Excited about PCI DSS 4.0?
We Are—Here’s Why
After what feels like a long time coming (in fact, PKWARE first blogged about this in January 2020), PCI DSS 4.0 is now slated for release in Q1 of 2022. The final drafts have been completed, and the PCI SSC (PCI Security Standards Council) is currently working on supporting documents. While 4.0 is expected to go live in early 2022, the current PCI DSS 3.2.1 will not be retired until Q1 of 2024 (Figure 1). This gives companies plenty of time to finish off any existing ROCs while also providing additional time to become compliant with the new 4.0 standard.
Figure 1: PCI DSS Transition Timeline. Source: https://blog.pcisecuritystandards.org/updated-pci-dss-v4.0-timeline
What We Know Is Coming
When PCI DSS 4.0 is officially released, it’s expected to differ from the current PCI DSS version 3.2.1 in a few key ways. One of the biggest changes is that PCI DSS is giving more leeway in regard to “how” an organization can become compliant.
PCI DSS 3.2.1 and its predecessors included not only a series of objectives (e.g., protect cardholder data), but also very specific requirements that dictate exactly how companies must achieve those objectives. In other words, the standard is extremely prescriptive. Should a business be unable to follow these prescriptive steps to compliance, it must implement a compensating control; this can often be an extremely time-consuming and costly procedure that requires an organization to go well above and beyond the intent of the primary control itself.
PCI DSS 4.0 does keep the existing prescriptive method for compliance, should an organization want to continue with cookie-cutter security. However, 4.0 is replacing compensating controls with an alternate option: customized implementation.
Customized implementation takes into consideration the original intent of the objective and allows organizations to design their own security controls to meet it. Once an organization determines the security control for a system, network, or other object, it must provide full documentation to enable its PCI Qualified Security Assessor (QSA) to make a final decision on the effectiveness of the control. Should the QSA not accept the control or the documentation, the organization may then be asked to enhance it, alter it, or potentially go back to the prescriptive control requirement.
Another area that’s expected to change will be around the use of cloud and serverless computing. The core controls of the current version 3.2.1 were not designed for modern IT environments that often leverage multi-cloud, on-premises, and vendor networks. Version 4.0 will introduce an updated set of requirements and approaches to securing cloud and serverless workloads.
Organizations can also expect new control requirements, such as an expansion of cardholder data encryption to any transmission, including within trusted networks. There is also likely to be a control requirement update regarding multifactor authentication and logins. Given the tremendous technological advancement in this area, the PCI SSC will likely want to see these technologies in use.
Why These Changes Are Important (and Exciting!)
The twelve foundational requirements and list of controls included in PCI DSS 3.2.1 will still be a part of 4.0. But the addition of the customized implementation option introduces new flexibility for companies to use a broader range of methods and technologies to achieve each PCI objective. And, ultimately, organizations might find a more cost-effective or simpler way to comply. Another potential perk of the ability to build in “unique” controls is added confidence against attacks designed specifically to outmaneuver the prescriptive controls that the PCI SSC publishes publicly.
In addition to this, organizations that take their data security seriously will be more open to creating unique ways and methods to protect their Cardholder Data Environments (CDEs). Organizations can start incorporating solutions such as PK Discovery to help keep an eye on and control the scope of their CDE so they are always aware of where payment card data resides.
Going beyond that, companies could also choose to begin leveraging element-level encryption with technology like PK Protect. PKWARE’s proprietary data security solution not only works in databases, but throughout the data’s lifecycle: whether that data is in an Excel spreadsheet, an email, or a Word file, it will always be protected.
These types of controls, while not technically prescribed by the DSS, can only help an organization’s PCI QSA during the assessment. As any PCI professional knows, it’s important to build trust and credibility with your QSA. Having reports and technology that make the QSA’s job easier and faster will not only save your organization time and money, it will also give the QSA assurance that your teams are doing everything they can to keep security front of mind.
Get Creative with PCI DSS 4.0 and PKWARE
New controls and regulations often seem daunting. However, this time around, I think we can all take some relief in that while there will be more controls, there will also be more freedom in how we achieve those controls. So get creative! I am already looking forward to seeing the first few ROCs published under the new PCI DSS version 4.0.