Payment Card Industry Data Security Standard (PCI DSS) v4.0
PCI DSS v3.2 officially retired on January 1, 2019, making version 3.2.1 effective going forward. If you are a PCI DSS merchant at Level 1, 2, 3 or 4, you will be affected by the new framework of compliance standards formally known as PCI DSS v4.0. Version 4.0 is expected to become effective in late calendar year 2020, paving the way for the retirement of version 3.2.1.
While the final draft of v4.0 has not been released, we do know some of the elements that will be addressed. The PCI Security Standards Council has identified the following high-level “goals” for v4.0:
· Ensure the standard continues to meet the security needs of the payments industry
· Add flexibility and support of additional methodologies to achieve security
· Promote security as a continuous process
· Enhance validation methods and procedures
Continuous compliance. Foremost, the expectation is that emphasis will be placed on continuous compliance. Organizations often view PCI DSS compliance as a once-per-year event tied to the required annual compliance audit. The Payment Card Industry Security Standards Council (PCI SSC) will likely require more frequent, demonstrated checks on compliance, with the organization demonstrating and documenting compliance throughout the PCI DSS calendar year. While this concept carries forward from PCI DSS v3.1, demonstrated compliance via documentation is expected to play a greater role.
Passwords and multi-factor authentication. In the recent past, the National Institute of Standards and Technology (NIST) has placed less focus on traditional user identification and passwords and greater emphasis on multi-factor authentication. While the requirement is already in place for administrative and remote access, the PCI SSC is looking to further security at the transaction level with EMV Three-Domain Secure (3DS). This is simply a mechanism for the consumer to securely and effectively authenticate with their card issuer at the transaction level, effectively creating multi-factor authentication. The PCI DSS business segment expected to be affected will be card-not-present e-commerce entities.
Outcome-based Requirements. Previously, the PCI DSS requirements have always looked at the method and mechanism of the implemented security controls. Looking forward, projections indicate a move to a process-based outcome model to achieve the required security outcome. Prescribed methods and mechanisms can miss the outcome in some organizations, given the rapid development of technology; consider the cloud. By focusing on the required outcome, the PCI SSC will effectively address each organization, allowing flexibility in deployment provided the required security control is met or exceeded. This flexibility may create a need for additional staff training or retained advisors to assure that compliance is still met.
PCI DSS v4.0 is not a released standard as yet, but it is well along the managed cycle toward deployment. It is advisable to obtain a copy of the v4.0 standard as soon as it is available. Understand how the standard applies to your organization and orchestrate the transition well in advance to ensure continuous compliance and maintain your ability to continue card-based transactions.
Brian Kunick, CISSP, HCISPP, ISSMP, CGEIT, CISM, MCSE, MCSA, Security+
Brian is a Managing Partner at Digital Assurance Advisors LLC (DAA). DAA specializes in all complexities of security, GRC and privacy within every size organization throughout the United States. DigAssurance.com