PCI DSS 4.0 is Finally Here
Posted by: Dan Mengel
Part 1 of the PCI DSS 4.0 Launch Series
The content of this blog is based solely on the PCI Data Security Standard (DSS) version 4.0 and related validation documents and does not incorporate any additional clarification/guidance provided by the PCI Security Standards Council (SSC) after the date of this blog.
It’s finally here! After what seems like forever, the PCI SSC has finally released version 4.0 of the Data Security Standard (DSS) as part of its ongoing mission to protect account data. (Yes, I said account data, not cardholder data, and that’s intentional – read on.) And, as expected, there are some major changes.
Before you panic, though, keep in mind that the prior version we all know and love, version 3.2.1, is still valid and can be used for attestation purposes through March 31, 2024. This gives everyone (merchants, service providers, and assessors alike) plenty of opportunity to study the new standard, determine the best route forward for in-scope environments, and upgrade security programs accordingly. Also, please note that QSAs cannot assess any environment against 4.0 until they have completed “delta” training and an associated exam, provided by the Council, which will not be available until June 2022. (The Council’s latest timeline is available here.) So there is time, but it will fly by quickly. Now is the time to read 4.0 (yes, all 360 pages of it), identify items that you know will be of significant impact to your organization, and get engaged with your trusted QSA Company.
The SSC has added a great deal of content to version 4.0, including:
- A glossary of terms, including detailed definitions of the terms “significant change,” “sensitive area,” and “facility.”
- Guidance on scoping and segmentation.
- Guidance on third-party service providers (TPSPs).
- Guidance on sampling (revised from previous versions).
- Specific definitions of timeframe terms (“quarterly,” “annually,” etc.).
Some of this content previously resided in FAQs and supplemental documents; its appearance in the standard itself strengthens its clout as guidance to which entities must conform.
The standard is now very particular in its use of the terms “account data,” “cardholder data” (CHD), and “sensitive authentication data” (SAD). CHD and SAD are both considered account data. Look carefully at each requirement when one of these terms is used; the requirement may be specific to only CHD or SAD, or it may cover both.
In Part 2 of this blog series, we’ll unpack a radical new way to achieve and maintain compliance – the Customized Approach.
Dan Mengel
Practice Director, Compliance,
GuidePoint Security
Dan Mengel, Practice Director at GuidePoint Security, began his career in the security industry in 2000. He has delivered high-quality consulting services, directly and by leading others, in the areas of information security program architecture, security policy development, and security vulnerability, risk, and compliance assessments. He has developed sales and delivery processes and documentation templates for all of these engagement types. Dan is currently leading GuidePoint’s Compliance team in delivering assessment and advisory services for multiple information security standards. He also has significant prior experience designing and integrating security technology solutions from Cisco, Check Point, Websense, RSA, and others.
Dan earned a Bachelor of Science degree in Computer Information Systems from Goldey-Beacom College and holds several recognized information security industry certifications.