The fourth version of the PCI DSS is due to be released in mid-2021. Here’s what you need to know about this next iteration of the standard.
What is the PCI DSS?
The PCI DSS is a minimum set of requirements designed to help organisations protect customer cardholder data, minimise fraud, and prevent, detect and respond to cyber-attacks.
All organisations that accept and/or process credit card payments are required to undertake an annual PCI DSS audit of security controls and processes, covering areas of data security such as retention, encryption, physical security, authentication and access management.
Version 3.2 of the PCI DSS was introduced in 2016. A minor update, version 3.2.1, has been in effect since May 2018.
PCI DSS 4.0: why is an updated standard needed?
Since version 3.2 of the PCI DSS was introduced, the technology used by organisations to accept and process card payments has evolved rapidly. During this same period, we’ve also witnessed huge advancements in the capabilities of cybercriminals, with new threats emerging to exploit weaknesses within payment systems and processes. PCI DSS 4.0 will help organisations to ensure data security controls remain effective in a shifting landscape.
Contactless payments, including those processed by merchants using commercial off-the-shelf (COTS) mobile phones and tablets, are a key recent advancement that is creating new security risks. Rising cloud adoption, new software development practices, and an increasing dependency on third parties in the payment process are also trends that the PCI DSS has to adapt to in order to avoid becoming outdated.
The need for third-party security assurance in the payments industry is particularly important given the rise of Open Banking, being driven in Europe by the Payment Services Directive (PSD2).
COVID-19 has also created additional challenges for organisations, and these are likely to have an impact on the development of version 4.0 of the standard.
PCI compliance challenges
Despite growing cyber security risks, compliance with the Payment Card Industry Data Security Standard (PCI DSS) declined between 2017 and 2020, according to the Verizon Business 2020 Payment Security Report.
The report shows that, on average, only 27.9% of global organisations maintained full compliance with the PCI DSS – a decrease of more than 27% since a peak in 2016.
The Verizon report also states that only half of the assessed organisations successfully test security systems and processes, as well as unmonitored system access. It also highlights that just two-thirds effectively monitor access to business-critical systems, while only 71% of financial institutions maintain essential perimeter security controls.
Key objectives of PCI DSS 4.0
The core goals of the updated standard will be to:
• Continue to provide the critical foundation for securing payment data
• Promote security as an ongoing process
• Improve flexibility for organisations using a wide range of methods and technologies
How will PCI 4.0 differ from 3.2?
The 12 PCI DSS requirements outlined in version 3.2 are not expected to fundamentally change with the introduction of PCI DSS 4.0. It is most likely, however, that the new version of the standard will introduce a number of updates and supplementary requirements.
Feedback to inform changes to the PCI DSS was sought by the PCI Council through its Request for Comments (RFC) process, which is now complete. The council has stated that this process attracted the highest level of feedback it has ever received in relation to any standard or subject.
Areas likely to be updated in PCI DSS 4.0 include:
• There may be changes to reflect the latest NIST password and multi-factor authentication guidance.
• There are likely to be broader requirements for encrypting cardholder data on trusted networks.
• The requirement to monitor the cardholder data environment may be updated to reflect advancements in technology, such as the availability of next-gen network and endpoint detection tools.
• Critical controls may need to be assessed more frequently, with additional requirements from the Designated Entities Supplemental Validation likely to be mandated as regular PCI DSS requirements.
A ‘customised approach’ to PCI compliance
PCI DSS 4.0 will include a new concept: a “customised approach” to compliance. This is aimed at giving organisations more flexibility to outline their network security methods and how they comply with the PCI standard.
The new approach allows organisations with modern security methods to document and rewrite how their systems can be tested to make sure that they meet the latest requirements.
When will PCI DSS 4.0 come into effect?
PCI DSS 4.0 is not expected to be ready until mid-2021. In the meantime, the PCI Council has published updates to several existing standards. These include guidance around Point-to-Point Encryption and PIN Transaction Security Point-of-Interaction (PTS POI) standards and a new Annex for the Software-based PIN-entry on COTS (SPOC) standard.
Compliance with v4.0 will not be required until two years after its publication date. Once PCI DSS v4.0 is released, an extended transition period will allow organisations to move to the updated standard. In support of this, PCI DSS v3.2.1 will be active for 18 months after all PCI DSS v4.0 materials are released. When this transition period is complete, PCI DSS v3.2.1 will be retired and v4.0 will become the only active version.
Support with PCI compliance
Whether your organisation is working towards current compliance standards or hoping to prepare for upcoming ones, Redscan can help you to meet them.
Our specialist services supporting PCI DSS compliance include: