PCI DSS 4.0 is here. Are you ready for the new security requirements?
by Anastasios Arampatzis
The pandemic, together with the evolution of digital technologies, led people and organizations to rely heavily on payment cards for e-commerce, and online transactions exploded worldwide. PCI DSS, the standard that defines how cardholders’ sensitive data must be protected and stored, seems to lag behind this reality. Since its last release back in 2018, new technologies such as cloud storage platforms, but also new cybercriminal techniques, have altered the threat landscape, making a revision of the standard a necessity to cope with all these changes.
As a result, the Payment Card Industry Security Standards Council (PCI SSC), which administers and manages PCI DSS, is about to publish the new version 4.0 with all these changes incorporated. Everything seems ready for a move to a higher level of security, but is your company or organization ready to adapt to it smoothly?
The PCI DSS standard is developed and maintained by PCI SSC, an independent body created in September 2006 by the Visa, MasterCard, American Express, Discover and JCB payment card brands. Its role is to manage the evolution of the PCI security standards, focused on improving payment account security throughout the transaction process.
In order to handle the recent explosion of online transactions and the evolution of new technologies related to online financial transactions, the standard is to be upgraded from its current version 3.2.1 to the new version at the end of March 2022, as announced on a PCI SSC blog.
The transition to the new version will not happen instantly. The two versions will coexist for two years, until 31 March 2024, when the old version will become inactive and void, giving organizations adequate time to familiarize themselves with the changes, and make adjustments to their systems to fully comply with the new requirements.
For one year after the transition period, until 31 March 2025, the requirements that v4.0 identifies as future-dated best practices can be phased in by organizations with no obligation to validate against them. From 1 April 2025, these new requirements must be in effect and are considered part of a PCI DSS assessment.
To help the transition, the Standard and the Summary of Changes will be translated into several languages; additionally, training for Qualified Security Assessors (QSAs) and Internal Security Assessors (ISAs) to support PCI DSS v4.0 assessments will take place in June 2022.
One of the major changes in the new version is its focus on the outcome of the applied security. In other words, the prescriptive “must implement” wording is replaced by a statement of what the outcome must be. Stronger authentication requirements and expanded applicability of data encryption will be included. The new version of the standard moves compliance from an audit-driven, one-time event to a continuous improvement process aimed at securing payments as well as possible.
The 12 core PCI DSS requirements will not change drastically, as they form the foundation for securing payment card data. As mentioned before, requirements will be outcome-based statements focused on the security result. The top-level goals are that the standard continues to serve the security needs of the payment industry; that it is flexible enough to incorporate additional methodologies as long as they promote security; and that security is continuously promoted through enhanced validation procedures.
The new version generally maintains the prescribed compliance method, but also allows organizations to design their own security controls and meet the standard’s requirements through a customized implementation. This gives organizations the freedom to develop the solutions that best fit them while still achieving compliance. Special consideration of the security of cloud and serverless workloads is expected.
Encryption will be a factor of major concern in v4.0. As early SSL/TLS protocol versions have been removed from cardholder data environments as insecure, and new cyber threats thrive, PCI DSS v4.0 will include stronger requirements, such as broader applicability of encryption for cardholder data on trusted networks, and a regular data discovery methodology to locate all sources and locations of cleartext PANs (primary account numbers).
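Data discovery for cleartext PANs, as named above, ends up being a check run over logs, exports and file shares. The following is an added example (not code from the article or from ADACOM) of the core step: flag digit runs that pass the Luhn check and report them masked, so the scanner's own output never becomes another cleartext PAN location. The log lines and the file name `app.log` are constructed for the example.

```python
import re
from dataclasses import dataclass

# Candidate PAN: 13 to 19 digits, optionally separated by single spaces or dashes,
# not embedded in a longer digit run (avoids matching order ids, timestamps, etc.).
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Mod-10 (Luhn) check: filters out digit runs that merely look like a PAN."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Keep at most first six / last four (the PCI DSS display rule), mask the rest."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


@dataclass
class Finding:
    source: str
    line_no: int
    masked_pan: str


def find_cleartext_pans(source: str, lines) -> list:
    """Return one Finding per Luhn-valid candidate found in the given lines."""
    findings = []
    for n, line in enumerate(lines, start=1):
        for m in PAN_CANDIDATE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group(0))
            if luhn_valid(digits):
                findings.append(Finding(source, n, mask_pan(digits)))
    return findings


# Constructed sample log lines; the card numbers are publicly known test numbers, not real cards.
SAMPLE_LOG = [
    "2024-03-01T10:15:02Z order=88213 card=4111 1111 1111 1111 amount=42.00",  # cleartext PAN
    "2024-03-01T10:15:03Z order=88214 card=4111111111111112 amount=10.00",     # fails Luhn: ignored
    "2024-03-01T10:15:04Z customer phone=+30 210 1234567 token=tok_9f8e7d",    # too short: ignored
    "2024-03-01T10:15:05Z order=88215 card=411111******1111 amount=9.99",      # already masked
    "2024-03-01T10:15:06Z order=88216 card=3782 822463 10005 amount=120.00",   # 15-digit cleartext PAN
]

if __name__ == "__main__":
    for f in find_cleartext_pans("app.log", SAMPLE_LOG):
        print(f"{f.source}:{f.line_no}: cleartext PAN {f.masked_pan}")
```

In a real sweep the same function is run over each file's lines, and the masked findings are what goes into the discovery report.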
PCI DSS v4.0 will apply stronger authentication requirements to log-ins for payment and control processes. The Council partnered with Europay, Mastercard, and Visa to implement the use of the 3DS Core Security Standard during transaction authorization, and will align with NIST guidance on digital identities. Multifactor authentication for every account accessing cardholder data, frequent changes of strong 15-character alphanumeric passwords, and frequent review of access privileges are some of the new requirements. Furthermore, the standard will allow organizations to build their own authentication solutions to meet the data security regulatory requirements.
There are likely to be more risk-based approaches; the new version is expected to update the risk assessment process to provide greater clarity and guidance for the organization. Finally, Designated Entities Supplemental Validation (DESV) requirements may become mandatory for organizations to achieve compliance.
PCI DSS v4.0 is on the way and sets the bar higher than its predecessor; it will give your organization more flexibility but will impose more stringent security requirements. Your organization will be free to select and implement solutions, as long as the intended outcome of each PCI DSS objective is achieved. If you want to learn more, or need an audit from one of our experts to ensure compliance, contact ADACOM.