Prepare to embrace continuous compliance with PCI DSS 4.0
The release of the PCI Security Standards Council's much-awaited PCI DSS v4.0 is around the corner, and the industry is abuzz with talk of the anticipated changes, their implications, and the support needed for the transition. The update to PCI DSS 3.2.1, currently the gold standard for the payments industry, comes six years after the last change took effect in 2016. At its heart, the new standard is expected to move compliance from an audit-driven, one-time event to a continuous improvement process aimed at securing payments.
From an operational standpoint, the 12 core PCI DSS requirements are not expected to change fundamentally and will remain the foundational blocks of payments security, as noted by the PCI Security Standards Council. However, the standard will expand to reflect changes in technology, risk mitigation techniques, and the threat landscape, while also enhancing validation methods and procedures. Five broad areas are likely to see changes, discussed below:
Customized approach to design security controls
With PCI DSS 4.0, organizations will be able to either implement a control as prescribed in the standard or opt for a customized implementation. With customized validation, the focus shifts from "what" must be implemented to defining the security "outcomes" linked to each requirement. This gives organizations greater flexibility to achieve compliance by showing that the intent of a requirement is met without having to provide an operational or technical justification, a marked departure from the current standard.
More stringent controls
PCI DSS 4.0 will set the bar higher for security controls. A key area where this applies is the use of cloud and serverless computing: version 4.0 is expected to introduce an updated set of requirements and approaches for securing cloud and serverless workloads. It will also likely increase the number of touchpoints and test points, and the amount of evidence that must demonstrate a passing state, in order to make PCI DSS compliance a continuous process. This may entail larger capital outlays, requiring budgetary planning and adjustments.
Deeper focus on MFA and encryption
The NIST password guidance takes centre stage as the new standard mandates MFA for every touchpoint. There will be greater focus on applying stronger authentication standards to log-ins for payment and control processes, and on using the 3DS Core Security standard during transaction authorization. The new standard will allow organizations to build their own pluggable authentication mechanisms to meet data security regulatory requirements, while scaling them to fit the company's transaction objectives. The standard is also likely to expand the scope and application of encryption to cover cardholder data transmission on trusted networks, and to require organizations to institute a data discovery process.
Enhanced monitoring to reflect technology advancements
There is likely to be an enhanced focus on risk-based monitoring and testing. The requirement to monitor the cardholder data environment may be updated to reflect advances in technology, such as the availability of next-generation network and endpoint detection tools. Merchants and payment service providers may be required to have processes and mechanisms for detecting phishing attempts. In addition, the update will include provisions on the treatment of phishing and social engineering attacks.
Greater frequency of testing critical controls
The new standard is expected to bring a higher level of critical control testing, which implies a significant increase in the amount of testing required. Although the Designated Entities Supplemental Validation (DESV) requirements are nothing new and were included in earlier versions, they were previously mandatory only for companies that had been compromised. In the new version, these requirements may become an essential compliance standard for all businesses.
All in all, the changes to the PCI standard are expected to be an improvement over the existing set of requirements. As with previous releases, a transition period after the formal release of PCI DSS version 4.0 will give organizations about two years to transition fully and comply with the new standard. A critical practice for organizations is to ensure that current security controls under version 3.2.1 continue to be maintained conscientiously and remain resilient under existing protocols. This will ensure that the transition to 4.0 is seamless. A comprehensive transition plan can be implemented once the new standard is enforced by engaging with a PCI Qualified Security Assessor (QSA). We at SISA can provide expert security recommendations and guidance to ensure this transition is frictionless.