Requirements: The security and compliance hull


  • PCI DSS v4.0 is the most substantial update made to the Standard in the 17 years since the release of PCI DSS v1.0 in 2004. At first glance, organizations will notice several significant changes introduced by PCI DSS v4.0. While v4.0 doesn’t alter the fundamental structure of the Data Security Standard, and it still has the familiar Control Objectives and 12 Key Requirements introduced in 2006, the new version reflects evolving objectives and requirements. This includes wording changes, updates to existing requirements, several new requirements and future-dated requirements.

    Historic PCI DSS release timeline

    PCI DSS v4.0 is the 10th edition of the PCI Standard. With the release of PCI DSS v4.0 in March 2022, it is nearly nine years since the last major update (v3.0) and four years since the interim update in 2018 (v3.2.1), which made minor changes to the Standard.

    These updates reflect significant changes within the payment card industry and account for risks in an increasingly complex, ever-changing threat landscape. In this technological sea change, PCI DSS v4.0 provides new navigation points to help organizations achieve sustainable control effectiveness across control and compliance environments.

    PCI DSS v4.0 specifically supports the use of key technologies, including cloud and serverless computing. Organizations that currently apply compensating controls to meet DSS requirements may benefit from determining whether the new PCI DSS customized implementation method is suitable for their specific security needs.

    The updated PCI Standard also introduces more flexibility into the wording of the requirements and adds intent statements. On pages 46, 48 and 52, we explore the three most significant updates in PCI DSS v4.0, which are continuous compliance, customized controls and control environments.

    In summary, the most significant reasons why the PCI DSS was updated are to:

    • Ensure that the Data Security Standard continues to meet the security needs of the payments industry
    • Create flexibility and support of additional methodologies to achieve security
    • Address ongoing technology developments in payment systems, mobile, cloud, etc.
    • Address ongoing changes in the threat landscape, such as improving protocols and methods associated with validation
    • Promote security and compliance as an ongoing process
  • PCI DSS release timeline

    Prior to PCI DSS v4.0, the longest gap between releases of the PCI DSS was between v2.0 in October 2010 and v3.0 in November 2013.

    Release          Version   Pages
    2004 December    1.0       12
    2006 September   1.1       17
    2008 October     1.2       73
    2009 July        1.2.1     74
    2010 October     2.0       75
    2013 November    3.0       112
    2015 April       3.1       115
    2016 April       3.2       139
    2018 May         3.2.1     139
    2022 March       4.0       360

  • This revision of the Standard is considered so significant that between 2019 and mid-2021, the PCI SSC fielded an unprecedented amount of feedback from participating organizations and assessors on the PCI DSS 4.0 draft. For past revisions of PCI DSS, formal feedback opportunities for the participating payment card community were limited to a single period. For PCI DSS v4.0, the PCI SSC expanded the feedback opportunities to maximize collaboration and stakeholder involvement in updating the Standard.[43]