In this first part of the series «Analysis of PCI DSS v4.0», we analyze the history behind version 4.0 of the standard, the factors that drove its change, and the associated review and publication process. Subsequent parts will review the changes in the requirements and in the reporting documents, and finally an action plan will be proposed for aligning the controls from version 3.2.1 to version 4.0 within the deadlines established by the PCI SSC and the payment brands.
All articles in the series Analysis of PCI DSS v4.0:
- Analysis of PCI DSS v4.0 – Part I: Introduction
- Analysis of PCI DSS v4.0 – Part II: Requirements 1 and 2
- Analysis of PCI DSS v4.0 – Part III: Requirements 3 and 4
- Analysis of PCI DSS v4.0 – Part IV: Requirements 5 and 6
- Analysis of PCI DSS v4.0 – Part V: Requirements 7, 8 and 9
- Analysis of PCI DSS v4.0 – Part VI: Requirements 10 and 11
- Analysis of PCI DSS v4.0 – Part VII: Requirement 12
The first half of 2022 has been quite interesting for the cybersecurity community due to the publication of the standard ISO/IEC 27002:2022 – Information security, cybersecurity and privacy protection — Information security controls in February and the release of version 4.0 of the PCI DSS standard in March. In both cases, the goal was to update existing security controls and add new requirements to adapt them to current technological changes and cybersecurity threats.
In the case of PCI DSS v4.0, at PCI Hispano we have prepared a series of articles with a detailed analysis of, among other topics, the development process of this version of the standard, the changes in the requirements, and the adaptation process from version 3.2.1 to version 4.0.
History
The Payment Card Industry Data Security Standard (PCI DSS) arose from the joint work of the main payment card brands, which chose to centralize the security controls of their different compliance programs in a single standard that would facilitate the implementation of security measures and the management of card data protection in a homogeneous way, avoiding overlaps, duplications and inconsistencies.

Convergence of the security programs of each of the brands in the PCI DSS standard
This is how, in 2004, the first version of the PCI DSS standard was published. It defined the basic cybersecurity principles for the protection of payment card data that had to be implemented by any entity that processed, stored and/or transmitted such data, mainly merchants and service providers. Later, in 2006, version 1.1 of the standard was published, developed this time by the Payment Card Industry Security Standards Council (PCI SSC), an independent entity made up of the major payment card brands and responsible for managing the life cycle of PCI DSS and other payment industry standards.
As affected companies implemented and managed the controls of the standard, the PCI SSC began to receive comments and suggestions from different companies and organizations involved in payment security. In the long run this feedback would influence the publication of the following versions of the standard, which incorporated improvements, clarifications and minor corrections based on the input provided by the community.

PCI DSS Standard Timeline
In order to establish regular periods for publishing the PCI DSS standard, allowing the PCI SSC to analyze and incorporate updates based on the companies' experience with its implementation and on the evolution of technologies and threats, a 36-month lifecycle with eight stages was defined, allowing a gradual, step-by-step introduction of changes. However, this initiative did not last long, because various external factors forced the publication of subsequent versions to be advanced or delayed, including the impact of several SSL and TLS vulnerabilities on the transmission of card data over open public networks and the streamlining of the processes for receiving comments from different organizations. In fact, the periods set out in this lifecycle were not followed in the development of version 4.0, and they will probably not be followed for future versions either.

Lifecycle for change management of PCI DSS standard (not currently used)
Development and publication of the PCI DSS v4.0 standard
Version 3.2.1 of PCI DSS was released in May 2018 as a minor version that included some clarifications and revisions to version 3.2, released in April 2016. It could be said that since that year (2016) no substantial changes had been made to the standard, since a balance had been reached between the maturity level of the controls and the cybersecurity needs of the time.
However, technological changes in infrastructure linked to the mass adoption of cloud services, container-based platforms, orchestration and microservices, and the adoption of development practices such as DevOps, showed the need to adapt the PCI DSS standard to the new landscape in order to face the challenges arising from emerging threats against payment card data.
Unlike previous versions of the standard, for the development of PCI DSS version 4.0 the PCI SSC defined a new working model that allowed different organizations involved in card payments to participate actively in the review and preparation of the standard and its supporting documents through Request for Comments (RFC) periods. Two RFC exercises were run for PCI DSS version 4.0: one in the last quarter of 2019 (with more than 3,200 comments) and another between September and November 2020. Likewise, at the close of the RFC processes, a draft of the standard (PCI DSS v4.0 Draft for Stakeholder Preview) was shared exclusively with Participating Organizations, Qualified Security Assessors (QSAs) and Approved Scanning Vendors (ASVs) to give final shape to version 4.0, which was published at the end of March 2022 after more than 6000 comments had been received from more than 200 entities.
Although the RFC processes made it possible to align the standard with the reality of the entities that must implement the security controls, they also forced the postponement of the publication of version 4.0, initially scheduled for Q2 2021, then for Q4 2021, and finally published in Q1 2022.
Implementation periods of PCI DSS v4.0
Once PCI DSS version 4.0 and the templates of its supporting documents (Report on Compliance (ROC) and Attestation of Compliance (AOC)) were published, the PCI SSC confirmed the dates during which the two versions would be valid in parallel, the official retirement date of PCI DSS v3.2.1, and the date on which the future-dated requirements become effective, to allow proper implementation by the entities concerned:

