Data Security, Risk Assessments/Management, Compliance Management, Governance, Risk and Compliance

Council updates data security standards for payments industry

The PCI Standards Security Council released version 4.0 of the PCI Data Security Standard on Thursday. Pictured: Guests tap to pay using contactless cards during the Visa ID Intelligence launch party at Money 20/20 on Oct. 23, 2017, in Las Vegas. (Photo by Isaac Brekken/Getty Images for VISA Inc)

Stakeholders in the payments industry on Thursday released updates for data security standards to address emerging threats and technologies.

The PCI Security Standards Council published version 4.0 of the PCI Data Security Standard (PCI DSS), which are technical and operational requirements designed to protect account data. 

More than 200 organizations provided feedback to over 6,000 items of feedback, according to a PCI SCC news release

Examples of changes to the PCI DSS v4.0 include:

  • Updated firewall terminology to network security controls to support a broader range of technologies used to meet the security objectives traditionally met by firewalls.
  • Expansion of Requirement 8 to implement multi-factor authentication (MFA) for all access into the cardholder data environment.
  • Increased flexibility for organizations to demonstrate how they are using different methods to achieve security objectives.
  • Addition of targeted risk analyses to allow entities the flexibility to define how frequently they perform certain activities, as best suited for their business needs and risk exposure.

Version 3.2.1 will remain active for two years to give organizations time to understand the changes, and will ultimately be retired on March 31, 2024. The new requirements become effective March 31, 2025. More details about the updates can be found in the PCI DSS v4.0 Summary of Changes document.

“PCI DSS v4.0 is more responsive to the dynamic nature of payments and the threat environment,” said Emma Sutcliffe, senior vice president and standards officer of PCI SSC, in the new release. “Version 4.0 continues to reinforce core security principles while providing more flexibility to better enable diverse technology implementations. These updates are supported by additional guidance to help organizations secure account data now and into the future.”

Stephen Weigand

Stephen Weigand is managing editor and production manager for SC Media. He has worked for news media in Washington, D.C., covering military and defense issues, as well as federal IT. He is based in the Seattle area.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.