The PCI Security Standards Council recently announced that planning has begun on the fourth major version of the PCI DSS. Here’s what you need to know about this next iteration of the standard.
What is the PCI DSS?
The PCI DSS is a minimum set of requirements designed to help organisations protect customer cardholder data, minimise fraud, and prevent, detect and mitigate cyber-attacks and breaches.
All organisations that accept and/or process credit card payments are required to undertake an annual PCI DSS audit of security controls and processes, covering areas of data security such as retention, encryption, physical security, authentication and access management.
Version 3.2 of the PCI DSS was introduced in 2016. A minor update, version 3.2.1, has been in effect since 2018.
PCI DSS 4.0: why is an updated standard needed?
Since version 3.2 of the PCI DSS was introduced, the technology used by organisations to accept and process card payments has evolved rapidly. During this same period, we’ve also witnessed huge advancements in the capabilities of cybercriminals, with new threats emerging to exploit weaknesses within payment systems and processes. PCI DSS 4.0 will help organisations to ensure data security controls remain effective in a shifting landscape.
Developments around contactless payments, including those processed by merchants using commercial off-the-shelf (COTS) mobile phones and tablets, are a key example of a recent advancement that is creating new security risks.
Rising cloud adoption, new software development practices, and an increasing dependency on third parties in the payment process are also trends to which the PCI DSS has to adapt in order to avoid becoming outdated. The need for third-party security assurance in the payments industry is particularly important given the rise of Open Banking, driven in Europe by a revision to the Payment Services Directive (PSD2), which may see new payment methods being established.
How will PCI 4.0 differ from 3.2?
The 12 PCI DSS requirements outlined in version 3.2 are not expected to change fundamentally with the introduction of PCI DSS 4.0. Most likely, however, the new version of the standard will introduce a number of updates and supplementary requirements.
Feedback to inform changes to the PCI DSS is currently being sought by the PCI Council through its Request for Comments (RFC) process, with the next RFC period expected to open during the second half of 2019.
Areas likely to be updated in PCI DSS 4.0 include:
There may be changes to reflect the latest NIST password and multi-factor authentication guidance.
There are likely to be broader requirements for encrypting cardholder data on trusted networks.
The requirement to monitor the cardholder data environment may be updated to reflect advancements in technology, such as the availability of next-gen network and endpoint detection tools.
Critical controls may need to be assessed more frequently, with additional requirements from the Designated Entities Supplemental Validation likely to be mandated as regular PCI DSS requirements.
When will PCI DSS 4.0 come into effect?
PCI DSS 4.0 is not expected to be ready until late 2020. In the meantime, the PCI Council is likely to publish updates to several existing standards. These include guidance around Point-to-Point Encryption and PIN Transaction Security Point-of-Interaction (PTS POI) standards and a new Annex for the Software-based PIN-entry on COTS (SPOC) standard.
Three new PCI DSS standards are expected to be published by the end of the year. A new security standard for software development was published in January, with requirements relating to commercial off-the-shelf (COTS) devices and contactless mobile payments set to follow soon.
PCI DSS compliance solutions from Redscan
As a provider of managed security services, Redscan is experienced in helping businesses meet the evolving requirements of the PCI DSS. Our specialist team of security consultants and ethical hackers delivers a wide range of PCI DSS services, including: