Close Widget

Craig Moores, SureCloud’s Risk Advisory Practice Director

PCI 4.0 won’t be about for another year

PCI 4.0, the latest data security standard for credit cards won’t be around until 2021 and further to our last update, not a great deal of information has been coming out of the PCI Security Standards Council (SSC) regarding PCI DSS v4.0 – until the most recent all assessor webinar.

Indications are that v4.0 of the DSS (Data Security Standard) won’t be out in the wild for at least another 12 months. With a further request for change (RFC) expected later this year; following incorporation of feedback to the working draft of the DSS following the first RFC during late 2019.

Feedback directed mainly at the DSS itself

The PCI SSC is expected to remain largely tight-lipped on the feedback to be incorporated; however, they did share some statistics around the feedback received from the first RFC:

  • There was over 3000 comments on the DSS draft, provided by a little over 150 organisations.
  • Unsurprisingly, the majority of the feedback was directed at the DSS itself rather than the two supporting documents issued as part of the RFC (these focused on information relating to proposed customised validations).
  • Most feedback was provided by the US and Europe regions.
  • Again, unsurprising but most of the feedback related to areas of the DSS with more significant changes to requirements including cryptography, access controls and governance.

Don’t make business changes until the final PCI 4.0 release

The next steps from the SSC are really to review and consider all of the feedback, and prepare a summary to those organisations who provided comments. From there, the SSC will likely issue a further RFC later in 2020 to provide QSA, ASV and participating organisations a further opportunity to add any comments before considering a public draft.

There is likely to be a period of transition to the new DSS, which will provide organisations with plenty of time to prepare for any necessary changes. Due to the timelines indicated, the PCI SSC stressed the importance for organisations to wait for the final release of PCI DSS v4.0 before making any changes to business processes in response to the proposed changes to the Standard. At present, they are exactly that… proposed changes.


What can organisations be doing now?

As in previous blogs, my first piece of advice was for organisations to watch out for initial releases of the new version of the DSS, remembering that the responsibility for managing and maintaining PCI compliance sits with the merchant or service provider.

As such, organisations should ensure that the scope of their cardholder data environment (CDE) is accurate; this is the foundation for obtaining and maintaining PCI compliance. Remember – over time, business objectives change, and it can be easy to omit systems and services from the scope of PCI compliance. Whilst we’re still a little way from any new versions of the DSS, these can provide a great opportunity to review the scope of the CDE. Ensure that all those systems that store, process or transmit cardholder data, or can impact on the security of the CDE, are included and compliance requirements are clearly defined.

Finally, businesses should proactively update their compliance programmes with a focus on embedding security into the operations of an organisation – PCI compliance can be affected by the smallest of changes in the requirements applicable to the scope of your CDE so its important to keep an eye on information coming out of the SSC.

Moving forwards…

As new information is sent out by the SSC we’ll be letting you know as much as we can so please stay subscribed to keep up to date. Fill in the pop up form in the left hand corner to not miss an alert!

In the meantime – during this unique uncertain time

The PCI SSC Guidance for Remote Assessments and the Coronavirus

In light of the evolving global position with regards to the Coronavirus (COVID-19), the PCI SSC has published guidance for QSA Companies, PCI Participating Organisations, Merchants and Service Providers regarding its position on conducting PCI assessments remotely. As a SureCloud blog reader with an interest in PCI, I wanted to provide you with a link to the article and provide assurance that SureCloud has reviewed its assessment approach in line with this guidance to allow it to continue delivering PCI consultancy and assessment services during this period of uncertainty.

If you have any questions or would like to discuss further, please feel free to email me directly

About Craig

Craig is responsible for SureCloud’s Risk Advisory Practice including engagement scoping, consultancy delivery and client relationships. Craig has experience in leading and delivering complex cyber security solutions aligned to strategic business objectives. Craig has broad cyber security experience including a strong technical, software development and project management background, with particular strengths in the areas of information risk management, PCI DSS, strategic planning and business auditing.

About SureCloud

SureCloud is a provider of Gartner recognised GRC software and CREST accredited Cyber Security & Risk Advisory services. Whether buying products or services your organisation would benefit from automated workflows and insight from the award-winning SureCloud platform. All of SureCloud’s service offerings are fully compatible with the GRC suite of products enabling seamless integration of information, taking your risk programmes to the next level.


PCI Security Standards Council

SureCloud has now been approved as a Qualified Security Assessor (QSA) Company by the Payment Card Industry (PCI) Security Standard Council (SSC).

How can we help?