Rapid changes in how payments are made, seemingly constant technology upgrades, and the relentless pursuit of secure transactions are all driving PCI DSS v4.0. Originally scheduled for release in Q2 of 2021, PCI DSS v4.0 has recently had its publication date revised by the PCI Security Standards Council (SSC) to Q1 2022. After three rounds of Request for Comments (RFC) and the review of thousands of comments, we can expect a massive impact on the standard.
Given the significance of this revision, a preview of the draft standard will be provided to Participating Organizations, QSAs, and ASVs sometime in January 2022. While those involved in the review are not allowed to disclose the details, we do know that security is at the forefront.
The primary drivers are:
- Meeting the payment industry’s security needs
- Providing flexibility and scalability to support evolving methodologies
- Making security a continuous process
- Enhancing security control validation methods
While we don’t have specifics on the changes, we have been reassured that the 12 core PCI DSS requirements will fundamentally remain the same. As with comparable standards, the requirement statements will be more “outcome-based”, the control objectives will be clear, and the guidance column will be enhanced.
What do the primary drivers mean?
- Meeting the payment industry’s security needs – With new technologies like cloud computing and an increase in the outsourcing of services, PCI will release additional guidance with cloud and third-party considerations, which will require companies to rethink and validate their own scope and approach.
- Ever-changing cyber risks will require additional protection of cardholder data (both at rest and in motion), additional anti-phishing and social-engineering defenses, more robust risk assessments, and stricter recommendations for authentication such as multi-factor, while remaining adaptable to the various authentication options. Finally, the Council has mentioned that, where applicable, cloud technology will be considered in the new standard. Appendix A1, the guidance for providers of shared hosting technology, will also be considered.
- Providing flexibility and scalability to support evolving methodologies – Historically, secure companies had difficulty meeting defined or fixed requirements and often had to find compensating controls. These instances will be reduced by providing a customized approach, which includes tailored requirements and testing procedures. As an example, companies may secure networks differently, using a plethora of solutions, settings, and controls. The customized approach will enable companies to demonstrate how the risks and objectives are met, regardless of the solutions, settings, or controls in place.
- Making security a continuous process – The goal of the PCI DSS requirements has always been to design a secure and sustainable environment that follows best practices. While some companies adopted this mindset, others are just focused on passing. We expect the new guidance to reinforce security as part of business as usual, by requiring larger sample sizes, longer periods of coverage, or increased frequency of testing.
- Enhancing security control validation methods – Based on the customized approach within the methodology, PCI will align the validation methods. It seems straightforward, but the switch from assessing compensating controls (in the absence of standard requirements) to customized controls may require targeted risk assessments and testing procedures, developed by the QSA and agreed upon by the business.
It’s unclear how, but we can expect consistency in the SAQ and the AOC, in alignment with the methodology updates. Customization may be more suited for companies with secure and mature environments.
Revised PCI DSS v4.0 Development and Transition Timeline
When PCI DSS v4.0 is first released, v3.2.1 will remain active for an 18-month grace period, to allow companies to gradually become compliant with the baseline or immediate requirements. Additional requirements will be introduced under a phased approach, with dates in the future.
“Future-dated” requirements are deemed to be “best practices” until the final date is reached. What this means to companies is that best practices should be assessed, but need not be fully implemented until the final date. While we don’t know the exact date of transition from “best practices” to required implementation for each of the new requirements, the timeline is expected to be between 2½ – 3 years after the transition period has expired.
While organizations have plenty of time to implement the various phases of PCI DSS v4.0, a roadmap should be in place sooner rather than later. Embrace the change and stay tuned for updates on evolving requirements and process improvements.