Listen to: "PCI DSS 4.0 Is Coming in 2020: What to Expect"
For companies that transmit and use payment card information from consumers, the Payment Card Industry Data Security Standard (PCI DSS) provides encompassing information security standards for any organization that handles or transmits consumer credit card data.
The request for comments (RFC) period for PCI DSS 4.0 is quickly coming to a close this November 2019, and the council hopes to release the updated version 4.0 by the end of 2020. This article outlines what we know about the upcoming update.
What is Changing with PCI DSS 4.0?
There will be 4 specific areas that may be changed with the credit card data security standards. These areas are focused on authentication, encryption, monitoring and critical control testing frequency methods. There has been growing support for new payment initiatives to be introduced or changed for this PCI DSS 4.0 version by the Payment Card Industry Security Standards Council (PCI SSC). Here is what may occur with each specific area:
Authentication: Deeper Focus on NIST MFA/Password Guidance
The PCI SSC has been working with the Europay, Mastercard and Visa consortium (EMVco) regarding more authentication standards applied to both control process access log-ins as well as for payment processes. One element that the new PCI DSS 4.0 iteration may focus on in greater detail is the use of a 3DS Core Security Standard during transaction authorization. The 3DS standard allows organizations to build pluggable authentication options to enable secure customer authentication, as controls will be able to meet the regulatory requirements in data security while being scalable to the company’s changing transaction objectives.
Encryption: Broader Applicability on Trusted Networks
With cyber threats becoming more prevalent in the industry, the need to keep cardholder data secure on trusted networks has become more paramount. One of the biggest threats that will need to be looked into involves the use of malicious code that may take up residence in the network. As cardholder data is transmitted, this threat can harvest the information. So this issue is one area that the PCI DSS 4.0 version will provide guidance and best practices for to fully secure network transmissions.
Monitoring: Technology Advancement Requirements
There may be more risk-based approaches in the new PCI DSS 4.0. Technology is growing rapidly, as companies are looking at pluggable options in their information systems much like the PCI Software Security Framework. The adoption of such solutions allow for a faster deployment of processes without having the technology located in a specific control area as it will still abide with all regulations and standards.
Critical Control Testing Frequency: Possible Inclusion of DESV Requirements
Many of the Designated Entities Supplemental Validation (DESV) requirements have been included in previous PCI DSS requirements. So the critical control testing frequency and the addition of controls may also make their way into this PCI DSS version. The DESV requirements were usually reserved for companies that have experienced a breach. However, the requirements may become standard for all industries, as it will be a wait-and-see process on how the requirements will be received.
What’s Happening Now with PCI DSS 4.0?
As of this writing, the PCI SSC is still requesting industry comments in regards to the new PCI DSS 4.0 iteration. This request for comment (RFC) phase will end on November 30, 2019. After the comments, the PCI SSC hopes to release the new DSS version at the end of 2020. Many of the specific areas may experience more drastic changes than what has been mentioned, while others may have very few controls added. So it is best to frequently check in on this blog space for additional information that may be passed along when the PCI SSC makes further announcements.
Obtain PCI DSS Assessment Testing
Handling and transmitting cardholder data, as well as performing transactions, needs to be performed in a secure information security environment with the correct controls in place to minimize risks. To learn whether your systems are PCI DSS compliant, you can obtain testing from I.S. Partners.
We make the process easier by offering a range of assessments and advisory services tailored to your business framework. With a PCI DSS Assessment, you can minimize risks, identify security weaknesses, and further protect cardholder data from breaches. Receive a quote from our company by filling out the contact form. You can also learn more about our services and the PCI DSS security standards by contacting us at 215-675-1400.