We are a Data Security Platform (DSP) that allows organizations to discover, classify, and protect their most sensitive data and documents.
© 2025 DataStealth Inc. All Rights Reserved.
Standards are often force-fed to the industries they govern, but that doesn't seem to be the case with the latest version of the PCI Data Security Council's global Data Security Standard (PCI DSS). According to the council, during the three years, it took to develop the new standard, more than 200 organizations provided more than 6,000 items of feedback.
“The industry has had unprecedented visibility into, and impact on the development of PCI DSS v4.0," says PCI SSC executive director Lance Johnson. "Our stakeholders provided substantial, insightful, and diverse input that helped the council effectively advance the development of this version of the PCI Data Security Standard.”
"We used to think that PCI DSS was a standard enforced onto us one-way, and it was something we could only accept passively," adds Edward Mao, a senior manager in the Information Security and Privacy Governance Department at the Rakuten Group, electronic commerce and online retailing company. "However, it is now something we do with key industry experts actively, creating a standard we believe in.”
Organizations will have two years to digest the new standard and make any changes from the current standard, PCI DSS 3.2.1, which will be retired on March 31, 2024. Key elements in the new standard include:
"One of the problems with crafting regulations or pseudo-regulations, like PCI-DSS, is that technology changes and what was once a meaningful security control ceased to be one," says John Bambenek, a principal threat hunter at Netenrich, an IT and digital security operations company. "Firewalls mattered 20 years ago. You can’t get rid of them, but what you really want are network security controls that can do meaningful analysis and policy on a per-session basis, so the regulations needed to be changed."
Alex Ondrick, director of security operations at BreachQuest, an incident response company, maintained that PCI DSS v4.0 is built for a zero-trust mindset. "It allows organizations increased flexibility to build and tailor authentication solutions to fit their requirements," he says. "Arguably, the most important addition to PCI DSS v4.0 is the new requirement to implement multi-factor authentication for all accounts that have access to cardholder data. Although this is technically a best practice until March 31, 2024, it is a significant step toward securing systems and accounts which are accessing cardholder data."
While organizations may be looking forward to the additional breathing room given to them by the customization and flexibility provisions in the new standard, Dan Stocker, director of Coalfire, a provider of cybersecurity advisory services, offers a note of caution. "Organizations will want to carefully consider their risk management options under DSS 4.0, especially where they are on the technology leading edge. The customized approach will give them great power but require a mature appraisal of the risk in deviating from the defined approach," he says. "Likewise, where requirements allow flexible implementation, a targeted risk analysis will be required."
The Post "New PCI DSS v4.0 Receives Kudos For Flexibility" was first posted on CSO Online authored by John Mello.