PCI DSS 4.0: A Paradigm Shift to Continuous Compliance, Customization, and More
The newly released PCI DSS 4.0, with substantial changes after six years, launched on 31st March 2022. The new standards aimed at enhancing the security of systems involved in processing, storage and transmission of cardholder data were developed after three Request for Comments (RFCs) and 6,000+ feedback from more than 200 companies. While the 12 core PCI DSS requirements remain fundamentally the same, several new requirements and alterations address the evolving risks and threats to the payment data and reinforce security as a continuous process.
This article is the first in a series of opinion pieces that we will be publishing on the changes to the PCI DSS 4.0. The narrative below focuses on key changes made to the PCI standards driven by the evolving risk landscape and a range of new payment environments, technologies, and methodologies. It also discusses the significant measures that payment organizations can undertake to implement the necessary controls, maintain a secure environment, and stay compliant with the new standards.
A Quick Look at the Key Changes
As the payment industry transforms at a rapid pace, PCI DSS 4.0 intends to bring innovation and improved flexibility through key updates to the original requirements (Read our earlier blog for a closer look at the new requirements). Some of the notable revisions in the updated standards are listed below:
- Emphasizing the need to protect organizations’ critical data and assets from an increasing number of phishing attacks, the new PCI standards include two requirements:
- Requirement no. 5.4.1 – Processes and automation mechanisms to detect and protect personnel against phishing attacks.
- Requirement no. 18.104.22.168 – Security awareness training for phishing and social engineering related attacks.
- With remote working environments becoming the new norm, multi-factor authentication (MFA) has been mandated for remote access from outside the entity’s network as well.
- Two new e-commerce requirements have been added to the new standards to address the emerging e-commerce skimming attacks.
- The required length of passwords has been changed from a minimum of seven characters to a minimum of twelve characters to better equip the current computing capabilities.
Customized Approach to Drive Flexibility
The customized approach is a new validation option in addition to the defined approach of meeting the PCI DSS requirements. Unlike the defined approach that follows the traditional PCI DSS requirements and testing procedures to confirm that the requirements are in place, a customized approach will provide flexibility to organizations to achieve the security objective of a requirement in a different way.
To put it in simpler words, with the customized approach, entities can determine the controls and then implement them to meet the stated customized approach objective with a clear demonstration that the payment data is being protected. This flexible approach intends to encourage innovations in security technology and methods that could be applied to different environments to meet the given requirements.
“PCI DSS assessment can include both defined and customized approaches but it must be designed in consensus with the Qualified Security Assessor (QSA).”
– Nitin Bhatnagar – Associate Director, PCI Standards Council
Before considering the customized approach as an option, organizations must ensure that they have robust security processes and risk management practices in place. The defined approach is suitable for organizations with controls in place to meet the requirements as stated, or organizations that are new to information security and need direction to meet security objectives. Customized approach requires organizations to have a dedicated risk management department or an organization-wide risk management plan. However, as several requirements do not have a stated customized approach objective, entities can use both approaches within their environments by using defined approach to meet some requirements and customized approach to meet others.
It is important to note that customized approach is not a substitute for compensatory controls. While the compensatory controls remain as they are, any organization opting for customized approach cannot use compensatory controls.
Supporting New and Evolving Technologies
Being the standard that claims to be technology neutral, PCI DSS 4.0 also includes requirements which are based on the fundamental security principles that apply to all types of environments and technologies. The latest version comprises refocused requirements with additional objective statements to better emphasize their broad applicability to all types of technology including cloud environments and a range of evolving payment environments and methodologies. In addition to this, customized approach also provides flexibility to entities when they are using different processes or technology to achieve the requirement objective. The scope of requirements in the updated version, for instance, includes a dedicated section to support cloud components. Appendix A1 of the standards has also been revised for more inclusivity of modern technologies by replacing share hosting providers with multi-tenant service providers such as cloud providers. Further, a new requirement also mandates multi-tenant service providers to support their customers for penetration testing.
“As many of the frequencies in the new standards are risk-driven, focused risk assessment for PCI scope, where critical assets like card data, sensitive authentication data or card numbers are collected, is going to play a crucial role.”
– Kaushik Pandey – Global Head – Compliance and Testing Services, SISA
Developments in Authentication Controls
Considering the changing threat landscape and the feedback received from the industry, quite a few changes have been made to authentication requirements in PCI DSS 4.0. For instance, a new requirement that states MFA must be implemented for all access to CDE including remote access originating from outside the entity’s CDE has been added to the standards. While there has been a substantial change in the required length of passwords, the requirement to change them every 90 days to prevent breaches has been retained considering it is the only protection used by some entities. However, it need not apply to the systems in the organization that are protected with MFA and the specified requirement can be marked as NA for those systems. In addition to this, the use of group shared generic accounts, which was prohibited in the earlier version, has been permitted under exceptional circumstances such as limited timeframe or approval/confirmation of user identity and actions attributable to the individuals.
Way Forward – Plan-Do-Check-Act Approach for Implementation
In the initial phases of the implementation timeline, the organizations must first understand the new standards before taking any action to execute the process. The PCI SSC is also going to organize multiple sessions and events including transitional trainings starting from June 2022 to help organizations understand the interpretation of new standards before they start implementing them. In addition to this, SISA is also launching its CPISI – PCI DSS Implementation Workshop 4.0 on 27th-28th April 2022, to help information security stakeholders take proactive steps for PCI implementation.
Although the implementation process for PCI DSS 4.0 is going to be a two-year project, organizations cannot wait until 31st March 2024 to get started; they must start from today. A systematic approach such as the Plan-Do-Check-Act (PDCA) can be leveraged to smoothly transition to new standards:
- Plan – To understand all the significant changes made to the PCI standards and their effect on the businesses, it is essential for organizations to read the new standards and then plan their course of action for the period ahead.
- Do – The next step involves setting up a task force that could start implementing the changes to the business operations and policies of the organization to stay prepared for the assessment.
- Check – At this stage, it would be beneficial for organizations to carry out a gap analysis with the help of their Qualified Security Assessor (QSA) to recognize the further changes that need to be made to meet the new requirements.
- Act – After understanding the new standards and making the changes in their processes, organizations can finally implement the necessary controls to continue meeting the PCI DSS 4.0 requirements at the time of assessment in 2024.
For a more detailed discussion on the changes made to the payment standards, watch our Fireside Chat on PCI DSS 4.0: A Paradigm Shift to Continuous Compliance, Customization, and More with Nitin Bhatnagar – Associate Director, PCI Standards Council.