How to prepare for the new PCI DSS 4.0 requirements [Q&A]

The Payment Card Industry Data Security Standard (PCI DSS) turns 20 next year and has remained largely unchanged during that time. But version 4.0, due to become mandatory from April 2024, will bring the standard bang up to date and usher in a number of big changes.

We spoke to Phil Robinson, principal consultant and QSA at Prism Infosec, to explore what's changing and how organizations can prepare to meet the new requirements.

BN: When was PCI DSS 4.0 released and what's the timeline for compliance?

PR: The latest version was released in March 2022, at which point some of the changes were brought in with immediate effect. But the majority of organizations have until 31 March 2024 to comply (and in some limited cases, March 2025). There are 63 changes in all in version 4.0, which will replace version 3.2.1. Up until the deadline, both versions will continue to co-exist in order to give organizations the time to plan for and meet the new requirements.

BN: What are the main changes under PCI DSS 4.0?

PR: PCI DSS has continually been updated over the years but version 4.0 is notable because it sees a much more radical overhaul. Rather than being compliance-oriented where the goal is to pass the annual assessment, the emphasis is on putting in place processes that are outcome-based and seek to establish compliance as part and parcel of daily operations. This is a major departure from how PCI DSS was complied with previously and it's a philosophy that permeates the entire standard.

There are four main changes. Firstly, the terminology has been updated to reflect modern processing environments, which we'll come back to. Secondly, access and authentication requirements have been expanded with regard to the implementation of multi-factor authentication (MFA) now required across all accounts in the Cardholder Environment (CDE) and passwords. The latter sees PCI DSS brought into line with the NIST Digital Identity Guidelines, which require passwords to have a minimum of 12 characters and to be changed annually or in the event of their compromise.

Thirdly, PCI DSS is now more flexible about how the organization chooses to comply. There are two approaches: defined or customized, which need not be mutually exclusive as it's possible to use a combination of the two. The defined approach sees the organization follow the designated procedure but those opting for the customized approach can decide on the method of compliance that suits the business provided they meet the necessary outcomes, although an Internal Security Assessor (ISA) or a Qualified Security Assessor (QSA) will need to sign off the customized design. The customized approach will replace the need to provide compensating controls which those with atypical environments had to use before.

The last big change concerns how frequently controls should be reviewed. This will now be a risk-driven process, so if the risk is deemed low the organization may decide not to follow the advice to the letter with regard to updating passwords, for instance, provided it can demonstrate it has assessed the security of those accounts. Organizations are also free to devise their own authentication mechanisms to meet the requirements.

BN: How important are the new requirements and do they better accommodate the way businesses transact?

PR: The way in which we purchase has changed drastically over the past two decades. We've seen the introduction of Chip and PIN, payment processing engines such as PayPal and now mobile payment wallets and the IoT. Similarly, back office processes have also changed to allow payments to be faster and smoother, with many now processing in the cloud.

PCI DSS v4.0 recognises the way in which businesses transact has changed. It has amended the terminology accordingly to accommodate distributed network environments and the new control mechanisms associated with these, such as those being introduced under Zero Trust Network Architecture (ZTNA). In this respect, the PCI SSC has effectively future-proofed the standard, allowing for up-and-coming security architectures and controls.

BN: What do service providers and merchants need to do to set about becoming compliant?

PR: PCI DSS applies to any company that processes, transmits or stores cardholder data, be that a service provider, or a high street retailer or online merchant. All such entities need to look at the applicable PCI DSS requirements, understand their route to compliance (whether they need to self-certify or engage an assessor) and carry out a gap analysis.

They'll then need to look at which changes should take priority and there are some really useful insights here from the PCI SSC's Prioritized Approach. This provides a six-step process and guidance on the order in which the requirements should be tackled. It's easy to see that some of the changes will take longer to enact than others, so priorities for most will probably include encryption, building in controls to mitigate phishing attacks and any new access and authentication processes.

A key area to address will be Requirement 11. The Verizon Payment Security Report 2022 found the biggest control gaps were to be found here with respect to penetration testing, running internal and external scans on a quarterly basis, internal vulnerability scans, and inspecting firewall and router configurations.

Project planning the changes that need to happen before we get near the compliance deadline is therefore crucial but the organization also needs to get into the mindset of being 'audit ready'. Observing the controls on a daily basis will demonstrate that it is following the principles of the regulation by making compliance business as usual (BAU) and not just paying lip service.

BN: In your view, will the changes boost PCI DSS compliance going forward?

PR: Maintaining compliance has been an issue in the past because these are understandably stringent requirements. We saw three years of a decline in compliance culminating in a low of only 28 percent of organizations maintaining full compliance in 2019, according to the Verizon report. However, by 2020 this had been turned around, increasing to 43 percent due to better security management and governance and more widespread use of compensating controls.

Now that those compensating controls will be replaced by the customized approach and greater flexibility and more autonomy, with the outcome rather than the means of achieving it deemed the most important, we can expect full compliance rates to increase still further.


© 1998-2024 BetaNews, Inc. All Rights Reserved.