommerce transactions or in person, it must demonstrate PCI DSS compliance.

Why Update PCI DSS?

When new technologies come along or attackers shift tactics, security controls need to change as well. That's why the PCI Security Standards Council periodically updates the PCI Data Security Standard (PCI DSS), which governs the protection of cardholder data and the cardholder data environment (CDE).

For the version 4.0 update, the council has been considering how to continue protecting card data in the face of technological advancements and emerging security threats. 

The council will take into account new techniques for risk mitigation and today's challenges, such as securing remote access to the CDE and the growth of online payments.

What Is PCI DSS?

The Payment Card Industry Data Security Standard (PCI DSS) is an information security framework intended to help merchants and service providers protect credit and debit card transactions from data breaches.

PCI DSS is not a law or regulation, but an industry mandate. If your enterprise accepts credit card payments or handles payment card data, it must comply with PCI DSS. If there’s a data breach and your security controls are found to be out of PCI compliance, the penalty could be steep fines and even a loss of card-payment privileges.

Highly prescriptive, the standard is organized into six goals, 12 PCI DSS requirements and roughly 250 sub-requirements, all designed to help your PCI DSS compliance program enact appropriate security controls and policies.

PCI DSS also applies to third-party service providers that store, process or transmit cardholder data on a merchant's behalf, or that can affect the security of the CDE, such as payment processors, gateways and hosting providers. (Payment applications themselves are covered by the council's separate software security standards.)

The card brands assign merchants a compliance level, based mainly on annual transaction volume, and validation requirements differ by level. Level 1 merchants, those with the highest transaction volume, must undergo an annual on-site assessment by a Qualified Security Assessor (QSA) resulting in a Report on Compliance, plus quarterly external vulnerability scans by an Approved Scanning Vendor (ASV). Merchants at Levels 2 through 4 can typically validate with an annual Self-Assessment Questionnaire (SAQ) and quarterly ASV scans rather than a full on-site assessment, although a card brand or acquirer may impose stricter requirements.

PCI DSS: A Brief History

PCI DSS’s origins date to 1999, when Visa developed a Cardholder Information Security Program in response to rampant increases in credit card fraud via the (new) Internet. Other major credit-card brands—Mastercard, Discover, American Express, and JCB—followed suit with their own security programs. In 2004 these five jointly launched PCI DSS 1.0.

In 2006, the card brands added financial institutions, merchants, processor companies, software developers, point-of-sale vendors, and others to their security initiative, forming the PCI Security Standards Council (PCI SSC). The council made the first revisions to the standard, PCI DSS 1.1.

Subsequent revisions have been issued since, all the way to PCI DSS 3.2.1, which took effect Jan. 1, 2019. All merchants and service providers that store, process, or transmit cardholder data for any of these card brands must comply with PCI DSS 3.2.1.

What Was New in 3.2.1?

The previous PCI DSS update, PCI DSS 3.2.1, made only very minor changes to PCI version 3.2. It didn’t impose new requirements, but only clarifications.

It changed or removed dates in PCI DSS 3.2 that had already passed. For instance, it removed 3.2's references to the deadlines for migrating from SSL and early TLS to a secure version of TLS (TLS 1.2 or higher is recommended). Those dates passed in 2018, but the underlying requirement still stands: SSL and early TLS may not be used as a security control except under the narrow exception for legacy POS terminals, so any such protocol still enabled on a CDE system is a finding.
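A practical way to check the point above is to ask a server for each TLS version in turn and see which handshakes it completes. The script below is an added example, not code from the page or from ZenGRC; it assumes Python 3.7+ and OpenSSL-backed `ssl`, and the host and port it probes are supplied by the operator, not taken from the article. SSLv2 and SSLv3 cannot be requested by a modern OpenSSL client, so they are only judged when reported by another tool.

```python
"""Added example: probe which TLS versions a server accepts and judge the result
against the PCI DSS ban on SSL and early TLS. Not code from the page or ZenGRC."""
import socket
import ssl
import sys

# Versions a modern OpenSSL client can still request. SSLv2/SSLv3 are absent because
# current builds refuse to negotiate them at all.
PROBE_VERSIONS = {
    "TLSv1": ssl.TLSVersion.TLSv1,
    "TLSv1.1": ssl.TLSVersion.TLSv1_1,
    "TLSv1.2": ssl.TLSVersion.TLSv1_2,
    "TLSv1.3": ssl.TLSVersion.TLSv1_3,
}
EARLY_TLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}   # banned by PCI DSS
SECURE_TLS = {"TLSv1.2", "TLSv1.3"}                   # acceptable


def is_compliant(accepted) -> bool:
    """PASS only if no SSL/early TLS version is accepted and a secure one is."""
    accepted = set(accepted)
    return not (accepted & EARLY_TLS) and bool(accepted & SECURE_TLS)


def probe_protocols(host: str, port: int = 443, timeout: float = 5.0) -> set:
    """Return the set of TLS version names the server will complete a handshake with."""
    accepted = set()
    for name, version in PROBE_VERSIONS.items():
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE      # we test protocol support, not the certificate
        try:
            ctx.minimum_version = version    # pin both ends so only this version is offered
            ctx.maximum_version = version
            if version < ssl.TLSVersion.TLSv1_2:
                # OpenSSL's default security level refuses TLS 1.0/1.1 on the client
                # side; lower it so a server that still speaks them is detected.
                ctx.set_ciphers("DEFAULT:@SECLEVEL=0")
        except (ssl.SSLError, ValueError):
            continue                          # this build cannot even request the version
        try:
            with socket.create_connection((host, port), timeout=timeout) as raw:
                with ctx.wrap_socket(raw, server_hostname=host) as tls:
                    if tls.version() == name:
                        accepted.add(name)
        except (ssl.SSLError, OSError):
            pass                              # refused or unreachable: not accepted
    return accepted


def report(host: str, port: int = 443):
    """Probe a host and return (verdict, sorted accepted versions)."""
    accepted = probe_protocols(host, port)
    return ("PASS" if is_compliant(accepted) else "FAIL"), sorted(accepted)


if __name__ == "__main__":
    if len(sys.argv) > 1:
        host = sys.argv[1]
        port = int(sys.argv[2]) if len(sys.argv) > 2 else 443
        verdict, versions = report(host, port)
        print(f"{host}:{port} accepts {versions} -> {verdict}")
    else:
        print("usage: tls_probe.py <host> [port]")
```

Run it against each CDE-facing endpoint (web front ends, APIs, management interfaces), not just the public storefront; a FAIL on an internal admin port counts just as much for the assessment as one on the customer site. Because the client's own OpenSSL can refuse old versions, a "not accepted" result for TLS 1.0/1.1 should be confirmed with a second tool before it is recorded as evidence.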

It also clarified Appendix B (compensating controls): it made a wording change and removed multi-factor authentication (MFA) from the compensating-control example, because Requirement 8.3 now mandates MFA for all non-console administrative access to the CDE, so MFA can no longer be offered as a compensating control for that access. The example now cites one-time passwords as an alternative control instead.
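The one-time-password mechanism the appendix now points to is usually a TOTP token (RFC 6238). The block below is an added example of the server-side verification, not code from the page or from ZenGRC, written so it can be dropped in front of an admin login: it takes the seed provisioned to the administrator's authenticator, tolerates a little clock skew, rejects replay of an already-used code, and compares in constant time. The seed value is the RFC 4226/6238 reference secret, used here only as constructed test data.

```python
"""Added example: RFC 6238 TOTP verification for non-console admin access.
Not code from the page or ZenGRC."""
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional

# RFC 4226 / RFC 6238 reference secret; constructed test data, never use in production.
DEMO_SECRET = b"12345678901234567890"


def secret_from_base32(encoded: str) -> bytes:
    """Decode the base32 seed that authenticator apps receive via a QR code."""
    stripped = encoded.strip().replace(" ", "").upper()
    return base64.b32decode(stripped + "=" * (-len(stripped) % 8))   # restore padding


def hotp(secret: bytes, counter: int, digits: int = 6, digestmod=hashlib.sha1) -> str:
    """HMAC-based one-time password (RFC 4226) with dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), digestmod).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, for_time: float, step: int = 30, digits: int = 6,
         digestmod=hashlib.sha1) -> str:
    """Time-based one-time password (RFC 6238): HOTP over the time-step counter."""
    return hotp(secret, int(for_time) // step, digits, digestmod)


def verify_totp(secret: bytes, submitted: str, now: float, step: int = 30,
                digits: int = 6, window: int = 1,
                last_used_counter: Optional[int] = None) -> Optional[int]:
    """Return the accepted time-step counter, or None if the code is rejected.

    window:             accept codes from +/- this many steps to absorb clock skew.
    last_used_counter:  the counter of the last accepted code for this user; any
                        code at or before it is refused so a captured code cannot
                        be replayed within the window. Persist the returned value.
    """
    if not (submitted.isdigit() and len(submitted) == digits):
        return None
    current = int(now) // step
    for delta in range(-window, window + 1):
        counter = current + delta
        if last_used_counter is not None and counter <= last_used_counter:
            continue
        # constant-time comparison: no early exit on the first differing digit
        if hmac.compare_digest(hotp(secret, counter, digits), submitted):
            return counter
    return None


if __name__ == "__main__":
    print("current code for the demo seed:", totp(DEMO_SECRET, time.time()))
```

The `last_used_counter` bookkeeping is the part most home-grown implementations skip; without it a valid code stays usable for the full window (90 seconds with `window=1`), which is exactly the gap an attacker who shoulder-surfs or phishes an admin will use.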

Now, the PCI SSC is preparing to release another update, PCI DSS 4.0, scheduled to take effect in mid-2021.

What to Expect from PCI DSS 4.0?

Although 3.2.1 only took effect in 2019, it was a minor revision. The last major overhaul of the standard was version 3.0 in late 2013, followed by incremental updates in 2015 (3.1) and 2016 (3.2), so some of its controls reflect threats and technology that are close to a decade old. Most experts therefore expect major revisions in PCI DSS 4.0.

The security goals of PCI DSS 4.0 include:

  • Continue to meet the security needs of the payments industry for the protection of cardholder data such as the primary account number (PAN), cardholder name, expiration date and other payment data
  • Add flexibility and support of additional methodologies to achieve security 
  • Promote security as a continuous process
  • Improve validation methods and procedures

What’s new in 4.0? Here’s a sneak peek. 

A more flexible, customizable framework

Up to now, PCI DSS has provided specific, detailed requirements telling organizations exactly what they must do to comply with the standard. It provides not merely the "what" of CDE security but also the "how." If you can't meet a requirement in the way prescribed, you must implement a "compensating control," which must be documented and justified for each assessment and can be difficult and burdensome.

PCI DSS 4.0 is expected to add a "customized implementation" option alongside the prescriptive approach (compensating controls remain available for organizations that follow the defined requirements). The standard states the security objective of each requirement and lets you design your own controls to meet it, subject to approval by your Qualified Security Assessor (QSA), who will review your documentation and test each customized control.

This added flexibility may save your organization time and money by enabling you to use the technologies of your choice to achieve PCI DSS compliance.

More stringent security requirements

PCI DSS 4.0's Summary of Changes is expected to include new requirements for the security of your CDE. Some groundwork can be laid now. Network segmentation that isolates the CDE from the rest of your system components is not itself a PCI DSS requirement, but it is both good security and the recognized way to reduce the scope of a PCI DSS assessment, making it faster, easier to achieve, and less costly; keep in mind that any system that connects to, or can affect the security of, the CDE stays in scope regardless of segmentation. Your executive management should be planning ahead for the implementation of more stringent security controls, and budget accordingly.

NIST MFA/password authentication

EMVCo (the Europay, Mastercard and Visa consortium) and the PCI SSC are working together on authentication standards covering both logins to payment systems and the payment transactions themselves (EMVCo's 3-D Secure protocol is an example of the latter). These authentication methods are expected to be more flexible while enabling more secure customer authentication. On the password side, the NIST reference in the heading refers to the council's stated intent to bring password and MFA requirements closer to NIST's digital identity guidelines (SP 800-63B).

More guidance on encryption

Preventing malicious code from compromising your CDE and exfiltrating cardholder data is increasingly important. Strong cryptography for cardholder data in transit (TLS 1.2 or higher) and at rest (PAN rendered unreadable wherever it is stored, with sound key management) is key, and v4.0 is expected to provide further guidance on doing so.

Expanded DESV requirements

Until now, only entities designated by a card brand or acquirer, typically after a breach or because of high transaction volume, have needed to meet the Designated Entities Supplemental Validation (DESV) requirements, which add controls and increase the frequency of testing of critical controls. Some expect that v4.0 will extend these requirements to all businesses.

Stay on Top of Changes to PCI DSS

Organizations that use ZenGRC to manage their PCI DSS compliance don’t need to worry or fret over meeting the new requirements in PCI DSS 4.0. 

They’ll know as soon as the new version is launched what they need to do to maintain compliance.

They'll see on ZenGRC's user-friendly, color-coded dashboards where compliance gaps exist and how to fill them.

They can conduct unlimited self-audits to ensure that they pass their external audits with flying colors. 

With their PCI DSS compliance assured, they'll sleep better at night and can devote their days to other, more pressing tasks.

Worry-free PCI DSS compliance is the Zen way. Contact us today for your free consultation.
