The long-awaited latest iteration of the Payment Card Industry (PCI) Data Security Standard (DSS) is here!
What is PCI DSS?
The Payment Card Industry Data Security Standard (PCI DSS) is a contractual requirement, enforced by the card brands and acquiring banks, for any organization that stores, processes or transmits payment card data. It is a governing standard designed to reduce payment card fraud by mandating a baseline set of security controls.
PCI DSS provides an important baseline that establishes clear technical and governance structures, and it increases customer confidence that organizations are protecting their credit and debit card data. Above all, it aims to reduce both the likelihood and the potential cost of a data breach.
What are the key changes from PCI DSS 3.2.1 to PCI DSS 4.0?
Published on 31 March 2022, version 4.0 of the PCI DSS contains several critical (and exciting!) changes from its predecessor (DSS v3.2.1, released in May 2018).
Key changes as highlighted in the PCI DSS v4.0 at a Glance document can be summarised as follows:
Organizations must meet the evolving security needs of the payments industry
Organizations must continue to iterate and improve their security practices in response to the emerging and developing threat landscape.
Some examples of increased security practices within version 4.0 of the DSS include:
- Expanded multi-factor authentication (MFA) requirements, so that MFA covers all access into the cardholder data environment rather than only administrative and remote access.
- Updated password requirements (the minimum length rises from 7 to 12 characters, and the 90-day forced rotation can be dropped where the security posture of accounts is dynamically analysed instead).
- New e-commerce and phishing requirements to address ongoing threats (such as Magecart-type payment-page skimming attacks).
Promote security as a continuous process
Since the release of DSS v3.2, organizations have been expected to embed security practices within business-as-usual activities, so that security is a cultural consideration and not a ‘tick box’ annual exercise. As with all compliance programs, it is important that activities are proactive in reducing risk, as opposed to the typically reactive nature of security compliance programs.
As we’ve seen throughout the recent pandemic and the upsurge in consumer card and e-commerce fraud, criminals never sleep, and making sure compliance is embedded into an organization’s daily activities (and not simply a once-a-year activity) is crucial to protecting payment data.
Some examples of a more continuous approach within version 4.0 of the DSS include:
- Clearly assigned roles and responsibilities for each DSS requirement.
- Added guidance to help people better understand how to implement and maintain security.
- An option to add further clarification in the reporting template to highlight areas for improvement and provide more transparency for report reviewers.
Increase flexibility for organizations using different methods to achieve security objectives
It is not uncommon when consulting with or assessing organizations for PCI DSS compliance to uncover requirements implemented for the sole purpose of achieving or maintaining DSS compliance. SureCloud’s QSA team often hears statements such as “the control is only there because that’s what the PCI DSS says.” It should be no surprise that such organizations frequently struggle to implement and maintain such controls appropriately.
By adopting more of a risk-based approach and increasing the flexibility for organizations to secure their environments with controls designed around their business, based on the specific threats they face, merchants and service providers have more options to meet a DSS requirement’s security objective. Of course, such flexibility also supports payment technology innovation.
Some examples of increased flexibility within version 4.0 of the DSS include:
- Group, shared, and generic accounts are permitted by exception only: there must be a documented business justification, management approval, and a way to confirm which individual used the account at any given time.
- Targeted risk analysis empowers organizations to set the frequency of certain activities (for example, how often a periodic control is performed) based on their own assessment of risk, and to document the rationale.
- A ‘customized’ approach to implementing and validating PCI DSS requirements, providing another option for organizations using innovative or tailored methods to achieve a requirement’s stated security objective.
Enhanced validation methods and procedures
Many organizations have struggled with PCI DSS validation efforts, often because of the disparate assessment and reporting tools employed across self-assessing and externally-audited entities. This position is improved through adapted validation and reporting options designed to support transparency and granularity for all merchants and service providers.
For example, the new validation tools will increase alignment between the information reported in a Report on Compliance or Self-Assessment Questionnaire and the information summarized in an Attestation of Compliance, which will help organizations maintain visibility of, and monitor, their compliance activities.
Transition period
As with any major release of a standard, DSS v3.2.1 will have a two-year sunset period to give organizations time to undertake any necessary control changes and transition to PCI DSS v4.0. Version 3.2.1 is retired on 31 March 2024, after which all assessments must be against v4.0.
Source: PCI DSS v4.0 at a Glance
Implementation of new requirements
In addition to the transition period outlined above, organizations will have a further year to implement the new requirements that DSS v4.0 initially identifies as best practice (the ‘future-dated’ requirements). After 31 March 2025, these requirements become effective and must be fully assessed as part of a DSS assessment; until then, they should be treated as a roadmap rather than ignored.
What about your QSA?
QSAs will be required to undertake additional training to demonstrate their understanding of the new requirements and how they should be implemented.
Differences of opinion on the implementation of PCI DSS requirements have been a long-standing issue within the QSA community. The newly structured ‘security objective’ stated for each DSS requirement aims to drive a better relationship between organizations and their QSA: QSAs will need to understand the intricacies of an organization’s CDE in order to assess whether a customized implementation achieves and maintains that objective.
What steps can I take to streamline compliance activities?
As mentioned above, it is important for organizations to align and streamline their approach to achieving and maintaining compliance, and PCI DSS is no different. With the changes introduced in v4.0 of the DSS, organizations can benefit from a more risk-based approach that lets them target controls at the threats they actually face and maximise the cost-effectiveness of their compliance program.
Some helpful tips include:
1. Set the right foundations
The release of v4.0 brings with it an excellent opportunity to ensure the scope of your cardholder data environment (CDE) is accurate and well-defined: confirm where cardholder data is stored, processed and transmitted, and which connected systems can affect its security. With some significant changes in the management of PCI DSS compliance, it is also a good opportunity to consider engaging a QSA for independent validation and support in understanding your transition path.
2. Keep abreast of changes
Now that the new version of the DSS is available, make sure you review it and keep apprised of further clarifications that are likely to come. It also serves as a great opportunity to increase awareness of compliance changes with business stakeholders so that you can plan efficiently and assign relevant budgets.
3. Update and/or align your compliance program!
PCI DSS mustn’t be a ‘bolt-on’ to your existing compliance program; it should be an embedded part of your overall compliance program and managed in a simple, cost-effective, and sustainable way. Review the detailed ‘Summary of Changes’ document (linked below) and assess the impact of any changed or new v4.0 requirements on your CDE, noting which are effective immediately and which are future-dated.
Where can I find out more?
You can find more information about the release within the PCI SSC’s PCI DSS v4.0 Resource Hub.
For those more familiar with the DSS, one of the key resources is the PCI SSC’s Summary of Changes document, which contains a detailed explanation of the changes from PCI DSS v3.2.1 to v4.0.