The PCI Security Standards Council (PCI SSC) recently announced the release of version 4.0 of the PCI Data Security Standard (PCI DSS). The standard is a baseline level of network security for businesses that accept card payments, including e-commerce merchants. The new version replaces PCI DSS 3.2.1, which will remain active until March 31, 2024, to give merchants time to understand and implement changes.
Merchants can refer to the PCI DSS v4.0 Summary of Changes document for a comprehensive understanding of the new version's requirements. Beyond offering organizations more ways to demonstrate how they meet security objectives and updating its firewall terminology, the new version also strengthens the requirements around the use of multi-factor authentication (MFA). The Strong Customer Authentication rules under PSD2 in Europe, which likewise included MFA, saw significant implementation delays in the U.K. before eventually coming into force.
The PCI SSC hopes that will not be the case here, with plenty of lead time and industry participation in the development and rollout of version 4.0.
“The industry has had unprecedented visibility into, and impact on the development of PCI DSS v4.0,” said Lance Johnson, executive director of PCI SSC. “Our stakeholders provided substantial, insightful, and diverse input that helped the Council effectively advance the development of this version of the PCI Data Security Standard.”