PCI DSS Update
Transition Period The updated timeline still includes a transition period for organizations to update from PCI DSS v3.2.1 to PCI DSS v4.0. To support this transition, PCI DSS v3.2.1 will remain active for 18 months once all PCI DSS v4.0 materials—that is, the standard, supporting documents (including SAQs, ROCs, and AOCs), training, and program updates—are released.
This transition period allows organizations time to become familiar with the changes in v4.0, update their reporting templates and forms, and plan for and implement changes to meet updated requirements. Upon completion of the transition period, PCI DSS v3.2.1 will be retired and v4.0 will become the only active version of the standard.
Future-Dated Requirements In addition to the transition period when v3.2.1 and v4.0 will both be active, there will be an extra period of time defined for phasing in new requirements that are identified as “future-dated” in v4.0.
In PCI DSS, new requirements are sometimes designated with a future date to give organizations additional time to complete their implementations. Requirements that are future dated are considered as best practices until the future date is reached. During this time, organizations are not required to validate to future-dated requirements. While validation is not required, organizations that have implemented controls to meet the new requirements and are ready to have the controls assessed prior to the stated future date are encouraged to do so. Once the designated future date is reached, all future-dated requirements become effective and applicable.
We anticipate that PCI DSS v4.0 will contain a number of new requirements that may be future dated; however, we won’t know the exact number until the standard is finalized.
While the effective future date for these new requirements will not be confirmed until PCI DSS v4.0 is ready for publication, it will provide enough time for organizations to plan and implement new security controls and processes as needed to meet all the new requirements. The future date will be dependent on the overall impact that the new requirements will have on implementing controls in the standard. Based on the current draft, the future date is expected to extend beyond the planned transition period, with a possible future date being between 2½ – 3 years after PCI DSS v4.0 is published.
Account data includes:
- Primary account numbers (PANs)
- Cardholder names
- Card expiration dates
- Service codes
- Magnetic-stripe or chip data
- Card verification codes
- PINs and PIN blocks
PCI DSS 4.0 comprises 12 requirements, organized into six categories:
- Secure networks and systems:Implement and maintain network security controls.Securely configure all system components.
- Protect sensitive data:Secure stored account data.Use strong cryptography to protect cardholder data during transmission over public and open networks.
- Have a vulnerability management program:Keep systems and networks protected against malware. Maintain the security of all developed systems and software.
- Implement access control:Follow the “need to know” principle for access to system assets and cardholder data.Use proper identification and authentication measures when granting access to system components Limit physical access to cardholder data
- Test and monitor networks on an ongoing basis:Monitor and log access to cardholder data and system components.Perform regular security tests on all systems and networks.
- Establish and follow an information security policy:Implement official policies and programs to support security goals within the organization.
- PCI Compliance Kiosk(Opens in a new browser tab)
- PCI Compliance Kiosk & EMV Compliance(Opens in a new browser tab)
- PCI EMV Committee(Opens in a new browser tab)
- US retailers fear they’ll miss EMV deadline(Opens in a new browser tab)
- Kiosk Manufacturer Association Joins PCI SSC as Participating Organization(Opens in a new browser tab)