The PCI Security Standards Council published version 4.0 of the PCI Data Security Standard. PCI DSS is a global standard that provides a baseline of technical and operational requirements designed to protect account data.
The current version of PCI DSS, 3.2.1, will remain active for two years until it is retired on 31 March 2024. Once assessors have completed training in PCI DSS 4.0, organizations may assess to either PCI DSS 4.0 or PCI DSS 3.2.1 and apply whichever standard's requirements they choose to assess against.
Over the course of three years, more than 200 organizations provided over 6,000 items of feedback to ensure the standard continues to meet the complex, ever-changing landscape of payment security.
PCI DSS 4.0 changes
- Replaced the term "firewall" with "network security controls" to support a broader range of technologies used to meet the security objectives traditionally met by firewalls.
- Expansion of Requirement 8 to implement MFA for all access into the cardholder data environment.
- Increased flexibility for organizations to demonstrate how they are using different methods to achieve security objectives.
- Addition of targeted risk analyses to allow entities the flexibility to define how frequently they perform certain activities, as best suited for their business needs and risk exposure.
Version 4.0 continues to reinforce core security principles while providing more flexibility to better enable diverse technology implementations. These updates are supported by additional guidance to help organizations secure account data now and into the future.