What to Expect from PCI DSS V4.0 and Beyond
By Craig Moores, SureCloud’s Risk Advisory Practice Director
Following the release of the Payment Card Industry (PCI) Security Standards Council’s draft for comment on its Data Security Standard (DSS), version 4.0 (PCI DSS V4.0) in October 2019, compliance professionals around the world are eagerly awaiting more information
The most common questions we’re getting on PCI DSS V4.0 are:
- What key changes are coming?
- What is the planned timeline?
- How can organisations best navigate those changes?
Key takeaways from the PCI DSS v4.0 draft
Flexibility
Whilst the 12 high-level requirements of PCI DSS are expected to remain largely the same, sub-requirements have been reviewed and re-focused on the security objective or “intent” of each requirement and result in outcome-based statements. The benefit? Organisations can follow a structured approach to demonstrating how their security controls meet the required intent.
Security
The final version of the PCI DSS is expected to focus on addressing the evolving threats to the payment ecosystem, how these threats have changed over time and advancements in technologies, such as next-generation network and endpoint detection – thus far, these appear to have been considered within the draft.
General
- Plenty of updated terminology.
- Changes to the organisation and structure of sub-requirements to provide a more logical approach.
- More closely aligned with NIST which creates more flexibility within the Standard to help organisations to embed security practices.
Challenges and Opportunities
So, what does all this mean for businesses that need to be compliant?
Keeping abreast of the evolving threat landscape and understanding new technologies are longstanding business challenges which PCI DSS 4.0 is really foregrounding. Greater flexibility and a shift to focusing on intent rather than providing rigid instructions for each security control is a positive move – but one which requires organisations to have a thorough knowledge of the threat landscape and the potential impact of different security controls and processes to their environment.
Organisations must evolve their compliance programmes to accommodate new changes in the PCI DSS and need to ensure that these are integrated and embedded in business processes, rather than disjointed and discrete activities for compliance sake.
However, PCI DSS 4.0 also offers the opportunity to build increased security and risk awareness in order to gain a better understanding of the security posture of their business operations, including how these support the overall business objectives, and to implement security controls which form a more effective security culture.
Where do we go from here?
So far, there has been little information released by the PCI SSC in terms of timelines, with the only communicated dates relating to RFC and a public release anticipated December 2020.
SureCloud’s 3 key tips for organisations:
- Watch out for initial releases of the new version of the PCI DSS, remembering that the responsibility for managing and maintaining PCI compliance sits with the merchant or service provider. The earlier businesses can prepare for change, the better.
- Ensure that the scope of the cardholder data environment is accurate; this is the foundation for obtaining and maintaining PCI compliance. Over time, business objectives change and it can be easy to omit systems and services from the scope. Changes to PCI DSS are a great opportunity to review the scope of the CDE and ensure that all those systems that store, process or transmit cardholder data, or can impact on the security of the CDE, are included and compliance requirements are clearly defined.
- Assess the impact of any changes in requirements that affect your CDE and how these impact your individual compliance position. From there, businesses can proactively update their compliance programmes – with the help of third parties like SureCloud of course! Remember, with a focus on embedding security, PCI compliance can be affected by the smallest of changes in the requirements applicable to the scope of your CDE.
