Stillwater Cyber Compliance

PCI DSS 4.0 Release Date: Late 2020

Six specific areas that may change with the credit card data security standards. The areas will focus on security, customized implementation, authentication, encryption, monitoring, and critical control testing methods.

PCI DSS 4.0 release date is projected for November 2020 or moved back into 2021. The standards from version 3 have remained fundamentally unchanged over 10 years. PCI DSS 4.0 will be significant and we wanted to outline the changes that you can expect later this year or 2021.

What Will Change with PCI DSS Version 4.0?

Payment methods are changing, as well as how data is stored and managed. The 4.0 version of PCI DSS addresses these issues and advances in technology.

Six specific areas that may change with the credit card data security standards. The areas will focus on security, customized 

implementation, authentication, encryption, monitoring, and critical control testing methods.

6 Key Changes with PCI DSS 4.0

Here’s a closer look at the main PCI DSS 4.0 changes to plan for:


Flexibility: Customized Implementation to Meet the Intent of Security Controls

This is probably the biggest change that will be addressed with the release of PCI DSS 4.0 in 2020. The 12 requirements will be shifted to focus on the main security objectives:

  • Ensure the standard continues to meet the security needs of the payments industry
  • Add flexibility and support of additional methodologies to achieve security
  •  Promote security as a continuous process
  • Enhance validation methods and procedures

The requirements will be linked to the new customized validation approach. Organizations will be able to choose the controls to perform or opt in with PCI DSS 4.0. A customized implementation can show intent of meeting the requirements without providing operational or technical justification.

Similar compensating controls will allow more flexibility in implementation procedures to meeting requirement intent. External assessors can verify effectiveness by reviewing the documentation. External assessors can then thoroughly test each control with custom implementation.


Security: More Stringent Requirements

PCI DSS continues to ensure sellers safely and securely store, process, and transmit cardholder data. It is fair to assume that PCI DSS 4.0 will set the bar higher and build on the assurance of PCI-DSS v3.2.1. In addition, requirements will be restructured to include stronger security standards. Top management should adjust capital and operational budgets to implement the new requirements.

Authentication: Deeper Focus on NIST MFA/Password Guidance

The PCI SSC consortium with (EMVCO) has been improving authentication standards and controls. Merchants have been growing in use of third-parties or contactless payments. These methods put greater focus on card user and transaction  authorization. PCI DSS 4.0 may focus on the use of  3DS Core Security Standard during transaction authorization. 3DS standards allows organizations to build pluggable authentication options for customers. Pluggable authentication ensure that controls meet the data security regulatory requirements. Pluggable authentication can be scalable to the company’s changing transaction objectives.


                 Protecting cardholder data has become paramount and cyber threats are more prevalent in the industry. One of the biggest threats that will need to be addressed involves the use of malicious code that can penetrate the network. As cardholder data is transmitted, this type of attack can harvest the information. So, we believe that PCI DSS 4.0 will provide guidance and best practices to fully secure network transmissions.


                 There are likely to be more risk-based approaches in the new PCI DSS 4.0. Technology is growing rapidly, and companies are looking at pluggable options for their information systems, much like the PCI Software Security Framework. The adoption of these solutions allows organizations to comply with standards while gaining faster deployment of processes without having the technology located in a specific control area.

Critical Control Testing

                   In previous PCI DSS versions, Designated Entities Supplemental Validation (DESV) requirements were included. The critical control testing frequency and additional controls may also make their way into this new PCI DSS version. The DESV requirements were usually reserved for companies that have experienced a breach. However, the requirements may become compliance standard for all businesses.

PCI DSS 4.0 Takes Effect

A tentative date of November 2020, has been set. However, second quarter of 2021 is more likely. Businesses accepting credit/debit cards, along with companies that manage cardholders’ information must be compliant with PCI DSS 4.0.  There are also dates throughout the year where merchants should be updating their systems and getting ready for compliance audits.

In preparation of PCI DSS 4.0, we recommend that organizations plan for budgetary changes to adapt to the new requirements and additional risk-based security testing. Implementing more significant changes are likely to demand staffing and training efforts as well.