The PCI Security Standards Council (PCI SSC) has spent the last two years preparing Version 4.0 of the PCI Data Security Standard (PCI DSS).
The PCI SSC gives the global payments community more than peace of mind: it provides the standard itself and the guidance needed to navigate a complex and constantly shifting digital payments landscape. That landscape can be confusing and disorientating, such is the nature of the business.
The guidance and practical advice published by the PCI SSC removes much of that uncertainty. Given the success of PCI DSS V3.2.1, we should welcome and support the new and updated standard when it is released.
Last year, the SSC completed its rounds of stakeholder feedback on V4.0. Industry feedback is fundamental to the continued evolution of the standard, because each iteration affects the whole PCI global community. With that feedback now complete and incorporated into the V4.0 validation documents, a draft of PCI DSS V4.0 is expected to be released soon.
The SSC previously stated that, because of the "significance" of the revisions in V4.0, a draft standard and a summary-of-changes document would be released so that stakeholders have time to familiarise themselves with the standard before final publication. According to the SSC, the draft will be available to Participating Organisations, Qualified Security Assessors (QSAs) and Approved Scanning Vendors (ASVs), and is due in the coming weeks.
Source: PCI SSC
Crucially, the SSC has announced that "training for QSAs and ISAs to be able to support PCI DSS V4.0 is targeted for June 2022". As members of the payments community, we strongly encourage QSAs and Internal Security Assessors (ISAs) to take part in this round of training: the SSC's own training is the authoritative source on how the new requirements are to be assessed. PCI compliance requires a holistic approach, so every team member involved in the cardholder data environment must be well versed in the requirements, not just the assessors.
It is also important to note that when V4.0 comes into effect, V3.2.1 will not become obsolete immediately. The SSC will run a transition period so that stakeholders can acclimatise: organisations will have time to understand the changes in V4.0, update their reporting templates, and plan and implement the controls needed to meet the new requirements. According to the Council, PCI DSS V3.2.1 will remain active for an 18-month period after V4.0 is published.
Despite this lengthy transition, CyberCX encourages early adoption of V4.0. The threat landscape facing the payments community keeps changing, and an organisation that validates against the outgoing version of the standard for the full transition period is, by definition, measuring itself against requirements the Council has already judged to need updating. Starting the gap analysis against V4.0 as soon as the draft is available gives the most time to remediate before V3.2.1 is retired.