For companies that transmit and use payment card information from consumers, the Payment Card Industry Data Security Standard (PCI DSS) provides the most comprehensive information security standards.
This is because the PCI Security Standards Council is continually looking at the way the industry operates and looking for ways to improve it. Specifically, it is concerned with enhancing the way businesses handle such things as the development, storage, dissemination, and security for data. As such, it occasionally issues new updates for businesses to improve their practice in these areas and make sure they are being compliant.
PCI DSS 4.0 Release Date: Mid-2021
The request for comments (RFC) period for PCI DSS 4.0 closed in November 2019 and the council plans to release version 4.0 by the middle of 2021. Because many of the PCI security controls are 10 years old and major changes haven’t been made since 2015, industry insiders believe that PCI DSS 4.0 will be significant. We wanted to outline the changes that we can expect when this updated version comes out later this year.
What Will Change When PCI DSS version 4.0 Is Released?
There has been growing support for new payment initiatives to be introduced or changed for this PCI DSS 4.0 version by the Payment Card Industry Security Standards Council (PCI SSC).
We anticipate there to be six specific areas that may be changed with the credit card data security standards. These areas are focused on security, customized implementation, authentication, encryption, monitoring, and critical control testing frequency methods.
6 Key Changes to Anticipate with PCI DSS 4.0
Here’s a closer look at the main PCI DSS 4.0 changes to plan for:
1. Flexibility: Customized Implementation to Meet the Intent of Security Controls
This is probably the biggest change that will be ushered in with the release of PCI DSS 4.0 next year. The 12 requirements will be shifted to focus on the main security objectives:
- Ensure the standard continues to meet the security needs of the payments industry,
- Add flexibility and support of additional methodologies to achieve security,
- Promote security as a continuous process,
- Enhance validation methods and procedures.
The new, customized validation approach will sharply define the security outcomes linked to each requirement. With PCI DSS 4.0, organizations will then be able to choose to perform the control as prescribed or opt for customized implementation. With customized implementation, companies can comply by showing that the intent of the requirement is met without needing to provide an operational or technical justification.
Similar to compensating controls, this change will allow businesses more flexibility in modifying implementation procedures and meeting requirement intent. To verify effectiveness, external assessors must review the documentation and thoroughly test each control with custom implementation.
2. Security: More Stringent Requirements
The ultimate goal of PCI DSS continues to be ensuring that all sellers safely and securely store, process, and transmit cardholder data. It is fair to assume that PCI DSS 4.0 will set the bar higher and build on the assurance of PCI-DSS v3.2.1. In addition to restructuring many of the requirements, the Summary of Changes will likely include stronger security standards. Top management, including CISOs and CTOs, should prepare to adjust budgets in order to allocate capital and operational funds to implement the new requirements.
3. Authentication: Deeper Focus on NIST MFA/Password Guidance
NIST/Password Guidance moves to the forefront in this new version. The PCI SSC places more focus on applying stronger authentication standards to payment and control process access log-ins. It has also partnered with the Europay, Mastercard, and Visa (EMVco) to implement the use of a 3DS Core Security Standard during transaction authorization.
This new standard opens the door for organizations to build their own unique pluggable authentication standards to meet data security regulatory requirements. At the same time, they can be scaled to fit the company’s transaction objectives.
4. Encryption: Broader Applicability on Trusted Networks
The push for more secure standards related to cardholder data security has increased. Cyberthreats that include malicious code is one of the biggest problems that financial institutions face. Once the code is embedded in the network, information can be retrieved through cardholder data being transmitted. The new version of PCI DSS 4.0 specifically addresses this issue, with best practices and insight on how to fully protect network transmissions.
5. Monitoring: Technology Advancement Requirements
There are likely to be more risk-based approaches in the new PCI DSS 4.0. Technology is growing rapidly, and companies are looking at pluggable options for their information systems, much like the PCI Software Security Framework. The adoption of these solutions allows organizations to comply with standards while gaining faster deployment of processes without having the technology located in a specific control area.
6. Critical Control Testing Frequency: Possible Inclusion of DESV Requirements
This is a higher level of critical control testing, which includes a significant increase in the amount of testing required. Though Designated Entities Supplemental Validation (DESV) requirements are nothing new, they were previously mandatory only for companies that had been compromised. In this new version, these requirements may be a mandated requirement for all companies to achieve compliance.
PCI DSS 4.0 Timeline
The request for comment (RFC) phase ended on November 30, 2019. Now, the PCI SSC is developing the new DSS version, but has pushed their expected release date to mid-2021.
In preparation of PCI DSS 4.0, we recommend that organizations plan for budgetary changes to adapt to the new requirements and additional risk-based security testing. Implementing more significant changes are likely to demand staffing and training efforts as well.
Related article: How to Keep Employees and Your Organization PCI Compliant.
Other Recent Updates from the PCI SSC
Since 2015, SSL/early TLS encryption protocols were deemed as no longer secure, according to Jones Day. At that time, the Payment Card Industry Data Security Standard (PCI DSS) offered important guidance about the vulnerabilities within the Secure Sockets Layer (SSL) protocol, as well as problems with early versions of the Transport Layer Security (TLS) protocol.
The PCI Security Standards Council (SSC) originally ordered the removal of SSL and early TLS versions from cardholder data environments by June 2018. This required companies to disable SSL/early TLS encryption tools to adopt and implement a more secure encryption protocol. At that point, the PCI SSC strongly suggested implementation of TLS v1.2 for peak protection.
Obtain PCI DSS Assessment Testing
Handling and transmitting cardholder data, as well as performing transactions, needs to be performed in a secure information security environment with the correct controls in place to minimize risks. Learn whether your systems are PCI DSS compliant with specialized testing from AWA.
We make the process easier by offering a range of assessments and advisory services tailored to your business framework. With a PCI DSS Assessment, you can minimize risks, identify security vulnerabilities, and further protect cardholder data from breaches. Reach out to AWA and I.S. Partners by filling out the contact form below.