Four Changes PCI DSS Version 4.0 Will Introduce for US Hospitality

The Payment Card Industry Data Security Standards (PCI DSS) is the ruling framework provided by card issuers themselves to secure cardholder data. Currently, businesses across the world comply with version 3.2.1 of PCI DSS to ensure the protection of financial and personal data. 

In their 2019 Payment Security report, Verizon identified that:

Fewer and fewer organizations are demonstrating the ability to keep a minimum baseline of security controls in place. 

In 2019, from the total population of organizations assessed on PCI DSS compliance, only 27.9% of organizations achieved 100% compliance during their interim compliance validation.1 This is a further 8.8 percentage-point (pp) drop from the year before when only 36.7% of organizations demonstrated full compliance.”  

In the wake of the pandemic, the PCI Council has had to rethink the framework by conducting discussions and RFC (requests for comment) with industry stakeholders. The RFCs accumulated over 3000 comments & suggestions from industry stakeholders.  

Reasons for the PCI DSS V4.0 Update

In their official blog, the PCI Council established four reasons behind the development of PCI DSS V4.0, there are as follows:

  • Ensure the standard continues to meet the security needs of the payments industry

The PCI rules must continue to meet the security needs of the payment industry with the development of new technology and evolving threats. 

The PCI Council will seek to work on organizations’ scope of PCI Compliance, cloud technology, evolved cybercrime, risk assessments, and authentication measures to ensure being relevant with changing times. 

  • Add flexibility and support of additional methodologies to achieve security

Including new solutions, services, and tools to achieve premium security will be a high priority for the PCI Council in V4.0. The sophistication of card and data theft has already alerted both the PCI Council and law enforcement, pacing the way for new ideas to make way into the PCI framework.  

  • Promote security as a continuous process

Something the PCI DSS has been unable to do for the last three years as Verizon mention in their report. The PCI Council must promote its program as a continuous process and not a one-time assessment. 

Hospitality is the second most breached industry behind finance for its rich storage of unsecured financial data. The process to secure card data must therefore be continually maintained by businesses while supported by the PCI Council at all times. 

The PCI council will enhance guidance and provide added details on why and how to make the transition to a security-based organizational culture. 

  • Enhance validation methods and procedures.

One of the major reasons to update the PCI DSS is the need to enhance validation and procedures surrounding card processing. Improving best practices and standards of operation should be expected in the new rules. 

Version 4.0 may include more comprehensive rules about authorizations policies, data management policies, data storage compliance, and stricter security controls. PCI V4.0 will seek to introduce customizable validation testing measures to ensure security control is reliable and consistent with what is needed. 

Four Changes PCI DSS Version 4.0 Will Bring to Hospitality Businesses

After the RFC process that began back in 2017 ended, industry stakeholders identified four major changes that they feel were needed in the framework. These include major updates for authentication rules, encryption rules, technology advancement, and testing of critical controls. 

  • Authentication

Stakeholders have requested the PCI Council review authentication rules and update them with more rigorous measures. Special consideration was requested to adopt NIST (National Institute for Standards & Technology) protocols for password security. 

The requests also include the deployment of MFA or Multi-Factor Authentication for the processing of payments and security of card data.  

  • Broader applicability for encrypting cardholder data on trusted networks

Industry stakeholders have requested broader use of data encryption to assure premium security for all cardholder data. The encryption of card data even on trusted networks therefore allows the hotel to itigate against liability and further strengthen the security of cardholder information. 

  • Monitoring requirements to consider technology advancement 

Vast advancement in payment technology and other organizational tech requires stricter monitoring and on-hands management. New technology requires immediate vetting and compliance therefore stricter monitoring & control rules are expected. 

Organizations will also seek faster PCI assessments and audits to cope with evolving technologies. The PCI Council is bound to include detailed assessment tools and guidance, with easier compliance requirements.  

  • Greater frequency of testing of critical controls

The PCI Council will critically look over their testing measures for critical security controls to ensure the reliability of PCI DSS. This update will possibly include stricter measures and practices for security control testing already found in PCI DSS annexures. 


As the process develops hospitality providers can expect better guidance and more comprehensive rules from the PCI Council in Version 4.0. The development of new technology and a more digitized world today requires timely changes to the PCI DSS.

As the update to PCI V4.0 continues we will continue to monitor changes and keep you updated. Until next time, see you again soon.