Just a matter of months stand between now and the final deadline for compliance with PCI DSS version 4.0.
Published in March 2022, version 4.0 of the Payment Card Industry Data Security Standard (PCI DSS) replaces v3.2.1, which was retired on March 31, 2024. It brings a large set of new requirements, along with revised guidance and language intended to make the standard easier to understand and comply with.
The deadline for compliance with the new version is March 31, 2024. Most of the new requirements, however, are designated best practice until March 31, 2025, after which they become mandatory for every entity assessed against the standard. It is therefore important to know what is different in the new version, and why those changes were made.
New Version and Goals
In its announcement about the publishing of version 4.0, the PCI Security Standards Council (PCI SSC) said the new version was intended to address emerging threats and technologies and enable innovative methods to combat new threats.
There were four main goals behind version 4.0. The council deemed these updates necessary to meet “the evolving security needs of the payments industry.” In particular, PCI DSS v4.0 is intended to:
- Continue to provide the critical foundation for securing payment data in a rapidly evolving ecosystem;
- Promote security as a continuous process;
- Improve flexibility for organizations using a broad range of methods and technologies to achieve PCI DSS security objectives;
- Enhance validation methods and procedures.
Perspective on Elements of PCI 4.0
The update introduces 64 new requirements: 53 apply to all assessed entities, and 11 apply only to service providers. Of these, 13 took effect immediately with v4.0 assessments, while the remaining 51 are future-dated and become mandatory on March 31, 2025.
Lauren Holloway, Director of Data Security Standards at the PCI Council, says that PCI DSS v4.0 was driven by global industry collaboration and feedback. Over three request-for-comment (RFC) periods, the council received more than 6,000 items of feedback from over 200 companies.
“Therefore, the latest version of the standard was a collective effort supported by many in the payments industry and has been well received,” she said. “We also have regular stakeholder meetings with our board of advisors and the Global Executive Assessor Roundtable, in which they have been providing feedback about their experiences with this new version.”
Holloway explains that the PCI DSS has always been intended to be technology agnostic, and that it should be possible to comply with the v4.0 requirements regardless of the environment you operate in. She said version 4.0 deliberately sets out to “add objective statements to emphasize the broad applicability to technologies of all types.”
Simon Turner, senior manager of ISSCA Consultancy Services and ISA at BT, previously said that, in terms of benefit to the industry, it’s a step in the right direction, “while some security professionals may say it doesn’t go far enough.”
Holloway said that the global payment industry is dynamic and constantly changing, and technologies continue to emerge alongside new threats to payment security.
“Therefore, it is crucial that our data security standards remain relevant so that we can continue to fulfill our mission to protect payments worldwide.”
Impact on Practitioners
Chris Gould, a Qualified Security Assessor (QSA) at I.S. Partners, believes the impact on assessed entities is not that great; most companies he works with recognize that they only need the remaining controls in place by next year.
“I feel with version 4.0, compared to 3.2.1, one of the things the council tried to do was account for where there were gaps, and it wasn’t doing what the council was looking for,” he says.
Gould singled out requirement 12.5.2, which covers documenting and confirming PCI DSS scope, as particularly significant for practitioners: anyone being assessed now has to examine their entire cardholder data environment and identify every data flow, the types of payment card activity they perform, and the stages of each payment.
“Any QSA will tell you this is what they were looking for in version 3.2.1, but the standard wasn’t clearly stating these things,” he says. “From top to bottom, the entity needs to go through all these different entities and see where they are accepting card data, where they are sending it, and if they have the right segmentation controls in place.”
“The council has made it an official requirement with bulleted tasks that entities have to do, so that is the biggest [requirement that is] effective immediately.”
So, are practitioners finding this an easier version to get to grips with? Gould says he has not encountered any “major issues” and has only had a handful of clients who have asked for every new requirement to be tracked. “A lot of the clients are just focusing on the ‘effective immediately’ requirements of what you simply have to do, such as 12.5.2,” he says.
“The only other major changes are going to be the roles and responsibilities documentation for each of Requirements 2 through 11. Most clients are just tackling the easy stuff; it’s easy to document responsibilities like this.”
Gould says most of the other controls really depend on the entity, what they do, and what is in scope, as it is hard to “one size fits all” with PCI DSS.
What Comes Next?
The need for revisions in something like the PCI DSS is constant, as forward steps in technology mean that frameworks such as the PCI DSS need to keep pace with industry and society trends.
Asked whether the council anticipates further revisions to the standard in the coming years, Holloway confirmed that it does: in response to additional stakeholder feedback, “a limited revision of the standard” will be published in 2024 as PCI DSS v4.0.1, correcting formatting and typographical errors and further clarifying the focus and intent of some requirements and guidance.
“All of this is based on feedback, both from the RFC and from our other stakeholder interactions,” Holloway said. “There will not be any new or additional requirements in this revision.”
Does this mean versions are always under review? Holloway said the council collaborates with a global community of participating organizations and other partners involved in payment security to keep its standards current and relevant to changing technologies and emerging threats.
“Our standards continue to evolve and grow alongside trends in the payments industry.”
Concluding Thoughts on the PCI DSS v4.0
The PCI DSS remains one of the key compliance frameworks for anyone with an eye on governance and risk. What we see with the new version is an attempt to keep pace with the change in technology.
From my perspective, the new version is a very positive thing. It attempts to close the gaps present in the previous version and addresses key areas such as the use of cloud technology and stronger authentication.
While these changes are welcome, they may also raise concerns about how to achieve and maintain compliance.
Sound advice on assessing your level of compliance and protecting yourself and your customers is crucial, so choose that guidance carefully.
Align Your Security Systems with New PCI 4.0 Requirements via I.S. Partners
I.S. Partners has followed the development of the new PCI DSS version throughout. Streamline your transition and comply with the PCI DSS v4.0 requirements with the help of our expert auditors and our comprehensive assessments.
Contact us today and schedule a consultation with our PCI expert.