Decoding the evolving world of the Payment Card Industry Data Security Standard (PCI DSS 4.0)

Appreciating the Present by looking back in Time

Much has changed since the first release of the Payment Card Industry Data Security Standard (PCI DSS) in December 2004 by the PCI Security Standards Council (PCI SSC), backed by its five founding members: American Express, Discover Financial Services, JCB International, Mastercard and Visa.

The standard has since evolved with the times, moving through versions 2.0 and 3.0 up to v3.2.1. We’ve also seen UnionPay join PCI SSC as a Strategic Member in November 2020.

New Kid on the Block

I can still recall the goosebumps I felt when Thanos was about to snap his fingers to wipe out 50% of the entire population while saying “I am inevitable” only to be countered with the words “and I am Iron Man.”

Similarly, in the world we live in today, change is also inevitable. With a constantly and rapidly changing technological environment and threat landscape, it is of utmost importance that counter-measures and security frameworks keep pace. This is why PCI DSS 4.0 was issued by the PCI SSC on 31 March 2022. While PCI DSS v4.0 is obviously not Iron Man, it has paved the way to a new and improved data security standard meant to be more relevant to current times.

What Happens Now?

With v4.0 now live, does it mean goodbye to v3.2.1? Not so fast!

As change is not always easy, PCI SSC has laid out a transition timeline (see link below) to manage it. At the moment, two versions of PCI DSS are live: v3.2.1 and v4.0. v3.2.1 will be retired on 31 March 2024. It is also worth noting that the future-dated requirements in PCI DSS v4.0 will stop being “best practice” and become full-fledged requirements after 31 March 2025.

What’s New?

There are many changes in v4.0, ranging from total overhauls to quality-of-life changes and even minor corrections and formatting. PCI SSC has provided a detailed summary of these changes for those who’d like to see the full change log (see link below).

Here are the key changes that I feel could have a significant impact on how assessments are done (whether by a QSA or an ISA) and on how compliance can be achieved in general:

1. Customized Approach – For context, all the default PCI DSS requirements are considered “Defined Approach.” Version 4.0 now allows the entity to define their own “Customized Approach” as an alternative to this. As defined in Appendix D of the ROC “this approach is intended for entities that decide to meet a PCI DSS requirement’s stated Customized Approach Objective in a way that does not strictly follow the defined requirement. The customized approach allows an entity to take a strategic approach to meeting a requirement’s Customized Approach Objective, so it can determine and design the security controls needed to meet the objective in a manner unique for that organization.”

It means that entities in more mature environments can define their own approach to addressing certain PCI requirements. However, it is worth noting that this is a more tedious path for both the assessed entity and the assessor. At a minimum, each customized control requires the following:

a. The entity implementing a customized approach must:

  • Document and maintain evidence of the control’s effectiveness in the Controls Matrix (Appendix E1 of PCI DSS 4.0)
  • Perform and document a targeted risk analysis in the Targeted Risk Analysis Template (Appendix E2 of PCI DSS 4.0)

b. The assessor performing an assessment of customized controls must:

  • Review the controls matrix(es), targeted risk analysis and evidence of control effectiveness
  • Derive and document the appropriate testing procedures needed to conduct thorough testing of each customized control

2. Partial Assessment – Aside from “Full Assessment”, we can now also indicate “Partial Assessment” under Section 1.7 Overall Assessment Result of the ROC. This is applicable when “one or more requirements have not been assessed and were therefore marked as Not Tested.”

This information in the ROC gives the readers of the report more transparency and makes clear which areas the assessor did not provide an opinion of compliance on.

3. In Place with Remediation – This is a new option in the list of possible assessment findings. It means that the requirement was Not in Place at some point during the entity’s PCI DSS assessment period, but the entity remediated the issue such that the requirement was In Place before completion of the assessment.

This new assessment finding gives more context to an assessed entity’s compliance status. It allows the readers of the report to make more informed decisions, taking into account the nature of the compliance status.

Remote Assessments

In addition to the above, there is one more I want to highlight for v4.0.

COVID-19 caused chaos all around the world and forced a major shift from on-site work to work from home. PCI assessments were not spared from this, and the council released an Addendum for ROC/ROV on Remote Assessments to provide transparency on the remote work done and its results. This can now be found in section 1.3 Remote Assessment Activities of v4.0.

Braving 2022 and Beyond

Change is always constant and as Cybersecurity Professionals, it is our duty to keep abreast of everything new within our field.

With several cybersecurity best-practice frameworks now available, it is also imperative that the payment card industry data security standard shares the common goal of enhancing data-centric security in line with other well-recognized cybersecurity frameworks such as NIST CSF and ISO 27001. For the previous iteration of the standard, v3.2.1, PCI SSC developed a mapping document between PCI DSS and NIST to help stakeholders understand how to align security efforts to meet both frameworks. It may not be long before a similar document is available for v4.0.

Lastly, working with the right partner or assessor, one that is knowledgeable, experienced and pragmatic, is one of the key factors in an organization’s cybersecurity program.

#Datasecurity #Cybersecurity #Securitybydesign #Dataprotection #Paymentsecurity #PCIDSS #NTTAPAC

Public References

PCI SSC Document Library:

Transition Timeline:

Summary of Changes:

PCI DSS Mapping to NIST:
