Amid the news that the PCI DSS v4.0 and its supporting compliance validation documents are targeted for release in March of 2022, comes the recognition that Sysnet Global Solutions’ Compliance Management Solution and Proactive Data Security will need to be updated to reflect and support these changes.

Influencing the PCI DSS v4.0 through the Request for Comments periods

As of August 2021, through a series of Request for Comments (RFC) periods, the PCI Security Standards Council (SSC) has released draft versions of the PCI Data Security Standard (DSS) v4.0, the associated v4.0 Report on Compliance (ROC) Template, draft Attestations of Compliance (AOC) as well as a proposed replacement for the merchant Self-Assessment Questionnaires (SAQs) known as Merchant Assessment Forms (MAFs). PCI Participating Organizations, PCI Recognized Labs, Assessor Companies, and Approved Scanning Vendors (ASVs) have been privy to these draft documents and encouraged to provide their feedback in order to influence and guide the development of PCI DSS v4.0 and its validation documents. 

Expected timelines

The feedback review process for the most recent RFC is now underway within the PCI SSC. The visibility of a final pre-release version of the PCI DSS is not expected until at least January 2022. The PCI SSC announced that this preview version will be available to participating organizations, Qualified Security Assessors (QSAs), and ASVs as a familiarization period.  However, a preview of the accompanying validation documents (ROC template, AOCs, and MAFs or SAQs) will not be made available. The first view of these documents will be the final version due in March 2022. The PCI SSC also noted that the first phase of translations of the PCI DSS will not be available until the official PCI DSS v4.0 launch date.

As the PCI SSC has re-iterated a number of times, the draft documentation released so far is exactly that: draft versions that could be subject to significant change between now and Q1 2022. The final published versions may be very different. As a QSA Company, ASV, and participant in the PCI Small Merchant Taskforce, the team at Sysnet is fully aware of the process and its planned timelines. We are closely monitoring developments and will be available to assist you and your merchant customers upon the release of PCI DSS v4.0 and during the transition period from PCI DSS v3.2.1.

Transitioning from v3.2.1 to the new PCI DSS v4.0

As with previous releases of new PCI DSS versions and new SAQs previously, there will be a transition period. During the transition period, both PCI DSS v3.2.1 and v4.0 will be active. Merchants and service providers will be able to validate compliance against either version of the Standard. The time allotted for the transition by the PCI SSC is 18 months from the time all v4.0 materials are released. Based on current timelines this means v3.2.1 will not be retired until Q1 2024. This gives an ample amount of time to implement any and all changes needed for our Compliance Management Solution and Proactive Data Security to support the PCI DSS v4.0.

The PCI DSS v4.0 upgrade, as well as other changes necessary to support revised or new compliance validation requirements, will be made during the transition period.  In line with our approach to previous version changes, this will move our entire solution to support PCI DSS v4.0. We will not run v3.2.1 in parallel with v4.0. After the upgrade merchants will only be able to validate against PCI DSS v4.0. Continued provision for v3.2.1 will only be in place to support the record of existing attestations.

This complete switchover approach will mean that any in-flight work will need to be completed by the merchant prior to the solution transitioning. If their compliance journey is not completed, merchants will need to begin their compliance or revalidation process again after the migration date. Post-upgrade when merchants sign into your compliance management portal instance again or engage your Proactive Data Security contact center team, the merchant will be profiling and attesting via PCI DSS v4.0.

Our migration approach

We have looked at the current RFC’s PCI DSS v4.0 validation documents to assess the implications and impact for both our Compliance Management Solution and Proactive Data Security, as well as the extent of re-engineering that may be required. However, as we recognize that the final release versions may look very different from the draft documents released under the RFCs, Sysnet’s plans cannot be solidified at this time. The scope and complexity of changes that will need to be implemented will determine our timeline for getting Sysnet’s solutions upgraded across all clients.

At this time, a roadmap cannot be provided and there is no action to be taken. Only with access to the final documents will we be able to assess the implications of PCI DSS v4.0, its validation documents and the extent of the changes that will be needed for the Compliance Management Solution and Proactive Data Security to fully support them. Once Sysnet has access to the final release versions of the PCI DSS v4.0 and accompanying AOCs and MAFs (or SAQs), our team will devise our upgrade plan and be in contact with you to discuss the best way to proceed for you and your merchant customers. We will also provide updates on the steps we are taking and potential upgrade timelines. If you have any additional questions at this time, please do not hesitate to reach out to your primary Sysnet contact.