Although the final text of PCI-DSS 4.0 likely won’t be published until mid-2021, there’s already a plethora of available information that can help businesses get a head start on compliance.
First and foremost, the 12 foundational requirements and controls of PCI-DSS 3.2.1 will still be in place, but they will be refreshed to show a stronger focus on meeting security objectives and added flexibility. PCI-DSS 4.0 also introduces the customized implementation methodology, which provides flexibility for companies to use a broader range of methods or technologies to achieve each individual PCI requirement.
Companies can therefore meet the intent of any security control by implementing a customized implementation as they deem appropriate; this opens the door for organizations to implement more efficient or cost-effective technologies and processes. PCI-DSS 4.0 also uses more of a risk-based approach, which allows for faster deployment of processes to comply with all regulations and standards.
Here’s a look at how organizations can get a head start on complying with some of the big changes expected in Version 4.0
(Note: Since PCI-DSS 4.0 is slated for release in mid–2021, it is likely that compliance with the new standard will take effect in late 2021 or early 2022. This is not set in stone, but previous PCI-DSS releases have provided generous lead times for organizations to comply, and 4.0 likely will as well.)
The current version of PCI-DSS, 3.2.1, requires organizations to adhere to specific and stringent requirements that dictate how they must achieve PCI-DSS goals. Organizations that are unable to follow those requirements must utilize compensating controls; these are burdensome and time-consuming procedures that require an organization to go “above and beyond” the intent of the primary control itself.
The biggest change in PCI-DSS 4.0 is that it will replace compensating controls with a customized implementation approach. Customized implementation considers the intent of the PCI-DSS objective and allows entities to design their own security controls to meet it.
The introduction of customized implementation and elimination of compensating controls means that organizations will have two options for compliance: the existing prescriptive, defined implementation approach, and the new customized implementation approach.
So, if a company is using a compensating control to satisfy a specific requirement under PCI-DSS 3.2.1, this would be a good time to evaluate what the compensating control costs (in terms of time and effort) and identify if other security technologies can help them achieve compliance under the customized implementation approach.
Authentication, Encryption, and Monitoring
As part of the PCI-SSC’s efforts to ensure Version 4.0 is reflective of the current security landscape, expect to see strengthened requirements around authentication, encryption, and monitoring.
- Authentication: Stronger focus on NIST Guidance around MFA/2FA and password changes
- Encryption: Broader requirements for transmitting cardholder data within and across trusted networks
- Monitoring: Capabilities that extend beyond alerting to potential misconfigurations, but provide actionable insight to address them, ensuring companies have the details needed to remediate the situation
Here are some tools that can help your organization comply with these heightened requirements:
Authentication: Integrate and protect your critical applications using tools like multi-factor authentication solutions (for example: Duo and Google Authenticator) and single sign-on products (such as Okta or Ping). The goal of both of these options is to ensure that access to critical systems is properly authorized and to make it easier to understand who has access to your resources, allowing for easy auditing of relevant access requests. Adding MFA and SSO to your infrastructure ensures that only authorized users are granted access to your resources, and that they have access to the resources needed to complete their job task (using the concept of least privilege).
Encryption: To enhance your security posture and reduce the scope of your PCI audit, adding a PCI-validated point-to-point encryption solution (P2PE, which typically comes paired with any reputable credit card processing solution) can greatly increase the level of protection of cardholder data at the time of card swipe/DIP, while it is then transmitted to the acquirer gateway for processing. To secure data at rest, the use of tokenization is recommended.
Tokenization is a technology that changes the CHD into a token, which represents the details for that particular transaction. In order to access the CHD in a given transaction, the token must be passed to the tokenization provider, at which point the relevant details are decrypted. End-to-end encryption (E2EE, a standard feature of many cybersecurity products) can add a layer of encryption between devices or applications, which will further ensure that CHD is protected while in motion. The goal of these different security technologies is to protect cardholder data at rest, as well as in motion. These added security measures ensure that CHD/PII is devalued in the eyes of bad actors, rendering the information useless.
It is important to note that there are three primary requirements that any P2PE or E2EE solution must offer:
- CHD must be encrypted using strong cryptography
- A secure hardware device must perform the encryption
- CHD cannot be decrypted within the merchant environment
Monitoring: Data correlation and visualization tools (such as a SIEM) give organizations a view into what is happening across their critical infrastructure. The goal of implementing and maintaining a monitoring platform is to provide actionable context and insight for the issue and how to resolve it. Alert fatigue is a common issue across monitoring solutions; deploying a platform that can correlate issues and introduce RCA workflows will make it easier for your security teams to understand what is happening across the environment.
Picking the Right Technology Provider for PCI-DSS 4.0 Compliance
With so many different products and services on the market today, it’s important that companies look for tools that actually address a pain point, rather than simply purchasing something to “tick a box” on the PCI-DSS checklist.
First and foremost, if you’re considering a solution that interacts with the storage, transmission, or processing of CHD, that vendor should have its own PCI certification (AOC) to ensure security standards are met.
It’s also wise to keep in mind the limitations of existing security and segmentation tools like firewalls, routers, and ACLs. These legacy technologies are often unable to simplify compliance in organizations with CDE environments that extend beyond their primary data center or campus. The goal of your security technology should be to minimize the scope of your PCI audit and reduce the burden of PCI compliance.
How ColorTokens Helps with PCI-DSS 4.0 Compliance
The ColorTokens Xtended Zero Trust Platform enables organizations to see, protect, and predict security and compliance violations across any workload, any deployment, and any user. It provides support for primary controls in PCI-DSS as they relate to securing CDE systems that fall under the scope of PCI.
Micro-Segmentation: Xshield, ColorTokens’ micro-segmentation solution, gives you the tools and visibility you need to understand your CDE environment and establish segmentation policies around these critical systems in just a few steps, thereby limiting the scope of a potential audit.
Authentication: ColorTokens supports authentication options for end-users to gain access to defined resources on the enterprise network. Users can be created in the ColorTokens management console or synchronized with Active Directory or another IdP, and policies ensure that access is granted based on the concept of least-privilege.
Encryption: ColorTokens supports the ability to enforce on–demand, point-to-point encryption for services that do not natively secure communication, or to encrypt all non-console administrative access to systems in the CDE. This relates to PCI Requirements 2.2.3 and 2.3.
Monitoring: ColorTokens provides an automated and auditable process for policy creation, enforcement, and monitoring across all network locations and platforms. Through this model, organizations can meet PCI-DSS requirements in the data center, cloud environment, and retail/branch outlets. The solution provides full audit and asset management reports, real-time traffic analysis, and can enable organizations to address any violations before an external audit. This relates to PCI Requirements 10.1, 10.2.4, 10.3, and 10.7.
Get on the Fast Track to PCI-DSS 4.0 Compliance
About the Author: Brian Dixon, Certified PCI-QSA & CISSP, is a compliance expert.