For companies that transmit payment card information from consumers, the Payment Card Industry Data Security Standard (PCI DSS) provides the most comprehensive information security standards.
That is because the PCI Security Standards Council is continually reviewing how the industry operates and looking for ways to improve it. Specifically, it is concerned with enhancing how businesses handle the development, storage, dissemination, and security of data. PCI DSS occasionally issues new updates for organizations to improve their practices in these areas and ensure they remain compliant.
The next version of the Payment Card Industry Data Security Standard is scheduled for release early next year. It might be too soon to know exactly what will change when PCI DSS Version 4.0 is released, but we can look for clues in the PCI Council’s blogs and in feedback reports from industry sources who have reviewed early drafts.
Goals for PCI DSS v4.0
Based on the feedback received, PCI SSC evaluates how to evolve the standard to accommodate changes in technology, risk mitigation techniques, and the threat landscape. PCI SSC is also looking to introduce greater flexibility to support organizations using a broad range of controls and methods to meet security objectives.
These are some of the high-level goals for PCI DSS v4.0:
- Ensure the standard continues to meet the security needs of the payments industry
- Add flexibility and support of additional methodologies to achieve security
- Promote security as a continuous process
- Enhance validation methods and procedures
Industry feedback is shaping the next major release of PCI DSS
An initial request for comment (RFC) went out to the industry between October and December 2019. The RFC generated over 3,000 responses. An additional RFC, which included an updated draft of PCI DSS Version 4.0, was sent in October 2020. PCI SSC is targeting a Q1 2022 publication date for PCI DSS v4.0.
Some of the specific areas that stakeholders asked PCI SSC to review include:
- Authentication, specifically consideration for the NIST MFA/password guidance
- Broader applicability for encrypting cardholder data on trusted networks
- Monitoring requirements to consider technology advancement
As part of the RFC process, all feedback received will be reviewed and considered in the development of the standard.
Key Changes to Anticipate with PCI DSS 4.0
1 Flexibility: Customized implementation to meet the intent of security controls
That is probably the most significant change that will come into place when PCI DSS 4.0 is released next year. The 12 requirements will shift to focus on the main security objectives reviewed in the RFCs.
The new, customized validation approach will sharply define the security outcomes linked to each requirement. With PCI DSS 4.0, organizations will have the ability to choose to perform the control as prescribed or opt for customized implementation. With customized implementation, organizations can comply by showing that they met the intent of the requirement without needing to provide an operational or technical justification.
That change will give businesses more flexibility in how they implement their procedures while still meeting the intent of the requirement. To verify effectiveness, external assessors must review the documentation and thoroughly test each control that is implemented under the customized approach.
2 Security: More stringent requirements
The ultimate goal of PCI DSS continues to be ensuring that all merchants safely and securely store, process, and transmit cardholder data. It is fair to assume that PCI DSS 4.0 will set the bar higher and build on the assurance provided by PCI DSS v3.2.1. In addition to restructuring many of the requirements, the Summary of Changes will likely include strengthened security requirements. Top management, including CISOs and CTOs, should prepare to adjust budgets and allocate capital and operational funds to implement the new requirements.
3 Authentication: A focus on NIST Password Guidance & MFA
National Institute of Standards and Technology (NIST) password guidance moves to the forefront in this new version. The PCI SSC places more focus on applying stronger authentication standards to logins for payment systems and control processes. It has also partnered with EMVCo (Europay, Mastercard, and Visa) to implement the use of the 3DS Core Security Standard during transaction authorization.
4 Monitoring: Technology advancement requirements
There are likely to be more risk-based approaches in the new PCI DSS 4.0. Technology evolves rapidly, and companies are looking at pluggable options for their information systems, much like the PCI Software Security Framework. Adopting these solutions allows organizations to comply with the standard while deploying processes faster, without having to locate the technology within a specific control area.