Remain calm. There is no PCI DSS v4.0 yet. But from the recent community meeting it looks like v4.0 will become “objective” based. The new Software Security Framework (aka the S3 Framework) will be the Council’s first take using an “objective” based approach. (The Software Security Framework will incorporate the Payment Application Data Security Standard (PA-DSS)) The requirement text is expected to be the “objective” of the control and the testing procedures would still be prescriptive. It indicates a more flexible approach to meeting controls is coming.
PCI SSC plans to publish the S3 by the end of 2018, with the validation program to follow in 2019. Looking forward to it!
Ad below this line:
