PCI-DSS version 4.0, the latest version of the Payment Card Industry Data Security Standard (PCI DSS), is expected to be released in 2021. Like all versions of PCI DSS, 4.0 will be a comprehensive set of guidelines aimed at securing systems involved in the processing, storage, and transmission of credit card data.  But this version, projected to take effect in Q1 2024, will introduce more stringent IT security requirements, while at the same time permitting more flexibility to comply with them.

Key Changes of PCI Version 4.0

So, what are the key changes to expect? Here is an overview:

1. Flexibility - Customized Implementation to Meet the Intent of Security Controls

This is probably the biggest change with the release of PCI DSS 4.0 next year. The 12 requirements will be shifted to focus on four main security objectives:

• Ensure the standard continues to meet the security needs of the payments industry.
• Add flexibility and support of additional methodologies to achieve security.
• Promote security as a continuous process.
• Enhance validation methods and procedures.

With PCI DSS 4.0, organizations will be able to choose to perform the control as prescribed or opt for customized implementation. Using the Customized Approach as a compliance validation mode will present new benefits and considerations.  Customized implementation considers the intent of the objective and allows entities to design their own security controls to meet it.

Once organizations determine the security control for a given objective, they must provide full documentation to enable their Qualified Security Auditor (QSA) to make a final decision on the effectiveness of a control.  This introduces new flexibility for companies to use a broader range of methods and technologies to achieve each PCI objective. Ultimately, organizations might find a cheaper or simpler way to comply.

This new approach will take the place of compensating controls in the 4.0 standard. The PCI Council stated that “Unlike compensating controls, customized validation will not require a business or technical justification for meeting the requirements using alternative methods, as the requirements will now be outcome-based.”

2. Security - More Stringent Requirements

The ultimate goal of PCI DSS continues to be ensuring that all retailers safely and securely store, process, and transmit cardholder data. PCI DSS 4.0 will set the bar higher and build on the assurance of PCI DSS v3.2.1. In addition to restructuring many of the requirements, the Summary of Changes will likely include stronger security standards. Top management, including CISOs and CTOs, should prepare to adjust budgets in order to allocate capital and operational funds to implement the new requirements.

One area of expected change will be around the use of cloud and serverless computing. Version 4.0 will introduce an updated set of requirements and approaches to securing cloud and serverless workloads.

Companies can also expect new control requirements, such as an expansion of the encryption of cardholder data over any transmission, including within trusted networks. There is also likely to be a control requirement update around passwords/login access (i.e., an increase in the use of multi-factor authentication).

3. Authentication - Deeper Focus on Multi-Factor Authentication (MFA) / Password Guidance

MFA/Password Guidance moves to the forefront in this new version. The PCI Security Standards Council (PCI SSC) places more focus on applying stronger authentication standards to payment and control process access log-ins. PCI SCC has also partnered with the Europay, Mastercard, and Visa (EMVco) to implement the use of a 3DS Core Security Standard during transaction authorization.

This new standard opens the door for organizations to build their own unique pluggable authentication standards to meet data security regulatory requirements. At the same time, they can be scaled to fit the company’s transaction objectives.

4. Encryption - Broader Applicability on Trusted Networks

Since 2015, SSL/early TLS encryption protocols were deemed as no longer secure. At that time, the Payment Card Industry Data Security Standard (PCI DSS) offered important guidance about the vulnerabilities within the Secure Sockets Layer (SSL) protocol, as well as problems with early versions of the Transport Layer Security (TLS) protocol.  The PCI Security Standards Council ordered the removal of SSL and early TLS versions from cardholder data environments by June 2018. This required companies to disable SSL/early TLS encryption tools to adopt and implement a more secure encryption protocol. At that point, the PCI SSC strongly suggested the implementation of TLS v1.2 for peak protection.

The push for even more secure standards has increased. Cyberthreats that include malicious code are one of the biggest problems faced by businesses today.  Once the code is embedded in the network, information can be retrieved through cardholder data being transmitted. The new version of PCI DSS 4.0 specifically addresses this issue, with best practices and insight on how to fully protect network transmissions.

Monitoring - Technology Advancement Requirements

There are likely to be more risk-based approaches in the new PCI DSS 4.0. Technology is growing rapidly, and companies are looking at pluggable options for their information systems, much like the PCI Software Security Framework. The adoption of these solutions allows organizations to comply with standards while gaining faster deployment of processes without having the technology located in a specific control area.

Critical Control Testing Frequency - Possible Inclusion of DESV Requirements

This is a higher level of critical control testing, which includes a significant increase in the amount of testing required. Though Designated Entities Supplemental Validation (DESV) requirements are nothing new, they were previously mandatory only for companies that had been compromised. In this new version, these requirements may be a mandated requirement for all companies to achieve compliance.

Our Take on PCI 4.0

As with any security standard, there will always be evolving requirements and process improvements. Embrace the changes and be grateful someone is watching the threat environment and updating standards.

Add PCI 4.0 to your 2021 roadmap. Start by ensuring compliance with PCI 3.2.1 requirements.   In preparation for PCI DSS 4.0, we recommend that organizations plan for budgetary changes to adapt to the new requirements and additional risk-based security testing. Implementing more significant changes are likely to demand staffing and training efforts as well.

This transition might require the help of a PCI Qualified Security Assessor (QSA).  ERM Protect can help ensure PCI compliance.  As one of the original PCI QSA firms, we are experts at payment card compliance, IT security, and data protection.  We leverage almost 30 years of experience to secure your payment data, protect your business and manage costs and risk.