PCI-DSS 4.0, the latest version of the Payment Card Industry Data Security Standard, is expected to be released in Q1-2022. Like all versions of PCI-DSS, 4.0 will be a comprehensive set of guidelines aimed at securing systems involved in the processing, storage, and transmission of credit card data.
PCI-DSS applies to any organization that processes, stores, or transmits cardholder data (or that provides services that control or could impact the security of cardholder data or the card holder data environment). To comply, organizations need to fulfill a variety of requirements; these include ongoing monitoring/testing, implementing strong access control measures, protecting cardholder data, and more.
Although the full text of PCI-DSS 4.0 has yet to be released, we do already know a fair bit about it. The PCI Security Standards Council (the organization responsible for PCI-DSS) has set four objectives to guide the creation of Version 4.0:
- Ensure the standard continues to meet the security needs of the payments industry
- Add flexibility and support of additional methodologies to achieve security
- Promote security as a continuous process
- Enhance validation methods and procedures
But what policies will PCI-DSS 4.0 include to meet those objectives, and how will they impact your business? Here’s an overview of what we know today, as well as the evolution of the standard since its inception nearly 20 years ago.
History of PCI-DSS
In the early 2000s, with e-commerce becoming a larger part of the global economy, credit card companies started to re-think their approach to securing the cardholder environment. There were new threats related to the growth of web-based transactions, but there weren’t a unified set of standards to ensure consistent and secure processing, storage, and transmission of credit card data
So, in 2004, a group of credit card companies — American Express, Discover, JCB International, MasterCard, and Visa – came together to release the first version of PCI-DSS.
In the 15-plus years since Version 1.0 was released, the founding companies have formalized their role in governing credit card transactions by establishing the PCI Security Standards Council (PCI-SSC). There have also been numerous updates to the original PCI-DSS Version 1.0 to account for technological advances and evolving cyber threats. In total, PCI-DSS 4.0 will be the 10th version of the standard to be released.
What We Know About PCI-DSS 4.0
When PCI-DSS 4.0 is officially released in Q1 2022, it’s expected to differ from PCI-DSS 3.2.1 (the current version) in a few ways. The biggest change is in how businesses will be able to achieve compliance.
PCI-DSS 3.2.1 (and earlier versions of the standard) includes not only a series of objectives (i.e. protect cardholder data), but specific and stringent requirements that dictate how companies must achieve those goals. In other words, the standard is extremely prescriptive. Businesses that are unable to follow these prescriptive steps to compliance must implement a compensating control — a burdensome and time-consuming procedure that requires an organization to go “above and beyond” the intent of the primary control itself.
PCI-DSS 4.0 does keep the existing prescriptive method for compliance, but it replaces compensating controls with an alternate option: customized implementation.
Customized implementation considers the intent of the objective and allows entities to design their own security controls to meet it. Once an organization determines the security control for a given objective, it must provide full documentation to enable their Qualified Security Auditor (QSA) to make a final decision on the effectiveness of a control.
Another area of expected change will be around the use of cloud and serverless computing. The core controls of the current Version 3.2.1 were not designed for the IT environments of 2020, so Version 4.0 will introduce an updated set of requirements and approaches to securing cloud and serverless workloads.
Enterprises can also expect new control requirements, such as an expansion of the encryption of card holder data over any transmission, including within trusted networks. There is also likely to be a control requirement update around passwords/login access (i.e. an increase in use of multi-factor authentication).
How to Comply with PCI-DSS 4.0
The 12 foundational requirements and list of controls of PCI-DSS 3.2.1 will still be a part of PCI-DSS 4.0. But the addition of the customized implementation option introduces new flexibility for companies to use a broader range of methods and technologies to achieve each PCI objective. And, ultimately, organizations might find a cheaper or simpler way to comply.
So, organizations that currently use a compensating control(s) would be well served to evaluate what the compensating control(s) costs – in both time and effort – and identify if other security technologies can help them achieve compliance under the customized implementation method.
Although we don’t know the exact date or month when PCI-DSS 4.0 will be released, the best guess is sometime in the early to mid 2022. Based on this estimate – and since most of the foundational requirements will stay in the same in 4.0 – it is likely that organizations will be required to comply with the new standard sometime through late 2022. This isn’t official yet, but prior PCI-DSS releases have provided generous lead time to help organizations comply with the standard, and we expect the same to be the case with 4.0.
The introduction of the customized implementation approach in PCI-DSS 4.0 gives businesses more flexibility. As long as they implement solutions that achieve the intended outcome of a specific PCI objective, organizations no longer are forced to follow the methods prescribed by the PCI-SSC (or implement a burdensome compensating control).
This opens the door for organizations to evaluate new tools and technologies that can support multiple security requirements across the business — and may very well cost less and work faster.
However, it’s critical that companies look for tools that actually solve a technology pain point, rather than simply purchasing something to “tick a box” on the PCI-DSS checklist. It’s vital that the solution is compliant and achieves the requirements stated in PCI-DSS. And if the tool is one that interacts with storing, transmitting, or processing cardholder data, check to make sure the vendor has the appropriate PCI certification, Attestation of Compliance (AOC).
Although different organizations will have different needs, businesses often find security tracking tools (such as software that monitors and collects audit trails for all PCI related events) and SIEM solutions (that collect logs and aggregate data into a central repository) helpful in complying with PCI-DSS.
A best-in-class micro-segmentation solution can be a powerful tool in helping organizations with PCI-DSS. Micro-segmentation offers a powerful and flexible way for businesses to reduce PCI scope. It provides complete visibility and protection for all north-south and east-west communications. And it creates secure zones and policies around your CDE and critical PCI systems, which limits the attack surface and ability for lateral movement to occur – reducing the impact of a breach scenario.
Finally, the PCI Council’s SAQ (self-assessment questionnaire) is a useful tool that can help your organization stay on track for compliance.