Version 4.0 of PCI DSS was released in March 2022. The PCI Security Standards Council is already actively working on version 5.0. What is known about this new version?

The Accelerated Income Act Ray Kurzweil tells us that technological advances develop according to an exponential curve whose slope increases more and more, which implies that the speed of technological change increases with respect to the immediately preceding time interval. Something similar is exposed in the Moore's Law, but in the context of semiconductors.

As can be assumed, technological progress implies changes in risks: new threats, new vulnerabilities, more specialized attackers, etc. For this reason, the security controls implemented in an entity should be reviewed periodically to avoid blind spots derived from new technologies. As already discussed in PCI Hispano, the PCI DSS standard (or any other security standard) is nothing more than a list of physical, logical and administrative controls aimed at protecting a particular type of data. New technology implies new controls (or improved controls) and this, in turn, implies an update of the standards that contain them.

For that reason, the Payment Card Industry Security Standards Council (PCI SSC) is already working on new versions of its standards, 2026 and 2027 are therefore expected to be quite active years in this regard.

Potential changes to be included in PCI DSS v5.0

As a novelty in its annual operation, the PCI SSC published its first report 2025, in which the main activities carried out during that year are detailed, including the publication of content, standards and general statistics, among others. In that document some of the actions that the Council will execute over these years were advanced, offering brushstrokes on the future of the ecosystem of standards of means of payment, topics that had already been reported in the Community Meetings 2024 and 2025, including the reorganisation of all standards into seven (7) categories: Data & Environment, Mobile, Device, P2PE, Key Management, Software y Card.

In the particular case of PCI DSS, the intention is to group this standard into the category Data & Environment, with several surprises:

  • It will be a major version change, therefore substantial changes are expected in the standard, not so much in its controls but in its organisation and definition of scope.
  • A new standard is being developed to be called Environmental Security Standard (ESS).
  • It is being evaluated the possibility of integrating PCI DSS with PCI 3DS and, potentially, with PCI Token Service Provider (PCI TSP). We must remember that currently Part 1 of PCI 3DS can be approved if the entity complies with PCI DSS, so many of the controls applicable to PCI DSS environments can also be implemented in PCI 3DS environments; Therefore, it makes perfect sense to integrate PCI 3DS as an annex to PCI DSS, for example. As for PCI TSP, oriented to the management of EMV Tokenization, the environment where the PAN/token pair (data vault) is stored must also comply with PCI DSS, so it might be feasible to integrate controls for the protection of tokenization environments in PCI DSS.
  • Finally, if these standards are integrated, the natural result of such integration is the creation of a common programme, so the PCI DSS compliance program could be updated, as well as trainings for QSA and ISA advisors.

On the other hand, as for changes to the PCI DSS standard itself, it is known that the focus will be on the following points:

  • Aligned with what is described above, it is proposed extend the scope of PCI DSS security beyond PAN protection.
  • Provide flexibility to apply risk-based safety criteria. This is already something that the PCI SSC has tried in the past, in order not to force entities to adapt their environment to a security solution, but it is the security solution that adapts to the environment to be protected based on the identified risk. Examples of this can be found in the changes introduced in PCI DSS v4.0, in requirement 5 related to antimalware.
  • Distinguish between environments simple y complexes to facilitate the implementation and evaluation of controls.
  • Define the real impact of using PCI SSC validated solutions in DSS environments. This has been demanded for years, especially to provide added value to the use of standards such as PCI SSS or PCI Secure SLC.
  • Optimize and modernize validation documents.

Other changes related to improvements in the applicability criterion of the customised approach and compensatory controls may also be part of this new version.

A preliminary version of PCI DSS v5.0 is expected to be released for comment (Request For Comments – RFC) at the end of 2026. In the meantime, control mapping guides will be published (Control Mapping) of PCI DSS with DORA and NIST CSF II.

Posted by David Acosta

Qualified Security Assessor (QSA) for PCI DSS, PCI PIN, PCI 3DS, P2PE and PCI TSP. CISSP, CISA, CISM, CRISC, C|EH, C|HFI.

Leave to Reply