Vector
Vector

Choose your topics

Blogs
The GRC Trends to Look Out for in 2024

Our GRC experts at SureCloud share their 2024 predictions for the world of governance, risk and compliance.

GRC
Blogs
The Top 5 Challenges of Third-Party Risk Management

With the supply chain now seen as a legitimate attack path, what can your organization do? Let’s explore 5 challenges of TPRM and how to overcome them.

Third-Party Risk Management GRC
Blogs
What is Third-Party Risk Management?

What is third-party risk management and how should you approach it? Find out in this post.

Third-Party Risk Management GRC
Blogs
The Top 4 Challenges of Risk Management

What are the top four challenges of risk management today and how can you overcome them? Find out in this post from SureCloud.

Third-Party Risk Management GRC
Blogs
Transform Compliance into Your Competitive Advantage

In GRC, compliance is often viewed as a cost that makes it harder to pursue growth. Here's how to make it your competitive advantage.

Compliance Management GRC
Blogs
Questions You Should Ask when Preparing For Your First Pen Test

Understand the processes that you and your chosen pentest provider will travel through for your first pen test, from the initial point to the day the test starts.

Penetration Testing
Blogs
TPRM Blog 6-Writing Clear Questions

Our GRC Practice Director explores the importance of clear communication and how to achieve it in your third party questionnaires. Read more here.

Third-Party Risk Management GRC
Blogs
The Simple Way to Combat Phishing

SureCloud Cybersecurity Practice Director Luke Potter shares his tip to stay ahead of attackers phishing for your downfall.

Penetration Testing
Blogs
See Yourself in Cyber With Janhavi Deshpande

See Yourself in Cyber With Janhavi Deshpande - SureCloud

Cyber Security
Vector (7)
Vector-1
Compliance Management, Cyber Security

What to Expect from PCI DSS V4.0 and Beyond

What to Expect from PCI DSS V4.0 and Beyond
Written by

Craig Moores

Published on

30 Oct 2020

What to Expect from PCI DSS V4.0 and Beyond

 
 

Following the release of the Payment Card Industry (PCI) Security Standards Council’s draft for comment on its Data Security Standard (DSS), version 4.0 (PCI DSS V4.0) in October 2019, compliance professionals around the world are eagerly awaiting more information

 

The most common questions we’re getting on PCI DSS V4.0 are:

  • What key changes are coming?
  • What is the planned timeline?
  • How can organisations best navigate those changes?

 

Key takeaways from the PCI DSS v4.0 draft

 

Flexibility

Whilst the 12 high-level requirements of PCI DSS are expected to remain largely the same, sub-requirements have been reviewed and re-focused on the security objective or “intent” of each requirement and result in outcome-based statements. The benefit? Organisations can follow a structured approach to demonstrating how their security controls meet the required intent.

Security

The final version of the PCI DSS is expected to focus on addressing the evolving threats to the payment ecosystem, how these threats have changed over time and advancements in technologies, such as next-generation network and endpoint detection – thus far, these appear to have been considered within the draft.

General

  • Plenty of updated terminology.
  • Changes to the organisation and structure of sub-requirements to provide a more logical approach.
  • More closely aligned with NIST which creates more flexibility within the Standard to help organisations to embed security practices.

 

Challenges and Opportunities

So, what does all this mean for businesses that need to be compliant?

Keeping abreast of the evolving threat landscape and understanding new technologies are longstanding business challenges which PCI DSS 4.0 is really foregrounding. Greater flexibility and a shift to focusing on intent rather than providing rigid instructions for each security control is a positive move – but one which requires organisations to have a thorough knowledge of the threat landscape and the potential impact of different security controls and processes to their environment.

Organisations must evolve their compliance programmes to accommodate new changes in the PCI DSS and need to ensure that these are integrated and embedded in business processes, rather than disjointed and discrete activities for compliance sake.

However, PCI DSS 4.0 also offers the opportunity to build increased security and risk awareness in order to gain a better understanding of the security posture of their business operations, including how these support the overall business objectives, and to implement security controls which form a more effective security culture.

 

Where do we go from here?

So far, there has been little information released by the PCI SSC in terms of timelines, with the only communicated dates relating to RFC and a public release anticipated December 2020.

 

SureCloud’s 3 key tips for organisations:

  1. Watch out for initial releases of the new version of the PCI DSS, remembering that the responsibility for managing and maintaining PCI compliance sits with the merchant or service provider. The earlier businesses can prepare for change, the better.

 

  1. Ensure that the scope of the cardholder data environment is accurate; this is the foundation for obtaining and maintaining PCI compliance. Over time, business objectives change and it can be easy to omit systems and services from the scope. Changes to PCI DSS are a great opportunity to review the scope of the CDE and ensure that all those systems that store, process or transmit cardholder data, or can impact on the security of the CDE, are included and compliance requirements are clearly defined.

 

  1. Assess the impact of any changes in requirements that affect your CDE and how these impact your individual compliance position. From there, businesses can proactively update their compliance programmes – with the help of third parties like SureCloud of course! Remember, with a focus on embedding security, PCI compliance can be affected by the smallest of changes in the requirements applicable to the scope of your CDE.

I’ll be giving my thoughts on how organisations can achieve a PCI programme that’s aligned to their business objectives at PCI London, or you can watch a more in-depth analysis on SureCloud’s webinar channel.– We hope to “see” you there!