Stakeholders in the payments industry on Thursday released updates for data security standards to address emerging threats and technologies.

The PCI Security Standards Council published version 4.0 of the PCI Data Security Standard (PCI DSS), which are technical and operational requirements designed to protect account data. 

More than 200 organizations provided feedback to over 6,000 items of feedback, according to a PCI SCC news release

Examples of changes to the PCI DSS v4.0 include:

  • Updated firewall terminology to network security controls to support a broader range of technologies used to meet the security objectives traditionally met by firewalls.
  • Expansion of Requirement 8 to implement multi-factor authentication (MFA) for all access into the cardholder data environment.
  • Increased flexibility for organizations to demonstrate how they are using different methods to achieve security objectives.
  • Addition of targeted risk analyses to allow entities the flexibility to define how frequently they perform certain activities, as best suited for their business needs and risk exposure.

Version 3.2.1 will remain active for two years to give organizations time to understand the changes, and will ultimately be retired on March 31, 2024. The new requirements become effective March 31, 2025. More details about the updates can be found in the PCI DSS v4.0 Summary of Changes document.

“PCI DSS v4.0 is more responsive to the dynamic nature of payments and the threat environment,” said Emma Sutcliffe, senior vice president and standards officer of PCI SSC, in the new release. “Version 4.0 continues to reinforce core security principles while providing more flexibility to better enable diverse technology implementations. These updates are supported by additional guidance to help organizations secure account data now and into the future.”