By Craig Moores, SureCloud’s Risk Advisory Practice Director
Compliance professionals around the world are eagerly awaiting more information about the PCI Security Standards Council’s updates to PCI DSS, version 4.0, following the release of its draft for comment in October 2019.
Whilst the 12 high-level requirements are expected to remain largely the same, sub-requirements have been reviewed and re-focused on the security objective or “intent” of each requirement and result in outcome-based statements. The benefit? Organisations can follow a structured approach to demonstrating how their security controls meet the required intent.
The final version of the DSS is expected to focus on addressing the evolving threats to the payment ecosystem, how these threats have changed over time and advancements in technologies, such as next-generation network and endpoint detection – thus far, these appear to have been considered within the draft.
So, what does all this mean for businesses that need to be compliant?
Keeping abreast of the evolving threat landscape and understanding new technologies are longstanding business challenges which PCI DSS 4.0 is really foregrounding. Greater flexibility and a shift to focusing on intent rather than providing rigid instructions for each security control is a positive move – but one which requires organisations to have a thorough knowledge of the threat landscape and the potential impact of different security controls and processes to their environment.
Organisations must evolve their compliance programmes to accommodate new changes in the DSS and need to ensure that these are integrated and embedded in business processes, rather than disjointed and discrete activities for compliance sake.
However, PCI DSS 4.0 also offers the opportunity to build increased security and risk awareness in order to gain a better understanding of the security posture of their business operations, including how these support the overall business objectives, and to implement security controls which form a more effective security culture.
So far, there has been little information released by the PCI SSC in terms of timelines, with the only communicated dates relating to RFC and a public release anticipated December 2020.