
By Craig Moores, SureCloud’s Risk Advisory Practice Director

Compliance professionals around the world are eagerly awaiting more information about the PCI Security Standards Council’s updates to PCI DSS, version 4.0, following the release of its draft for comment in October 2019.


The most common questions

  • What key changes are coming?
  • What is the planned timeline?
  • How can organisations best navigate those changes?


PCI DSS 4.0 draft: Key takeaways



Whilst the 12 high-level requirements are expected to remain largely the same, sub-requirements have been reviewed and re-focused on the security objective or “intent” of each requirement, resulting in outcome-based statements. The benefit? Organisations can follow a structured approach to demonstrating how their security controls meet the required intent.



The final version of the DSS is expected to focus on addressing the evolving threats to the payment ecosystem, how these threats have changed over time and advancements in technologies, such as next-generation network and endpoint detection – thus far, these appear to have been considered within the draft.



  • Plenty of updated terminology.
  • Changes to the organisation and structure of sub-requirements to provide a more logical approach.
  • Closer alignment with NIST, which creates more flexibility within the Standard to help organisations embed security practices.


Challenges and Opportunities

So, what does all this mean for businesses that need to be compliant?

Keeping abreast of the evolving threat landscape and understanding new technologies are longstanding business challenges which PCI DSS 4.0 is really foregrounding. Greater flexibility and a shift to focusing on intent rather than providing rigid instructions for each security control is a positive move – but one which requires organisations to have a thorough knowledge of the threat landscape and the potential impact of different security controls and processes on their environment.

Organisations must evolve their compliance programmes to accommodate new changes in the DSS, and need to ensure that these are integrated and embedded in business processes rather than treated as disjointed and discrete activities for compliance's sake.

However, PCI DSS 4.0 also offers organisations the opportunity to build increased security and risk awareness in order to gain a better understanding of the security posture of their business operations, including how these support the overall business objectives, and to implement security controls which form a more effective security culture.


Where do we go from here?

So far, there has been little information released by the PCI SSC in terms of timelines, with the only communicated dates relating to the RFC and a public release anticipated in December 2020.


SureCloud’s 3 key tips for organisations:

  1. Watch out for initial releases of the new version of the DSS, remembering that the responsibility for managing and maintaining PCI compliance sits with the merchant or service provider. The earlier businesses can prepare for change, the better.

  2. Ensure that the scope of the cardholder data environment is accurate; this is the foundation for obtaining and maintaining PCI compliance. Over time, business objectives change and it can be easy to omit systems and services from the scope. Changes to PCI DSS are a great opportunity to review the scope of the CDE and ensure that all those systems that store, process or transmit cardholder data, or can impact on the security of the CDE, are included and compliance requirements are clearly defined.

  3. Assess the impact of any changes in requirements that affect your CDE and how these impact your individual compliance position. From there, businesses can proactively update their compliance programmes – with the help of third parties like SureCloud of course! Remember, with a focus on embedding security, PCI compliance can be affected by the smallest of changes in the requirements applicable to the scope of your CDE.

I’ll be giving my thoughts on how organisations can achieve a PCI programme that’s aligned to their business objectives at PCI London, or you can watch a more in-depth analysis on SureCloud’s webinar channel. We hope to “see” you there!