PCI DSS v4.0 is the most substantial update made to the Standard in the 17 years since the release of PCI DSS v1.0 in 2004. At first glance, organizations will notice several significant changes introduced by PCI DSS v4.0. While v4.0 doesn’t alter the fundamental structure of the Data Security Standard, and it still has the familiar Control Objectives and 12 Key Requirements introduced in 2006, the new version reflects evolving objectives and requirements. This includes wording changes, updates to existing requirements, several new requirements and future-dated requirements.
Historic PCI DSS release timeline
PCI DSS v4.0 is the 10th edition of the PCI Standard. With the release of PCI DSS v4.0 in March 2022, more than eight years had passed since the last major update (v3.0, November 2013) and nearly four years since the interim update in May 2018 (v3.2.1), which made only minor changes to the Standard.
These updates reflect significant changes within the payment card industry and account for risks in an increasingly complex, ever-changing threat landscape. In this technological sea change, PCI DSS v4.0 provides new navigation points to help organizations achieve sustainable control effectiveness across control and compliance environments.
PCI DSS v4.0 specifically supports the use of key technologies, including cloud and serverless computing. Organizations that currently rely on compensating controls to meet DSS requirements may benefit from determining whether the new PCI DSS customized approach (the alternative to the traditional defined approach) is suitable for their specific security needs.
The updated PCI Standard also introduces more flexibility into the wording of the requirements and adds intent statements. On pages 46, 48 and 52, we explore the three most significant updates in PCI DSS v4.0, which are continuous compliance, customized controls and control environments.
In summary, the most significant reasons why the PCI DSS was updated are to:
- Ensure that the Data Security Standard continues to meet the security needs of the payments industry
- Create flexibility and support of additional methodologies to achieve security
- Address ongoing technology developments in payment systems, mobile, cloud, etc.
- Address ongoing changes in the threat landscape, including improvements to the protocols and methods used for validation
- Promote security and compliance as an ongoing process
PCI DSS release timeline
Prior to PCI DSS v4.0, the longest gap between releases of the PCI DSS was the three years and one month between v2.0 (October 2010) and v3.0 (November 2013).
| Release | Version | Pages |
|---|---|---|
| December 2004 | 1.0 | 12 |
| September 2006 | 1.1 | 17 |
| October 2008 | 1.2 | 73 |
| July 2009 | 1.2.1 | 74 |
| October 2010 | 2.0 | 75 |
| November 2013 | 3.0 | 112 |
| April 2015 | 3.1 | 115 |
| April 2016 | 3.2 | 139 |
| May 2018 | 3.2.1 | 139 |
| March 2022 | 4.0 | 360 |
Requirements: The security and compliance hull