If your organization is involved with credit card processing in any way, the PCI DSS (Payment Card Industry Data Security Standard) is integral to your daily operations. The current PCI DSS v3.2.1 contains 12 Requirements within 6 goals which entails approximately 400 Control Items.
In 2019, The PCI Security Standards Council conducted a formal Request for Comment (RFC) among all participating organizations to update the current PCI DSS v3.2.1. Following a thoughtful review of over 3,000 feedback items collected, the result is now being unveiled in the enhanced PCI DSS v4.0.
The PCI DSS The stakeholder preview period has concluded, and a formal release is anticipated, for the PCI DSS v4.0 during these final days of March 2022. While details of the upcoming adjustments to the still-active PCI DSS v3.2.1 are only available to previewing participating organizations, the key priorities for v4.0 are to include more flexibility in an ever-evolving digital environment while maintaining the critical security foundation and addressing escalating risk opportunities. Kandyce Young, who serves PCI DSS as the Technical Standards Development Manager, had also hinted at changes including ways in which the fresh Software Security Framework is being supported by PCI DSS and updated best practices for third-party service provider relationships, and smaller details such as a definitive breakdown of timelines that appear in requirements.
While the formal release date is imminent, at this time training materials are expected to become available in mid-summer 2022, based on current information available.
As the newest version of data security standard commences with its roll-out, the Security Standards Council has advised that a seamless transition will be supported by recognizing the current version 3.2.1 as active for 18 months – commencing after all PCI DSS v4.0 materials are released, to include the formal requirements along with supporting documents and training materials. This means that both the PCI DSS 3.2.1 and the new PCI DSS v4.0 will run concurrently for approximately 2 years, with an initial projected retirement date for version 3.2.1 on March 31, 2024.
To ensure a smooth transition, while both v3.2.1 and v4.0 are running in tandem, an extra period of time will be defined for phasing controls that have been identified as “future-dated” requirements that are found in v4.0. “Future-dated” requirements are not currently mandatory, but rather, are intended as recommended best practices to prepare for requirements that will be implemented at a future date. Formal validation is not required prior to the formal requirement, however, if the organizational controls are compliant through exercising the “future-dated” advice, assessment, and validation prior to formal release are favorable.
With the imminent roll-out and grace period of 18 months, the transition from PCI DSS 3.2.1 to v4.0 does not need to be a cause for stress or concern. Here at Elevate, we know how important using credit card technology safely and security is crucial to the reputation of your organization. Our team is well-versed in standard PCI security practices and controls and is ready to assist your firm with a seamless transition to the updated standard.
- PCI DSS v3.2.1 Quick Reference Guide (pcisecuritystandards.org)