PCI SSC Publishes New Data Security Standard | Practical Law

The Payment Card Industry Security Standards Council (PCI SSC) has published a new version of its data security standard to meet the evolving security needs of the payments industry, promote security as a continuous process, increase flexibility for organizations, and enhance validation methods and procedures.

PCI SSC Publishes New Data Security Standard

Practical Law Legal Update w-035-0651 (Approx. 3 pages)

by Practical Law Data Privacy & Cybersecurity
Published on 31 Mar 2022, USA (National/Federal)
On March 31, 2022, the Payment Card Industry Security Standards Council (PCI SSC) announced in a press release that it has released version 4.0 of the PCI Data Security Standard (PCI DSS v4.0) to address the evolving security needs of the payment industry. PCI DSS v4.0, which will replace version 3.2.1, aims to:
  • Ensure that the PCI DSS continues to meet the security needs of the payments industry.
  • Promote security as a continuous process.
  • Enhance validation methods and procedures.
  • Add flexibility and support of additional methodologies to achieve security.
Examples of changes in PCI DSS v4.0 include:
  • Updated terminology from "firewalls" to "network security controls."
  • Expansion of the requirement to implement multi-factor authentication for all access into the cardholder data environment.
  • Increased flexibility for organizations to demonstrate how they use different methods to achieve security objectives.
  • Targeted risk analyses that allow organizations to define how frequently they perform certain activities, based on their business needs and risk exposure.
Further details about the updates can be found in the PCI DSS v4.0 Summary of Changes document.
To provide organizations time to understand and implement any necessary updates, the current version of the PCI DSS will remain active until March 31, 2024. In addition to the transition period, organizations have until March 31, 2025 to phase in new requirements that are initially identified as best practices in PCI DSS v4.0.
More information on the implementation timeline can be found on the PCI Perspectives Blog.