PCI DSS: Looking ahead to v4.0

By Andrew Wortley, Head of Audit & Certification, Blackfoot

Background

As we know, the PCI SSC has started work on PCI DSS version 4.0.

From September to November 2017 the PCI SSC offered stakeholders the opportunity to provide comments and feedback. In addition to the usual request for feedback on the different areas of the standard, the Council asked specific questions aimed at understanding how it could better support organisations in securing payment card data and increase the adoption of PCI DSS.

The Council has stated that it will also conduct an additional RFC before the publication of PCI DSS v4.0.

What do we know so far?

In March 2019 Laura Gray (Senior Director of Comms at the PCI SSC) released a blog on the PCI SSC website talking about plans for v4.0.

Laura clarified that there are 4 core goals for PCI DSS v4.0, namely:

  • Ensure the standard continues to meet the security needs of the payments industry
  • Add flexibility and support additional methodologies to achieve security
  • Promote security as a continuous process
  • Enhance validation methods and procedures

Laura also confirmed that industry feedback will shape PCI DSS v4.0, and stakeholders were asked to review specific areas such as:

  • Authentication, with specific consideration for the NIST MFA/password guidance
  • Broader applicability for encrypting cardholder data on trusted networks
  • Monitoring requirements to consider technology advancement
  • Greater frequency of testing of critical controls; for example, incorporating some requirements from the Designated Entities Supplemental Validation (PCI DSS Appendix A3) into regular PCI DSS requirements.

The 12 core PCI DSS requirements are not expected to fundamentally change with PCI DSS v4.0, as these are still the critical foundation for securing payment card data. However, based on feedback received, the PCI SSC is evaluating how to evolve the standard to accommodate changes in technology, risk mitigation techniques, and the threat landscape.

The PCI SSC is also looking at ways to introduce greater flexibility to support organisations using a broad range of controls and methods to meet security objectives.

So, what does all of this mean in reality?

Having looked into my crystal ball, I predict the following:

The focus of v4.0 will be where the card fraud is increasing. We all know that F2F card fraud is now minimal and that CNP remains the ever-increasing fraud exposure, especially in terms of mobile commerce.

Timescales are always a major consideration for any new release of the PCI DSS:

  • The next RFC will be issued by the PCI SSC in October 2019 and v4.0 will be available by the end of 2020.
  • The current version 3.2.1 of the PCI DSS will run concurrently with v4.0 in 2021, and v4.0 will be mandatory from 1st January 2022.

In terms of v4.0 itself, it will represent a significant change and will be a major rewrite of the standard. The look and feel of the standard could also change in terms of how it is written and audited against. Some may say this is a bad prediction and that only incremental changes will be applied as previously, but I am happy to stand by my views.

Why?

Because the PCI DSS is currently not a good fit for high tech organisations, and I am sure this is something the PCI SSC will be keen to address.

So, how can we ensure that whilst addressing the needs of all, it does not become too technically demanding for merchants?

From an assessor perspective, I see this as being an interesting challenge. We will need a broader range of skills and expertise, and perhaps for some assessments, one size will not fit all.

Applicability of PCI DSS v4.0 to merchants, service providers and QSAs

PCI DSS v3.2.1 states “PCI DSS applies to all entities involved in payment card processing – including merchants, processors, acquirers, issuers, and service providers.”

How the PCI DSS is enforced by the Card Brands is of course entirely different, and I will be writing a separate blog on this topic.

At present, the PCI DSS applies equally to all levels of merchants a..ng on how they take card payments.

As my daughter pointed out to me recently, there are seven colours in a rainbow, so perhaps PCI v4.0 could apply slightly differently to how it is currently enforced by the Card Brands:

L4 Merchants – adhere to the PCI Data Security Essentials (DSE) only

L3, L2, L1 Merchants and Service Providers – adhere to PCI DSS v4.0

Large high tech companies – a more technical and tailored approach focussed on risk mitigation – a v4.0 on steroids if you like.

In terms of QSAs, I believe that PCI DSS v4.0 will raise the bar, requiring QSAs to possess more technical skills.

For high tech companies, QSAs will be required with particular technical expertise, per.. that for QSAs to undertake these types of audits they must also hold the PCI PIN qualification. Just a thought.

Whilst on the face of it the QSA Program is separate from the evolution of the PCI Standard itself, the two are co-dependent, as QSAs must be suitably skilled to cope with changes to the PCI DSS.

In the last few years, we have got used to the PCI DSS evolving at a steady pace to the current mature standard of v3.2.1 with a few tweaks here and there.

However, I feel a radical change is now due and I remain hopeful that v4.0 of the PCI DSS could be just the ticket to build on previous iterations of the standard.
