When attendees of the 2019 PCI North America Community Meeting weren't distracted by the beautiful views of Vancouver Harbour, all of the buzz was about PCI DSS 4.0.
Note: the PCI Security Standards Council released more information about the draft standard in October 2019 during a request for comments (RFC) period.
According to Emma Sutcliffe, Global Head of Standards at PCI, “The draft of PCI DSS v4.0 addresses feedback received during the 2017 RFC and reflects changes in payment environments and security technologies. The updates made to the standard focus on strengthening security and adding flexibility.”
PCI participants can expect the 12 core requirements of PCI DSS to remain intact and relatively unchanged; however, several new requirements will be introduced to further reinforce payment card security as a continuous process. We also learned that PCI DSS requirements will be redesigned with flexibility in mind, focusing on security objectives and allowing organizations to use varying approved methodologies to meet the intent of the requirements. Sutcliffe expanded on the redesign of the requirements around security objectives, stating that "with PCI 4.0, the Council is evolving the PCI DSS to support a range of evolving payment environments, technologies, and methodologies for achieving security. The requirements will be written as outcome-based statements, focused on the implementation of security control as the end result."
While traditional methods for validating PCI DSS compliance will remain intact in PCI DSS 4.0, the new "customized validation" option will offer organizations additional flexibility in demonstrating that they meet the security intent of each PCI DSS requirement. To some PCI veterans, this may sound like a fancy new term for compensating controls; that is neither entirely correct nor entirely incorrect. Compensating controls have historically required a documented business or technical justification explaining why a given PCI DSS requirement could not be met as written. Because the PCI DSS requirements are being redesigned to be outcome-based, no such justification will be required of entities that meet one or more requirements through customized validation. As a result of this shift, compensating controls will be removed from the draft version of the 4.0 standard released for the October RFC. The Council will also make a sample reporting template for customized validation available during the RFC.
PCI DSS 4.0 may offer more flexibility, but organizations should not expect a decline in the amount of work required to demonstrate compliance. With new requirements around PCI DSS scope verification, password management and risk assessment, and a stronger emphasis on third-party risk (according to a recent Gartner study, 83% of organizations identified key risks with their third-party providers only after conducting due diligence), 4.0 will no doubt be the most rigorous security standard issued by the PCI Security Standards Council yet.
If your organization is still relying on spreadsheets, email, and file share systems to coordinate PCI-related efforts, it might be time to see how SureCloud can help you achieve PCI compliance in a fraction of the time and effort spent today.
SureCloud is a provider of cloud-based, Integrated Risk Management products, which reinvent the way organisations manage risk. SureCloud’s products and services are underpinned by a highly configurable technology platform, which is simple, intuitive and flexible. Unlike other GRC Platform providers, SureCloud is adaptable enough to support existing business processes without forcing organisations to engage in costly business change programmes. SureCloud has been recognised in the 2019 Gartner Magic Quadrant for Integrated Risk Management Solutions.