PCI DSS v4.0 – A major update is planned

The PCI SSC (Payment Card Industry Security Standards Council) has started preparations for version 4.0 of the data security standard (current version is v3.2.1), with the major updated version due to be released late 2020.

What has PCI SSC said so far about what to expect in version 4.0?

PCI DSS v4.0 will incorporate input received from global PCI SSC stakeholders during the 2017 Request For Comments (RFC) period. Some of the specific areas that stakeholders asked PCI SSC to review include:

  • Authentication, specifically consideration for the NIST (National Institute of Standards and Technology) multi-factor/password guidance;
  • Broader applicability for encrypting cardholder data on trusted networks;
  • Monitoring requirements to consider technology advancement; and
  • Greater frequency of testing of critical controls; for example, incorporating some requirements from the Designated Entities Supplemental Validation (PCI DSS Appendix A3) into regular PCI DSS (data security standard) requirements.

PCI SSC will also conduct additional RFC periods with PCI SSC stakeholders prior to publication of PCI DSS v4.0. Information about the RFCs will be posted on the PCI SSC website, and PCI SSC stakeholders will receive communications with additional information on how to participate.

As part of the RFC process, all feedback received will be reviewed and considered in the development of the standard.

Key high-level goals for PCI DSS v4.0 are:

  • Ensure the standard continues to meet the security needs of the payments industry;
  • Add flexibility and support of additional methodologies to achieve security;
  • Promote security as a continuous process; and
  • Enhance validation methods and procedures.

PCI DSS v4.0 is not anticipated for release prior to late 2020. Specific timing on the release is dependent upon feedback received during the development period. PCI SSC will keep stakeholders updated on timing throughout the process.

A PCI SSC community meeting normally occurs around the release period, so expect information to be available during this meeting. I would expect some high-level information to be released prior, so it’s worth subscribing to the PCI SSC website for the latest blogs and information, and to keep abreast of developments.

When the standard is released, the PCI SSC will publish information online, such as the new standard, updated SAQs, etc. In addition, for prior versions of the standard, the information published has included a document showing the differences between the current and new PCI DSS requirements. Feedback from industry RFCs will not be published until the update is released.

At Gemserv, we will be reviewing information when available and publishing practical guidance to help understand and implement any recommendations and/or changes to the standard. Our guidance will be published on the Gemserv website.

To view the original PCI SSC articles about PCI SSC v4.0, please follow the links below:


