Menu Close

21st January 2020

Rob Treacey offers insight on the latest PCI-DSS Standard developments

Rob Treacey, MD, Technology Risk Management, and Antony Tuttle, Senior Consultant and QSA at Xcina Consulting, a Shearwater Group plc company, offer their insights on the latest PCI-DSS Standard developments

The second half of every year sees the Payment Card Industry Data Security Standard’s (PCI-DSS) Security Standards Council (SSC) run its annual Community meetings, with events in North America, Europe and Asia-Pacific. This is also the time of year when the SSC releases information about any changes to the PCI-DSS Standard, and sets the direction and focus for the following year.

If you’re involved in the payment security space and haven’t been to a local meeting, I would strongly recommend you consider it – it’s a great opportunity to connect with representatives from the card brands, banks, vendors and Qualified Security Assessor Companies (QSAC) like Xcina Consulting.

At last year’s European Community Meeting, it was announced there was likely to be significant change to the PCI-DSS (which would take the Standard up to version 4.0), and there was a lot of anticipation about exactly where those changes might be made. Now that the 2019 Community Meetings have kicked off (the North American Meeting took place in Vancouver on 17-19 September, and the European Meeting on 22-24 October in Dublin), we have a little more information on the direction the SSC is taking and when first drafts might be released.

The following are some of the more significant teasers coming out of the North America Community Meeting:

The requirement to encrypt Cardholder Data (CHD) has been extended to now include trusted networks (eg, you were previously permitted to transmit unencrypted cardholder information within your corporate network).

The successor to the Payment Application Data Security Standard (PA-DSS), the Software Security Framework (SFF), now includes a Secure Software Lifecycle component that enables organisations to have their software development lifecycle certified. This means that the development process does not have to be reassessed with each minor change and can instead have a full assessment every three years.

Arguably the most significant news will be the potential movement to a more objective-based Standard. In practice, this will see two versions of the Standard becoming available: the defined approach, where the Standard exists much as it does today; and the option for the organisation to adopt a customised approach. The new customised approach might allow organisations to design their own controls and then implement them to meet the intent of the PCI-DSS requirements.

We will need to see exactly how these approaches work in practice, as introducing too much flexibility might also introduce inconsistencies in how organisations design and implement their own controls. In addition, as the determination of whether the implementation is compliant will sit with the QSA, this may add further inconsistencies – all the more reason to ensure you choose the right QSAC.

As the changes to version 4.0 are so significant, the SSC has confirmed that there will be two requests for comment (RFC) periods before the new version is released – that release is currently scheduled for late 2020. As with other version changes, it has also been confirmed that some requirements will be forward-dated (ie, they will not come into force or become mandatory until a later date), but the actual number and timing for these has not yet been released.

Also seen in Computing Security Magazine

If you have specific PCI-DSS questions or queries, contact Xcina Consulting at