From the desk of Andrew Deer, CISSP CISM CISA QSA PCIP
For this edition’s From the Desk section, we are delighted to have one of our Senior Security Consultants write an article for us about PCI DSS 4.0 – the latest edition of the compliance, which will be released sometime midyear.
With a third RFC for PCI DSS version 4 now being scheduled for June 2021, the completion date for PCI DSS v4.0 has been pushed back to Q4 2021. The publication and release of the standard will occur sometime after that, with a release date yet to be announced.
RFCs for the version 4 Report on Compliance (ROC), Self Assessment Questionnaires (SAQs) and Attestation of Compliance (AOC) documents are planned to take place in June 2021. It’s likely to be early 2022 before the first assessments using PCI DSS v4 takes place.
As with all new versions of the standard, there will be a period of transition where an organisation may assess using the old version of the standard rather than the new one. Organisations may choose to certify against the older version of the standard while transitioning their existing controls to meet the new requirements.
One of the main changes for v4 is likely to increase flexibility for organisations to meet the PCI DSS requirements. PCI DSS has traditionally been a very prescriptive standard. Still, the new standard is expected to introduce a more risk-based approach for meeting the requirements for organisations that wish to do so. Think of it as an expansion of the compensating control mechanism. The onus to prove the effectiveness and efficacy of the chosen control in addressing the risk identified with the requirement will be upon the organisation, so this is unlikely to be an easy path to certification. This flexibility, however, is likely to be welcome for larger organisations that have the resources to define and measure the effectiveness of these controls.
More will be known later in the year. PCI DSS v3.5.1 will remain in use for at least the next two years for valid assessments, however with security a constant moving target, organisations should not be looking at the next two years as business as usual. Evolving security threats over that time will see increased risk to organisations who do so.
To keep up with changes to the PCI DSS standard and other payment standard information, you may wish to follow the PCI SSC PCI Perspectives blog: PCI Perspectives.
Lastly, here’s a fun fact: Did you know that Vectra Corporation was the very first Australian company to be certified as a QSA Company (QSAC) by the PCI Security Standards Council when it was formed in 2006? With this being said, our clients are guaranteed to receive only the best compliance process support with us here at Vectra. So if you are needing assistance on becoming PCI DSS compliant, click here to contact a representative.