It has been almost a year since we first started hearing that the PCI Council is about to release version 4.0 of the PCI DSS standard. As a cybersecurity company, we have several clients who are curious about the upcoming release of PCI DSS v4.
The questions they generally ask are:
To address these key concerns, Manish Chaudhari, PCI QSA at Cybernetic Global Intelligence CISO, shares his insights on PCI DSS v4. Before we get to those, we would like to make you aware of a few facts.
- The first Request for Comments (RFC), which solicited feedback on PCI DSS v3.2, took place at the end of 2017.
- Two additional RFCs are planned to gather input before the final version is released. The period for one of these RFCs ended in November 2019.
- Based on the feedback received, there may be changes in the final release; the final release may differ substantially from the draft version.
- All Participating Organizations, Qualified Security Assessors (QSAs), and Approved Scanning Vendors (ASVs) were invited to participate. As a QSA company, we are under a non-disclosure agreement (NDA) and cannot share information from the initial draft outside our organization.
Below is an extract from the November 2019 Assessor Newsletter.
“Can I share information about PCI DSS v4.0 outside of my company?”
We have received several inquiries about whether POs, QSAs, and ASVs are permitted to share information externally about PCI DSS v4.0, and if so, what information can be shared with other organizations. We encourage PCI SSC stakeholders to help raise awareness in the payments industry around the planned update to PCI DSS; however, access to RFC content and participation in RFCs is a benefit reserved for PCI SSC stakeholders. It is permissible for your organization to share information about PCI DSS v4.0 based on publicly available information from the Council, which is available in PCI SSC FAQs, blogs, and PCI SSC presentations from Community Meetings and other PCI SSC public events.
The content of the RFC documents is strictly under NDA and cannot be shared, used, or quoted.
Hence, kindly note:
The information provided in this blog is Cybernetic Global Intelligence’s (CGI’s) opinion, based on the initial draft of PCI DSS v4. The final release may contain information beyond what is in the initial draft.
Changes in PCI DSS v4.0
According to the Council’s Global Head of Standards, Emma Sutcliffe, the 12 core requirements of the PCI DSS will remain fundamentally the same. However, several new requirements are being proposed and reviewed. These new requirements are intended to address evolving security threats to payment data, while at the same time allowing flexibility for how organizations choose to fight them.
Rather than focusing on how organizations meet standards, v4 will focus on the intended security outcome. Says Sutcliffe, “For many requirements, this is achieved by simply changing the language from stating what ‘must’ be implemented to what the resulting security outcome ‘is’.”
This means organizations can customize their approach to demonstrate compliance with the security intent of each PCI DSS requirement. The main goal is risk mitigation, and each organization has to decide which approach is best for it. Organizations no longer need to meet PCI standards word for word, so long as they can demonstrate that they meet the intent of the standard with a thorough, defense-in-depth approach.
Key high-level goals for PCI DSS v4.0 are:
- Ensure the standard continues to meet the security needs of the payments industry.
- Add flexibility and support for additional methodologies to achieve security.
- Promote security as a continuous process.
- Enhance validation methods and procedures.
The PCI SSC has highlighted the specific areas below for the industry:
- Authentication, specifically focused on NIST MFA/password guidance (NIST SP 800-63): The new PCI DSS 4.0 iteration may address in greater detail the use of the 3DS Core Security Standard during transaction authorization. The Council may also extend the multi-factor authentication requirement from administrators to all users with access to cardholder data. In Requirement 8 (password policy), the Council had recommended referring to NIST SP 800-63, and it may shed more light on this requirement. The Council may also change the requirement to reset passwords every 90 days.
- Broader applicability for encrypting cardholder data on trusted networks: As per PCI DSS v3.2.1, cardholder data must be encrypted when transmitted over public networks. Under v4, organizations will also have to encrypt cardholder data on trusted networks, i.e., the corporate network.
- Monitoring requirements to consider technology advancement.
- Greater testing frequency for critical controls; for example, incorporating some requirements from the Designated Entities Supplemental Validation (DESV) – PCI DSS Appendix A3 – into the regular PCI DSS requirements: The DESV requirements were usually reserved for companies that have experienced a breach. Many DESV requirements have already been incorporated into previous PCI DSS requirements, so the increased testing frequency for critical controls and the addition of further controls may make their way into this PCI DSS version.
The PCI Council has removed compensating controls from the draft version, as requirements are now based on security outcomes. Appendix A1 will also be updated to address the role of, and expectations for, cloud service providers.
When will PCI DSS 4.0 Come into Effect?
PCI DSS v4 is expected to be released by the end of 2020. However, the COVID-19 global pandemic may delay it further.
Need more clarifications?
Speak to our PCI DSS experts today!