Implementation periods of PCI DSS v4.0
According to these dates, a 24-month transition period has been defined from the publication of PCI DSS v4.0 (March 2022), during which the previous version (3.2.1) and version 4.0 can coexist; affected organizations may be assessed against either version. However, as of 31 March 2024, the only version valid for assessments will be version 4.0.
The translations of the standard, the Self-Assessment Questionnaires (SAQs) and their related Attestations of Compliance (AoC) will be published in Q2 2022.
Main changes in the approach to the standard
Note: Changes related to the requirements of the standard will be discussed in future articles in this series.
During the development of version 4.0 of the PCI DSS standard, the priorities of the PCI SSC were managing the evolution of risks and threats to payment data and strengthening security as an ongoing process. As a result of applying these criteria, the names of the requirement groups and of the requirements themselves changed between version 3.2.1 and version 4.0, to reflect this evolution in controls and to adapt to changes in technologies:

Changes in the names of the 6 groups of PCI DSS 4.0 requirements

Changes in the names of the 12 requirements of PCI DSS v4.0
In addition, version 4.0 incorporates a large number of long-awaited clarifications on the applicability of the standard. Areas that were ambiguous or open to interpretation have been clarified and there is now an official position on them; previously such a position either did not exist or appeared only in the PCI SSC Frequently Asked Questions (FAQs) or in other supporting documents, but not in the standard itself.
Some of these clarifications are:

List of clarifications included in PCI DSS v4.0
However, the most significant change between versions 3.2.1 and 4.0 of PCI DSS is the introduction of the Customized Approach. Whereas in the traditional approach (now referred to as the Defined Approach) the entity implements the technical controls exactly as they appear in the standard, in the Customized Approach the entity can select the control it considers best suited to its environment to manage the risk, offering greater flexibility and room for emerging solutions. Under PCI DSS v4.0, an entity can therefore choose between the Defined Approach and the Customized Approach depending on its needs.

Description of Defined Approach and Customized Approach in PCI DSS v4.0
Additionally, the PCI SSC has added a large number of graphical aids (flow charts and figures), as well as clarifications in the margin, guides in each of the requirements, templates, examples, etc. that make this version one of the most descriptive and self-explanatory of all those that have been published, although this has involved going from 139 pages in PCI DSS v3.2.1 to 360 pages in PCI DSS v4.0.
Part II of this series will explain the main changes to requirements 1 and 2 of the standard. You can receive notifications of the publication of the following parts of the series on PCI Hispano's LinkedIn and Twitter pages.
Dear Sir, a question:
Suppose there is a company that needs to certify (recertify) in February 2024. Could it certify against PCI DSS 3.2.1, or would it already be necessary to apply PCI DSS 4.0? On the other hand, is there any change in the certification requirements (required documents) and certification processes (for example: SAQ – AOC vs. ROC – AOC)? Thank you!
Hello Carlos:
In February 2024 an institution could assess its environment in PCI DSS v3.2.1 or 4.0. As of 31 March 2024 it will only be possible to evaluate using version 4.0.
Regarding the validation documents, everything continues exactly as it was done with PCI DSS v3.2.1: Report on Compliance (RoC) and Attestation of Compliance (AoC) for assessments performed by a QSA, and Self-Assessment Questionnaires (SAQ) with their corresponding AoC for entities that can report compliance through a self-assessment form. Obviously, these documents have been adapted to the requirements of PCI DSS version 4.0.
Hi David, first of all thank you for this valuable blog and for sharing all your knowledge.
In relation to the topic of dates, an additional comment. I recently read in Mastercard's quarterly newsletter that they will accept assessments against v3.2.1 ONLY if these assessments are FINISHED by March 31, 2024. There is a grace period of 3 more months granted for QA (Quality Assurance) issues and other report wrap-up processes.
Do you know anything about it that can confirm or deny the above? I ask you because in my company we are going to start an evaluation cycle in Q4 2023 and we are internally in the discussion of which version we can use.
Some people say that if the assessment STARTS before 31 March 2024 it can be done based on v3.2.1. (regardless of the date on which the assessment ends), but this position differs from what I mentioned above.
Thank you very much!
Hi Jorge:
The answer to your question can be found here: https://pcihispano.com/validez-de-los-reportes-y-evaluaciones-de-cumplimiento-de-pci-dss-v3-2-1/