Discussions about PCI DSS v4 became all the rage with the release of the first Request for Comments (RFC) back in 2019, and those discussions have continued. Businesses want to know what impact v4 will have on their current PCI programs and PCI DSS compliance. As the final release of the v4 standard approaches, I thought I would take this opportunity to review what you need to prepare your business.
Here is the latest timeline from the Council regarding the transition from v3.2.1 to v4.
For all of you worrywarts out there, the good news is that PCI DSS standard v3.2.1 is not being retired until Q1 2024. So, everyone can breathe easily that v4 will not have a one-year transition as with prior releases. The sad news for Qualified Security Assessors (QSAs) is that we likely have organizations that will push that Q1 2024 deadline to the absolute limit.
The PCI Security Standards Council will release v4 in Q1 2022 (most likely very near or even on March 31, 2022). The public will not know what is contained in v4 until that release occurs.
QSAs, Participating Organizations (POs), and Approved Scanning Vendors (ASVs) will get to see a preview of v4 sometime right after New Year's (although just before Christmas would be great so that I can read it over the holiday break). I would suspect that this will be used by the Council to review the DSS before it is issued just in case there are some issues or corrections needed. As with everything to this point, everyone is under an NDA regarding v4, so until it is publicly released, information will be limited to whatever the Council leaks through their blog.
Finally, future-dated requirements will not be enforced until Q1 2025, giving organizations plenty of time (three years) to implement those requirements. However, I am sure there will be laggards who go to that limit.
Advice For Merchants
Merchants should have the easiest time transitioning to v4. Why? After all these years and the advent of P2PE/E2EE and tokenization solutions, they should no longer have sensitive authentication data (SAD) or cardholder data (CHD) in their environments. As a result, v4 will have only a minor impact on merchants, potentially a few new requirements to ensure that CHD is no longer in their environment.
Oh, but you are a merchant that still has SAD/CHD in your environment. Why?
You have no valid business reason to have SAD/CHD in your environment. None!
Now is the time to get it out of your environment because if you think v3.2.1 of the PCI DSS is a pain to deal with, v4 will put you out of business. And that is not a threat. It's a promise. Having SAD/CHD in your environment will make your PCI assessment even more miserable under v4 and possibly even show that your organization is, heaven forbid, non-compliant. You are now on notice that you need to bite that bullet and transition to P2PE/E2EE and tokenization in the next three years. It is time for you to get moving.
Advice For Service Providers
There is very little good news for service providers because you folks are stuck with processing, storing, or transmitting the SAD/CHD, or have access such that you can influence the security of those activities. The one bit of good news is that, for the most part, the new version appears to have only a minimal immediate impact. It is those future-dated requirements that are going to be the pain point.
As a reminder, there are two types of service providers: those that directly process, store, or transmit SAD/CHD, and those that can only influence the security of SAD/CHD. That distinction matters because of the risk each presents to SAD/CHD. Service providers that could influence the security of SAD/CHD typically present a lower risk than those service providers that directly process, store, or transmit SAD/CHD.
For service providers that only influence the security of SAD/CHD, you need to admit this fact and assess your organization's compliance with the PCI DSS. Believe it or not, many service providers in this category still do not assess their PCI compliance. They get away with this because organizations and their QSAs do not ask for their PCI Attestation of Compliance (AOC), or accept the typically lame excuses for why they do not have one or do not have to do one. All of the supply chain attacks of late have changed that, and v4 has taken that issue on by putting pressure on merchants and service providers to understand their service provider supply chains. That pressure will ensure that all service providers are PCI compliant by obtaining their AOC. No excuses! So, all of you service providers in this category, be prepared to be called out, and do not be surprised when your customers tell you that you either comply or they must change vendors. Also, do not be surprised if many of your customers send their QSAs to you to assess your organization – over, and over, and over, and over … well, you get the picture!
For the service providers that directly interact with SAD/CHD, you folks will face all the changes. The good news is that you have at least three years to transition for the future-dated requirements. Most of the immediate changes are things you are already doing; the Council has just changed the frequency at which you do them.
But those future-dated requirements worry QSAs the most because we know how many organizations responded to the changes from v2 to v3 and even v3.1 to v3.2. Organizations waited to get projects going and then ran into delays, which caused compliance issues a year or two later. We want to avoid that situation this time around, so we encourage organizations to read v4 when it is released and determine what changes will be needed as soon as possible to avoid the fire drills and non-compliance issues of the past transitions.
That is all we can tell you for the moment about PCI DSS v4 until it sees the light of day next year.
What you should do for PCI DSS compliance in 2022
Truvantis is available to consult, implement, and manage your PCI compliance program. Whether you're looking for help achieving PCI DSS compliance or need verification by a Qualified Security Assessor (QSA), Truvantis can help. Contact us today.
Principal Security Consultant, Truvantis, Inc.
Jeff Hall is a principal security consultant at Truvantis, Inc. He has over 30 years of technology and compliance project experience. Jeff has done a significant amount of work in financial institutions, health care, manufacturing, and distribution industries, including security assessments, strategic technology planning, and application implementation. Jeff is part of the PCI Dream Team and is the writer of the PCI Guru blog.