With March 31, 2025 as a target destination, managed security service providers and enterprises from across the digital commerce chain are taking a measured approach to implementing PCI DSS version 4.0, exactly as the PCI Security Standards Council (PCI SSC) intended.
As a journalist following the Payment Card Industry Data Security Standard (PCI DSS) journey, I’m impressed by v4.0 and recently discussed its new features with Emma Sutcliffe, senior vice president and standards officer at the PCI SSC, and Gary Glover, CISSP, CISA, QSA, PA-QSA, and Director of Security Assessment at SecurityMetrics. The following are highlights from both interviews.
Sutcliffe noted the Council provides a two-year migration runway to PCI DSS 4.0, which extends from March 2022 to March 2024, "to give organizations time to thoroughly familiarize themselves with the changes and update processes, technologies and methods to meet security objectives."
Glover agreed the two-year runway will benefit organizations of all types and sizes. “We’re encouraging clients and partners to get familiar with the new requirements,” he said. “Work with a Qualified Security Assessor (QSA), don’t panic and don’t wait until the last minute.”
Sutcliffe also noted that PCI DSS version 4.0 offers stakeholders a tailored approach to implementation. Mature organizations have more flexibility in how they analyze risk, she noted, and other organizations that prefer to follow clear and succinct guidelines can take that approach as well.
Glover doesn’t expect the flexible approach to have much impact on small and midsize companies and security teams. “Customized approaches will be mainly handled by very experienced QSAs working in person with customers and will require a lot of work,” he said. “I expect very few of our clients, even at the enterprise level, to make use of it. The lion’s share of compliance in the industry will remain very similar to PCI DSS v3.2.1.”
Requirement 8 in PCI DSS 4.0 focuses on multifactor authentication (MFA), which Glover indicated is top of mind among SecurityMetrics partners and clients. Going forward, MFA will be required for all access, both internal and external, to the cardholder data environment, which will apply to servers, firewalls and networking gear. And when authentication fails, the system must not reveal which of the factors was wrong.
“Clients are pretty good with MFA now, and just need to expand to internal uses as well,” Glover said. “MFA service providers may need to make additional changes to ensure that both factors are requested before giving any feedback to an end-user, and this change will need to happen by 2025.”
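To make the feedback point concrete, here is an added example (not from SecurityMetrics or the PCI SSC) contrasting a login routine that reports per-factor failures with one that evaluates both factors and returns a single generic result. The account data, salt and HOTP secret are constructed for the demo; the HOTP secret is the RFC 4226 test-vector key.

```python
import hashlib
import hmac
import struct

# Constructed demo account; a real user store would hold per-user random salts and secrets.
SALT = b"demo-salt-not-random"   # constructed for the example
USER = {
    "pw_hash": hashlib.pbkdf2_hmac("sha256", b"correct horse battery staple", SALT, 100_000),
    "totp_secret": b"12345678901234567890",  # RFC 4226 test-vector key, used here as a demo secret
}


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def password_ok(user: dict, password: str) -> bool:
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 100_000)
    return hmac.compare_digest(candidate, user["pw_hash"])


def login_leaky(user: dict, password: str, otp: str, counter: int) -> tuple[bool, str]:
    """Before: factors are checked one at a time and the response names the failing one."""
    if not password_ok(user, password):
        return False, "wrong password"        # reveals that the OTP was never evaluated
    if not hmac.compare_digest(otp, hotp(user["totp_secret"], counter)):
        return False, "wrong one-time code"   # reveals that the password was correct
    return True, "ok"


def login_uniform(user: dict, password: str, otp: str, counter: int) -> tuple[bool, str]:
    """After: both factors are always evaluated and any failure yields the same response."""
    pw_ok = password_ok(user, password)                                    # no early return
    otp_ok = hmac.compare_digest(otp, hotp(user["totp_secret"], counter))  # always computed
    if pw_ok and otp_ok:
        return True, "ok"
    return False, "authentication failed"  # identical whether one or both factors were wrong


if __name__ == "__main__":
    code = hotp(USER["totp_secret"], 0)  # RFC 4226 test vector: counter 0 -> "755224"
    print(login_leaky(USER, "wrong", code, 0))    # names the failing factor
    print(login_uniform(USER, "wrong", code, 0))  # generic failure only
```

Because the hardened routine runs both checks on every attempt, its response text and its work per attempt are the same regardless of which factor failed, which is the behaviour the MFA requirement asks providers to deliver.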
Glover has participated in the PCI SSC’s North American and European community meetings and has seen growing engagement and camaraderie among participants, which has fostered a feeling of trust in the security community. For example, Payment Application Qualified Security Assessors were shown a draft of the Strategic Software Framework and asked to comment, he said, and were encouraged to participate in PCI DSS 4.0 discussions.
“We participated in all of the RFD sessions for the PCI DSS, not any of the others,” Glover said. “We provided feedback and comments on all RFPs and served on the PCI DSS Global Executive Assessor Roundtable council, providing inputs directly to the council from that forum as well.”
Glover is excited to see PCI DSS v4.0 achieve lift-off and continues to share his insights in blog posts, webinars and media interviews. Follow him on LinkedIn and stay tuned for more updates.
Dale S. Laszig, managing director, DSL Direct, is a payments industry journalist and content strategist. Follow her on LinkedIn at https://www.linkedin.com/in/dalelaszig/ and @DSLdirect on Twitter.