After 3 years and 6,000+ feedback items from more than 200 organizations (including our own participation in the process), PCI DSS 4.0 has finally been released. There were 4 goals in the development of version 4.0:
- Continue to meet the security need of the payment industry
- Promote security as a continuous process
- Add flexibility for different methodologies
- Enhance validation methods
With the release of PCI DSS 4.0, there are a couple of revised dates to keep in mind. Version 3.2.1 of the standard will remain active until the 31st of March, 2024, after which it will be retired. And any future-dated new requirements will become effective on the 31st of March, 2025.
PCI DSS 4.0 also brings about two approaches for implementing and validating the requirements. There is the Defined Approach and the Customized Approach.
As per the standard, the Defined Approach “Follows the traditional method for implementing and validating PCI DSS and uses the Requirements and Testing Procedures defined within the standard.” What remains as part of this approach is Compensating Controls. Again, as stated in the new standard, “As part of the defined approach, entities that cannot meet a PCI DSS requirement explicitly as stated due to a legitimate and documented technical or business constraint may implement other, or compensating controls, that sufficiently mitigate the risk associated with the requirement.”
Where things really change up is the Customized Approach. This approach was designed to support innovations in cyber security and allow flexibility in showing how an entity’s security controls meet a PCI DSS objective. It’s suited for risk-mature companies that account for the new approach. The Customized Approach, according to the standard, “Focuses on the Objective of each PCI DSS requirement (if applicable), allowing entities to implement controls to meet the requirement’s stated Customized Approach Objective in a way that does not strictly follow the defined requirement.”
You can have a mix of the <