The PCI Data Security Standard (PCI DSS) is a set of requirements developed and maintained by the PCI SSC and designed to secure the cardholder data environments that process, store, or transmit account data. This also includes systems that could affect the security of the cardholder data environment. These requirements apply to all entities involved in payment card processing, including merchants, processors, acquirers, issuers, and service providers, as well as all other entities that store, process, or transmit cardholder data and/or sensitive authentication data. PCI DSS compliance validation is required every 12 months.
PCI SSC is now targeting a Q1 2022 publication date for PCI DSS v4.0. This timeline supports the inclusion of an additional request for comments (RFC) for the community to provide feedback on the PCI DSS v4.0 draft validation documents.
To support this transition, PCI DSS v3.2.1 will remain active for 18 months once all PCI DSS v4.0 materials—that is, the standard, supporting documents (including SAQs, ROCs, and AOCs), training, and program updates—are released.
This transition period allows organizations time to become familiar with the changes in v4.0, update their reporting templates and forms, and plan for and implement changes to meet updated requirements. Upon completion of the transition period, PCI DSS v3.2.1 will be retired and v4.0 will become the only active version of the standard.
Any organization can become a Participating Organization. In addition to providing feedback on draft PCI Security Standards, the benefits of becoming a Participating Organization include the ability to propose, vote for, and participate in Special Interest Groups, attend annual PCI SSC Community meetings with two complimentary passes, and demonstrate to your customers and business partners your commitment to payment security. Read more about the full benefits and how to become a PO at https://www.pcisecuritystandards.org/get_involved/participating_organizations.
While PCI DSS v4.0 is under development, we encourage all entities to remain diligent and maintain their PCI DSS v3.2.1 security controls. Not only will this help ensure continued security, but this will facilitate the transition to PCI DSS v4.0.
Organizations that have had access to early drafts are strongly urged to wait until the final version of PCI DSS v4.0 is released before trying to implement any new or updated requirements. The RFC versions are draft only, and the standard will be different in the final released version.
Compliance with the PCI Data Security Standard and other applicable PCI Standards may be necessary for entities that store, process or transmit cardholder data. PCI Standards are for entities accepting or processing payment transactions, and for software developers and manufacturers of applications and devices used in those transactions.
Enforcing compliance with PCI Standards is the role of the payment brands and acquiring banks, not the PCI SSC. Each of PCI SSC’s participating payment brand members currently has its own PCI compliance program for the protection of its affiliated payment card account data. Entities should contact the payment brands directly for information about their compliance programs.
Masking is not synonymous with truncation, and these terms cannot be used interchangeably. Masking refers to the concealment of certain digits during display or printing, even when the entire PAN is stored on a system. This is different from truncation, in which the truncated digits are removed and cannot be retrieved within the system. A masked PAN could be “unmasked”, but there is no “un-truncation” without recreating the PAN from another source.
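To make the distinction concrete, the following Python example is added here; it is not code from the PCI SSC or from this page. It contrasts a record that stores the full PAN and merely masks it when rendered with a record that truncates the PAN before storage, so that no unmask operation can exist. The sample PAN 4111111111111111 is a constructed, well-known test number, and the last-four display and retention policy is an assumption of the example; which digits an entity may display or retain is defined by the standard and the payment brands, not by this snippet.

```python
"""Masking vs. truncation of a primary account number (PAN).

Added example, not PCI SSC code. Shows why a masked PAN can be "unmasked"
(the full value is still stored) while a truncated PAN cannot be
"un-truncated" (the discarded digits no longer exist in the system).
"""
from dataclasses import dataclass

# Constructed sample input: a well-known test PAN, not a real account.
SAMPLE_PAN = "4111111111111111"


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn check digit test."""
    if not digits.isdigit():
        return False
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str, visible_last: int = 4, fill: str = "*") -> str:
    """Display-time masking: hide all but the trailing `visible_last` digits.

    The caller still holds the complete PAN; only the rendering changes.
    (Assumed policy: show the last four digits.)
    """
    if not pan.isdigit() or len(pan) < visible_last:
        raise ValueError("PAN must be numeric and longer than the visible suffix")
    return fill * (len(pan) - visible_last) + pan[-visible_last:]


def truncate_pan(pan: str, keep_last: int = 4) -> str:
    """Storage-time truncation: permanently discard the leading digits.

    Only the retained suffix is returned; nothing else is kept anywhere.
    (Assumed policy: retain the last four digits.)
    """
    if not pan.isdigit() or len(pan) < keep_last:
        raise ValueError("PAN must be numeric and longer than the retained suffix")
    return pan[-keep_last:]


@dataclass
class MaskedRecord:
    """Stores the full PAN and masks it on display. Unmasking is possible."""
    pan: str

    def display(self) -> str:
        return mask_pan(self.pan)

    def unmask(self) -> str:
        # The complete PAN was stored all along, so it can simply be returned.
        return self.pan


@dataclass
class TruncatedRecord:
    """Stores only the truncated fragment. No unmask method can be written."""
    fragment: str

    @classmethod
    def from_pan(cls, pan: str) -> "TruncatedRecord":
        # The full PAN is a local argument here and is never retained.
        return cls(truncate_pan(pan))

    def display(self) -> str:
        return self.fragment


def compare(pan: str) -> dict:
    """Build both record types from one PAN and report what each can yield."""
    masked = MaskedRecord(pan)
    truncated = TruncatedRecord.from_pan(pan)
    return {
        "masked_display": masked.display(),
        "masked_recoverable": masked.unmask() == pan,
        "truncated_display": truncated.display(),
        # A TruncatedRecord has no unmask operation at all.
        "truncated_recoverable": hasattr(truncated, "unmask"),
        # The stored fragment is not itself a PAN (Luhn check fails here).
        "fragment_passes_luhn": luhn_valid(truncated.fragment),
    }


if __name__ == "__main__":
    for key, value in compare(SAMPLE_PAN).items():
        print(f"{key}: {value}")
```

Both records display the same last four digits, which is why the two terms get confused; the difference is entirely in what remains stored behind the display. Under PCI DSS that difference matters because the full PAN in a MaskedRecord is still account data that must be protected, whereas the fragment in a TruncatedRecord is not.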