What Has Changed In PCI DSS In The Last Two Years
To follow up on an earlier communication, PCI SSC is now targeting a Q1 2022 publication date for PCI DSS v4.0. This timeline supports the inclusion of an additional request for comments (RFC) for the community to provide feedback on the PCI DSS v4.0 draft validation documents.

Due to the significance of this revision, a preview of the draft standard will be provided to Participating Organizations, Qualified Security Assessors (QSAs), and Approved Scanning Vendors (ASVs) prior to being finalized for publication. The intent of the preview period is to give stakeholders additional time to familiarize themselves with version 4.0 of the standard before it is officially launched. The preview for Participating Organizations, QSAs, and ASVs is scheduled for January 2022 and will include the PCI DSS v4.0 draft and a Summary of Changes document.

The final versions of the standard, together with validation documents and the first phase of translations of the standard, are scheduled for formal release in March 2022. The RFC Feedback Summaries from the two most recent RFCs (the PCI DSS v4.0 Draft v0.2 (2020) and the PCI DSS v4.0 Validation Documents (2021)) will also be available to RFC participants in March 2022. Training for QSAs and ISAs to be able to support PCI DSS v4.0 is targeted for June 2022.

Included below is an overview of the updated timeline for the PCI DSS v4.0 development effort, including the additional RFC for validation documents, the preview period for PCI SSC stakeholders, and the planned public release of the PCI DSS v4.0 standard, validation documents, and other supporting materials.

Transition Period

This transition period allows organizations time to become familiar with the changes in v4.0, update their reporting templates and forms, and plan for and implement changes to meet updated requirements. Upon completion of the transition period, PCI DSS v3.2.1 will be retired and v4.0 will become the only active version of the standard.
Future-Dated Requirements

In PCI DSS, new requirements are sometimes designated with a future date to give organizations additional time to complete their implementations. Requirements that are future dated are considered best practices until the future date is reached. During this time, organizations are not required to validate to future-dated requirements. While validation is not required, organizations that have implemented controls to meet the new requirements and are ready to have the controls assessed prior to the stated future date are encouraged to do so. Once the designated future date is reached, all future-dated requirements become effective and applicable.

We anticipate that PCI DSS v4.0 will contain a number of new requirements that may be future dated; however, we won't know the exact number until the standard is finalized. While the effective future date for these new requirements will not be confirmed until PCI DSS v4.0 is ready for publication, it will provide enough time for organizations to plan and implement new security controls and processes as needed to meet all the new requirements. The future date will be dependent on the overall impact that the new requirements will have on implementing controls in the standard. Based on the current draft, the future date is expected to extend beyond the planned transition period, with a possible future date being between 2½ – 3 years after PCI DSS v4.0 is published.

An overview of the planned transition timeline and potential timing for future-dated requirements is shown below. The Council will provide additional information on the PCI DSS v4.0 progress throughout the year. Subscribe to the PCI Perspectives blog to stay up to date on the progress of PCI DSS v4.0.
The updated timeline still includes a transition period for organizations to update from PCI DSS v3.2.1 to PCI DSS v4.0. To support this transition, PCI DSS v3.2.1 will remain active for 18 months once all PCI DSS v4.0 materials, that is, the standard, supporting documents (including SAQs, ROCs, and AOCs), training, and program updates, are released.

In addition to the transition period when v3.2.1 and v4.0 will both be active, there will be an extra period of time defined for phasing in new requirements that are identified as "future-dated" in v4.0.
Source: https://blog.pcisecuritystandards.org/updated-pci-dss-v4.0-timeline
Posted by: angcounts.blogspot.com