• Andy Soodek, Tim Sutton
  • Published: 16 May 2022


On March 31, 2022, the Payment Card Industry Security Standards Council (PCI SSC) released the Payment Card Industry Data Security Standard (PCI DSS) v4.0.

In the four years since v3.2.1 of the standard was released, the rise of low-cost and powerful cloud computing, combined with a move to remote ways of working, has enabled the rapid migration to the cloud for most organizations. While cloud computing has solved many of the world’s problems associated with legacy IT, new threats and risks continue to emerge. CIOs and CISOs have transferred the responsibility of administering and protecting physical infrastructure to their cloud service providers. Where PCI DSS v3.2.1 defines stringent requirements for protection of the physical assets that comprise cardholder data handling environment, version 4.0 updates, the framework to account for these new computing realities.

To develop the new version of the standard, the PCI SSC worked with more than 200 industry participants – generating over 6,000 pieces of feedback, ensuring the standard reflected the technologies and security concerns of the modern payment ecosystem. Primary security highlights from the new standard, v4.0, include:

  • Emphasis placed on cloud security policies and controls, where applicable
  • Expanded MFA requirements for ALL user access into cardholder data environments
  • Security and training updates to incorporate protection against phishing attempts
  • Improved password requirement policy that brings it in line with NIST guidelines


The Customized Approach: Security with Flexibility

As the PCI SSC analyzed more than 6,000 contributor inputs, it became apparent that flexibility would need to be designed into the latest release. Security and privacy professionals are accustomed to myriad options for addressing tactical security objectives. At the least, each major cloud service provider offers different architectural approaches to integrating security controls into their core platforms. In response, the PCI SSC introduced the concept of a “Customized Approach,” which allows an organization to better align security controls to their enterprise architecture, rather than forcing a more limited set of controls outlined in a more prescriptive PCI DSS v3.2.1 requirement.

The Customized Approach allows CISOs to adopt and embed cloud-native security techniques and technologies into their card data processing ecosystem, provided they can explain how the design satisfies the regulation’s data protection requirements. The Customized Approach must be bolstered by rigorous risk analysis to validate effectiveness of the organization’s controls as designed.

Benefits of choosing the Customized Approach include:

  • Ability to align PCI DSS controls with enterprise goals
  • Option to utilize innovative technologies (cloud virtualizations, adaptive authentication, automated data cataloging)
  • Flexibility in monitoring and ongoing risk analysis


Reflecting Organizational Objectives

PCI DSS v4.0 promotes privacy and security as continuous processes, offering expanded guidance for each control, moving from one or two short statements in v3.2.1, to more complete definitions conveying:

  • The purpose of each control
  • “Good Practice” recommendations for implementation of the control including cloud configuration and management
  • Examples of a properly implemented controls
  • Reporting guidance – Expectations for real-time KPI dashboards, based on monitoring and measurement of cloud security controls
  • Further information – referring to other relevant standards or guidelines that may apply

The inherent flexibility of the Customized Approach allows for organizations to tailor their controls to align to the organization’s strategic goals and enterprise architecture. Security officers can select best-fit-for-purpose security solutions that achieve data protection objectives and meet regulatory obligations. The use of security operations dashboards and continuous security monitoring should highlight any customized controls, validating their effectiveness and alerting personnel when indicators of compromise have been detected.


Innovation and Integration

Under the updated regulation, the Customized Approach allows security leaders to innovate; to design security strategies and tactics to protect cardholder data that are no longer neatly isolated in a single, locked down network zone. Security leaders can now adopt the latest cloud-ready security solutions to achieve and maintain their organizational security objectives, while creating greater synergies with organizational strategic goals. Organizations can also benefit through the integration of the continuous security mindset and practice that the standard that will be enforced. By leaning into the flexibility of PCI DSS v4.0, organizations can ensure that compliance is a holistic effort that benefits itself in real-time.