PCI DSS 4.0 is not expected to be released before the end of 2020, but will you be ready? The 12 core requirements of v3.2.1 are not going away. What changes in v4.0 is the emphasis: instead of asking only whether a prescribed security control is in place, the standard asks whether the security outcome that control is meant to achieve is actually being met.
PCI DSS 4.0 also introduces a new way of validating requirements that gives businesses more flexibility without lowering the bar. Where it can justify doing so, an organization will be able to meet a requirement's objective with a control that the PCI DSS itself does not spell out, provided it can show the control is effective against the current threat landscape and not merely different.
RSI Security is staffed with highly qualified cybersecurity professionals with many years of experience as a Qualified Security Assessor (QSA) and an Approved Scanning Vendor (ASV). We have our finger on the pulse of the market and keep up to date with cutting-edge technologies.
Whether you are using the security controls prescribed in PCI DSS v4.0 or going above and beyond with new methodologies and technologies, RSI Security is a best-in-class PCI service provider with the expertise you need to validate your controls and achieve compliance.
Contact RSI Security today for a consultation!
The PCI Security Standards Council states that PCI DSS 4.0 will not be ready for release until the end of 2020 at the earliest.
According to the PCI DSS lifecycle, it will take 24 months from the first release of PCI DSS 4.0 for it to become mandatory; during that transition period, v3.2.1 remains valid for assessments. However, it may benefit some stakeholders to begin implementation as soon as PCI DSS 4.0 is released rather than waiting for the end of the transition period. https://www.pcisecuritystandards.org/pdfs/OS_PCI_Lifecycle.pdf
4.0 will still have the 12 requirements of 3.2.1, but with added flexibility. For each requirement, you will be able to choose between the existing PCI DSS-defined implementation and a new customized implementation built on controls and methodologies the PCI DSS has not (yet) identified, so long as they are better able to counter the emerging threat landscape. The old requirements are not going away; what you gain is the option to meet them with better methods and controls. Because the choice is made per requirement, you will be able to use the defined method for some requirements and the customized method for others within the same assessment, applying the newer technology wherever it fits. Security will also be promoted as a continuous process to be maintained at all times, not something achieved once for the initial compliance certification and then revisited only at the next scan.
It is likely that 4.0 will expand multi-factor authentication and password requirements as attackers become more sophisticated. There may be more widespread use of encryption of cardholder data, even on trusted networks. Monitoring requirements are likely to increase to keep pace with technological advances in that area. It is highly likely that critical controls will need to be tested more frequently, supporting the new ideal of security as a continuous process rather than a point-in-time compliance exercise.
A customized implementation is intended for a risk-mature organization with a robust, documented risk-management process that wants to use controls and methodologies beyond those stated in the PCI DSS. The requirements are not going away, and you will have to prove that whatever you use in place of the specified control meets the requirement's stated objective and secures CHD at least as well as the prescribed control would. Expect to document that justification: the assessor will need evidence of the control, the risk analysis behind it, and how it was tested, not just an assertion that it works. If you can show that, you have the flexibility to demonstrate how your security controls meet the objectives of the PCI DSS assessment.
Compensating controls are not going away either, but they serve a different purpose: they remain the mechanism for a requirement that cannot be met as written because of a documented technical or business constraint. The customized implementation is the route for an organization that can meet the requirement but chooses a better control to do so. Between the two, you keep the option of following the PCI DSS controls exactly as prescribed while gaining the flexibility to adopt state-of-the-art technologies as they emerge, keeping you one step ahead of the attackers.
Start taking steps now to ensure your PCI DSS compliance is up to date and avoid costly data-breach-related litigation and damage to your business reputation.