Although the full, final version of PCI-DSS 4.0 has not been released, we do already know a fair bit about what to expect when it is.
First and foremost, the PCI-SSC's estimated release date for PCI-DSS 4.0 is mid-2021. Additionally, the PCI-SSC (the organization responsible for PCI-DSS) has set four objectives to guide the creation of Version 4.0:
- Ensure the standard continues to meet the security needs of the payments industry
- Add flexibility and support of additional methodologies to achieve security
- Promote security as a continuous process
- Enhance validation methods and procedures
Organizations can expect a handful of changes from the current PCI-DSS 3.2.1 that stem from those objectives. Here’s a look at some of the most significant.
Introducing Customized Implementation
Under the current PCI-DSS 3.2.1 (and earlier versions of the standard) organizations are subject to specific and stringent requirements that dictate how they must achieve PCI-DSS goals. (These goals include objectives like: “Build and Maintain a Secure Network,” “Protect Cardholder Data,” and more.)
In other words, PCI-DSS 3.2.1 and previous versions have been prescriptive: merchants had to meet specific, predefined criteria to achieve compliance.
PCI-DSS 4.0 does keep the existing prescriptive method for compliance, but it also introduces a second option: customized implementation.
The customized implementation approach will give organizations more flexibility because it lets them design their own security controls, as long as those controls meet the intent of the PCI-DSS requirement. In other words, if an organization achieves the intended outcome of a given PCI-DSS requirement, it is free to implement a solution of its choice. It also lets organizations deploy a single solution that satisfies controls across several PCI-DSS requirements.
Organizations that go the customized implementation route will be fully responsible for providing the documentation their Qualified Security Assessor (QSA) needs to assess the effectiveness of each control. The customized approach therefore has to be paired with a strong risk assessment process, which informs both the design and the validation of customized controls.
Replacing Compensating Controls
Currently, organizations that are unable to meet the prescriptive methods of achieving PCI-DSS goals are required to use compensating controls. Implementing a compensating control is a burdensome and time-consuming process: the control must meet the intent and rigor of the original requirement and go "above and beyond" what other PCI-DSS requirements already demand. As you might imagine, compensating controls are complicated, and they create additional work for the organization, which must document the control, justify it, and demonstrate the residual risk to its environment.
PCI-DSS 4.0 is expected to replace compensating controls with the customized implementation option. So, to comply with PCI-DSS 4.0, enterprises will need to use either a) the existing prescriptive implementation or b) the new customized implementation. Compensating controls will no longer be an option.
Other Changes in PCI-DSS 4.0
The core controls of the current PCI-DSS 3.2.1 mostly date back to 2013 (PCI-DSS 3.0), so they weren't designed for the IT environments of 2020. As part of the PCI-SSC's efforts to ensure Version 4.0 reflects the current security landscape, it will include new requirements and approaches for securing cloud and serverless computing and workloads.
Another expected change is an expansion of the encryption of cardholder data over any transmission, including within trusted networks. There will also likely be an update to the password controls in Requirement 8 (which deals with identifying and authenticating user access) to align them more closely with NIST SP 800-63B. We may also see an increase in the use of multifactor authentication, particularly for high-privilege accounts.
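The Requirement 8 alignment mentioned above is easier to reason about with a concrete check. The following is an added example, not code from this article or from ColorTokens, of a password validator and storage routine that follows the memorized-secret guidance in NIST SP 800-63B: length is the main rule, there are no composition rules, candidate secrets are screened against a blocklist of breached, common and context-specific values, and only a salted, iterated hash is stored. The 12-character minimum, the blocklist contents, the organization-specific words and the PBKDF2 parameters are assumptions chosen for illustration, not values taken from PCI-DSS 4.0 or SP 800-63B.

```python
"""Memorized-secret checks in the spirit of NIST SP 800-63B.

Added example for this article, not ColorTokens code. MIN_LENGTH, the
blocklist, CONTEXT_WORDS and the PBKDF2 parameters are illustrative
assumptions, not values from PCI-DSS 4.0 or SP 800-63B.
"""
import hashlib
import hmac
import os
import unicodedata

MIN_LENGTH = 12              # assumed policy value (SP 800-63B's own floor is 8)
MAX_LENGTH = 64              # SP 800-63B: verifiers must accept at least 64 characters
PBKDF2_ITERATIONS = 210_000  # assumed; a memory-hard KDF is preferable where available
SALT_BYTES = 16

# Constructed sample blocklist; a real one is built from breach corpora.
BLOCKLIST = {"password", "123456", "qwerty", "letmein", "welcome1", "password1"}
# Assumed organization-specific words (company name, product name, ...).
CONTEXT_WORDS = {"acme", "acmepay", "cardholder"}


def normalize(secret: str) -> str:
    """Apply Unicode NFKC normalization so the same secret always compares equal."""
    return unicodedata.normalize("NFKC", secret)


def has_run(s: str, n: int = 4) -> bool:
    """True if s contains n consecutive identical or strictly sequential characters
    (e.g. 'aaaa', 'abcd', '4321'), which SP 800-63B says to screen out."""
    for i in range(len(s) - n + 1):
        codes = [ord(c) for c in s[i:i + n]]
        diffs = {b - a for a, b in zip(codes, codes[1:])}
        if diffs in ({0}, {1}, {-1}):
            return True
    return False


def check_secret(secret: str, username: str = "") -> list:
    """Return the reasons a secret is rejected; an empty list means it is acceptable.
    Deliberately no composition rules (uppercase/digit/symbol): SP 800-63B advises against them."""
    s = normalize(secret)
    lowered = s.lower()
    problems = []
    if len(s) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if len(s) > MAX_LENGTH:
        problems.append(f"longer than {MAX_LENGTH} characters")
    if lowered in BLOCKLIST:
        problems.append("matches a known breached or common password")
    if any(word in lowered for word in CONTEXT_WORDS):
        problems.append("contains an organization-specific word")
    if username and username.lower() in lowered:
        problems.append("contains the username")
    if has_run(s):
        problems.append("contains a repetitive or sequential run")
    return problems


def hash_secret(secret: str) -> bytes:
    """Store only a salted, iterated hash. Returns salt || digest."""
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", normalize(secret).encode("utf-8"),
                                 salt, PBKDF2_ITERATIONS)
    return salt + digest


def verify_secret(secret: str, stored: bytes) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    salt, digest = stored[:SALT_BYTES], stored[SALT_BYTES:]
    candidate = hashlib.pbkdf2_hmac("sha256", normalize(secret).encode("utf-8"),
                                    salt, PBKDF2_ITERATIONS)
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    for pw in ["password", "Acmepay-2024-Secure!", "correct horse battery staple"]:
        print(repr(pw), "->", check_secret(pw) or "acceptable")
    record = hash_secret("correct horse battery staple")
    print("verify:", verify_secret("correct horse battery staple", record))
```

Note what is absent: no forced quarterly rotation and no "one uppercase, one digit, one symbol" rule. SP 800-63B moved away from both in favour of length, blocklist screening and rate limiting, and that is the direction the Requirement 8 alignment points in.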
Getting a Head Start on PCI-DSS 4.0
There are several technologies and services that can help organizations comply with PCI-DSS 4.0, especially given the introduction of the more flexible customized implementation option.
Micro-segmentation is one tool that can help because it offers a powerful and flexible way for businesses to reduce PCI scope. It also provides visibility into, and control over, north-south and east-west communications, and it creates secure zones and policies around your CDE and other critical PCI systems. This shrinks the attack surface and limits lateral movement, reducing the impact of a breach.
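As an added illustration of the zones-and-policies idea (this is example code written for this article, not ColorTokens code or configuration; the zones, address ranges, rules and flow records are all constructed), the following evaluates a default-deny segmentation policy over a handful of flow records, flags blocked attempts to reach CDE workloads, and computes which zones end up in PCI scope because the policy gives them a path into the CDE.

```python
"""Default-deny micro-segmentation policy evaluated over flow records.

Added example for this article, not ColorTokens code or configuration.
Zones, address ranges, rules and the flow records are constructed for
illustration only.
"""
import ipaddress
from dataclasses import dataclass

# Zones are checked in order; the catch-all must come last.
ZONES = {
    "cde-db":   [ipaddress.ip_network("10.10.1.0/24")],
    "cde-app":  [ipaddress.ip_network("10.10.2.0/24")],
    "corp":     [ipaddress.ip_network("10.50.0.0/16")],
    "internet": [ipaddress.ip_network("0.0.0.0/0")],
}


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    proto: str
    dport: int


# Explicit allow-list; anything not listed is denied, including traffic
# between workloads inside the same zone (east-west).
ALLOW = [
    Rule("cde-app", "cde-db", "tcp", 5432),  # app tier to the database only
    Rule("corp", "cde-app", "tcp", 443),     # corporate users to the app front end over TLS
]


def zone_of(ip: str) -> str:
    """Map an address to the first zone whose ranges contain it."""
    addr = ipaddress.ip_address(ip)
    for name, nets in ZONES.items():
        if any(addr in net for net in nets):
            return name
    return "unknown"


def parse_flow(line: str) -> tuple:
    """Parse a constructed 'key=value' flow record into (src, dst, proto, dport)."""
    fields = dict(kv.split("=", 1) for kv in line.split())
    return fields["src"], fields["dst"], fields["proto"].lower(), int(fields["dport"])


def evaluate(line: str) -> dict:
    """Decide one flow; denials that target the CDE are raised to alerts."""
    src, dst, proto, dport = parse_flow(line)
    src_zone, dst_zone = zone_of(src), zone_of(dst)
    allowed = Rule(src_zone, dst_zone, proto, dport) in ALLOW
    if allowed:
        verdict = "allow"
    elif dst_zone.startswith("cde-"):
        verdict = "alert"   # blocked attempt to reach cardholder data systems
    else:
        verdict = "deny"
    return {"src_zone": src_zone, "dst_zone": dst_zone, "allowed": allowed, "verdict": verdict}


def in_scope_zones() -> set:
    """CDE zones plus every zone the policy lets reach the CDE ('connected-to' systems)."""
    cde = {z for z in ZONES if z.startswith("cde-")}
    connected = {r.src_zone for r in ALLOW if r.dst_zone in cde}
    return cde | connected


SAMPLE_FLOWS = [  # constructed records, not real logs
    "src=10.10.2.4 dst=10.10.1.9 proto=tcp dport=5432",   # app -> db
    "src=10.50.3.7 dst=10.10.2.15 proto=tcp dport=443",   # corp -> app
    "src=10.50.3.7 dst=10.10.1.9 proto=tcp dport=5432",   # corp -> db (lateral movement)
    "src=10.10.2.4 dst=10.10.2.5 proto=tcp dport=22",     # app -> app over ssh (east-west)
    "src=203.0.113.8 dst=10.50.3.7 proto=tcp dport=445",  # internet -> corp
]


def audit(lines=SAMPLE_FLOWS) -> list:
    """Return (record, verdict) pairs for a batch of flow records."""
    return [(line, evaluate(line)["verdict"]) for line in lines]


if __name__ == "__main__":
    for line, verdict in audit():
        print(f"{verdict:5s} {line}")
    print("in scope:", sorted(in_scope_zones()))
```

The scope calculation is the point to notice: because the policy allows corp to reach cde-app, the whole corp zone is "connected-to" the CDE and stays in scope. Routing that access through a small, separately segmented jump zone instead would drop corp out of scope, which is the kind of decision the flexibility in Version 4.0 is meant to make easier to justify to a QSA.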
Learn more about how ColorTokens’ best-in-class micro-segmentation solution can help your business with PCI-DSS 4.0 compliance.
About the Author: Brian Dixon, Certified PCI-QSA & CISSP, is a ColorTokens solutions architect and compliance expert