What to Expect from PCI DSS v4.0

At CampusGuard, we are not sure what has been more highly anticipated, the release of Frozen 2 or the release of PCI DSS v4.0. Fortunately, we don’t have to wait too much longer for either! The draft update to the Payment Card Industry Data Security Standard, PCI DSS v4.0, is currently in the Request for Comments (RFC) process, where participating stakeholders, including Qualified Security Assessors and Approved Scanning Vendors like CampusGuard, can provide comments and feedback to help steer the final updates. The RFC period runs from October 28 to December 13, 2019.

Following the RFC period (and potentially another), the PCI Security Standards Council (PCI SSC) will continue to review and finalize the latest version, most likely making more adjustments to the requirements before the standard is finalized and released publicly sometime late 2020. As we have seen with other version releases, there will most likely be a grace period in which organizations can attest using the current version (v3.2.1) while they address any new or changed requirements they are now not meeting. You should plan, however, to attest using the new version during the following compliance cycle.

When the PCI DSS was initial introduced (December 2004), it was designed to provide a common set of controls that would reduce consumer fraud and protect sensitive cardholder information. It only makes sense that, as risks and threats to payment data are continuously evolving at a rapid pace, the DSS should also be evolving to help organizations adequately secure their payment environments.

According to the PCI SSC, the priorities for PCI DSS v4.0 include strengthening security and adding flexibility. The new standard will include:

• New requirements: New and revised requirements to address evolving risks and threats to payment data and to reinforce security as a continuous process
• New focus on security objectives: Requirements and validation options are redesigned to focus on security objectives to support organizations using different methodologies to meet the intent of PCI DSS requirements.

With this focus on security objectives, the 12 core requirements will remain fundamentally the same, but many of the requirements will now be written as outcome-based statements focused on implementation of the security control as the end result. Wording might simply change from what must be implemented to what the resulting outcome should be. Intent statements are also being added to help clarify what needs to be achieved, with more flexibility as to how the organization actually achieves that outcome.

From what we have learned from the Council and presentations at this year’s PCI Community Meeting in Vancouver, a few examples of the proposed draft requirements include:

• Revisions to requirements around passwords to accommodate different authentication options and align more closely with the NIST MFA/password guidance (NIST SP 800-63).
• Broader applicability and best practices for encrypting cardholder data on trusted networks. With cyber threats becoming more prevalent, especially within ecommerce environments (ahem…Macy’s data breach last week), the need to keep cardholder data secure during transmission is critical.
• Monitoring requirements to now take into account recent advancements in technology, including next generation network and endpoint detection tools. Requirements will also be more accommodating for services like cloud hosting, which we see more and more merchants moving towards.
• Greater testing frequency for critical controls, potentially incorporating requirements from the Designated Entities Supplemental Validation (DESV) that are typically only required for organizations that process large volumes of payment data or have experienced a data breach. The DESV was created to help ensure ongoing compliance and security throughout the year, and build practices into the organization’s “business as usual” so including some of these requirements in the full PCI DSS makes good sense. (Note: If you need any more proof why this is important, check out Verizon’s recent Payment Card Security Report, in which over 50% of organizations that attested PCI compliance failed to pass their compliance status halfway through the year.)
• New requirements asking organizations to verify their PCI DSS scope, and ensure accuracy and completeness of their cardholder data environment (CDE).
• Updates to the annual risk assessment requirement to provide greater clarity and guidance, and help organizations come out of their assessments with a more useful risk analysis.
• Additions to security awareness training requirements for end users to include best practices for preventing phishing and social engineering. (Note: According to the 2019 Verizon Data Breach Investigations Report, phishing was the primary weapon in almost a third of all data breaches…ongoing employee awareness is key!)
• Additional requirements for service providers (and how you monitor them). Did you know that third-party involvement increases the overall cost of a data breach per record by 10%?

Finally, one of the most significant updates to PCI DSS v4.0 is the increased flexibility in how organizations report their compliance status to their acquiring banks and an alternative method for doing so. Organizations will now have two options:

The first, the Defined Implementation Approach, is the traditional method in which organizations use the SAQs to assess and report their compliance. The second method, the Customized Implementation Approach, is more flexible but requires the organization demonstrate their understanding of the intent of each requirement and detail how existing security controls achieve the required end result. Similar to what we previously knew as compensating controls, this new method will be more for organizations who are using innovative technologies and have a mature cybersecurity program. However, unlike compensating controls, this customized validation will not require a business or technical justification for using alternative methods, as the requirements will now be outcome-based. Organizations can choose to report their compliance via one of these two options or use a blended approach in which they determine the appropriate method per requirement.

This update to the DSS is long overdue and we are very excited to review the proposed updates. Earlier this year we predicted an increased focus on ecommerce websites, additional requirements for third-party service providers, and more guidance regarding the transmission of cardholder data over networks like VoIP. As payment acceptance methods continue to evolve and we see new technologies (e.g. P2PE, contactless payments, increased cloud usage, Blockchain, etc.) and new software development practices, as well as new online skimming attack methods (e.g. Magecart), we expect the PCI DSS will continue to change and adapt in order to provide organizations with updated guidance on how best to protect their environments.

So far, it does seem that PCI DSS v4.0 will be a big step in the right direction. In previous articles, we have talked a lot about the 80/20 rule and how using a known framework (like the NIST Cybersecurity Framework) can help organizations meet approximately 80% of the necessary controls, but the other 20% will be specific to each individual data type and compliance requirement (i.e. PCI, GLBA, FERPA, HIPAA, GDPR, etc.). As the PCI DSS becomes less prescriptive and more flexible, we believe that this will help organizations not only meet the PCI compliance requirements but also allow more overlap of their information security programs.

Stay tuned for more updates regarding the PCI DSS v4.0. CampusGuard will continue to review the draft document and provide our guidance back to the PCI SSC, with another planned Request for Comments period slated for mid-year 2020. Because this document is still very much in draft stage, don’t worry about implementing any changes to your environments just yet. Your organization will continue to attest compliance using v3.2.1 until the updates are publicly released and a sunset date for v3.2.1 is set.

Please reach out to us if you have questions or want to discuss how to best focus your team’s efforts moving forward.

Below is some additional guidance from our Security Advisor Team:

[King]: As the DSS is reviewed and updated for a significant version release, understanding the impact on a merchant’s environment is foremost in mind for those merchants and the teams that support them. While the draft version was released in October, the standard is still under review and additional changes are expected. So, what can merchants do now to prepare for the update? Review current PCI efforts and ensure you are meeting all the current requirements for your environment. Close any gaps you find now to allow teams to focus on addressing the changes to the DSS once published. A team focused on PCI compliance with a formal management process in place now will increase the chances for a successful implementation of the PCI DSS 4.0 requirements once finalized.