The TRUE PCI Services team attended the annual 2019 PCI Community Meeting (PCICM) in beautiful Vancouver at the West Vancouver Conference Centre. Overlooking the bay of West Vancouver and crowned by fog-misted mountains, this area of Vancouver has everything anyone could ask for from a locale: an amazing, diverse selection of local eats, food trucks, and five-star restaurants, a plethora of High Street and Main Street shopping districts, and cultural sites to see. Vancouver was also rated as Canada’s most walkable city in 2017, the truth of which we can now officially confirm, despite the rain.
In addition to the very distracting view, phenomenal food, and crisp autumn sweater weather, the PCICM did not disappoint, with tracks on building industry diversity, fraud and threat prevention, and PCI assessments in the cloud. The highlight of the conference, however, actually came on the first day. During the opening talks, the PCI Council announced that PCI DSS 4.0 will be released in late 2020 or early 2021. The new version will replace the well-known PCI DSS 3.2.1 and is likely to send the cybersecurity world into a panicked frenzy. Our goal in preparing you now is to spare your security teams a round of ulcers and heart palpitations when that day comes. To that end, I’ll be covering the proposed high-level goals of the new version.
Assessment and Validation Flexibility
PCI DSS 4.0 will be a full revision of the 3.2.1 document, and will therefore come laden with changes that affect everyone required to adhere to the PCI DSS. While 3.2.1 was a minor update, the 4.0 release will apply to all merchants and service providers regardless of current scope or transaction level. Version 4.0 aims to ensure that the security needs of the modern payment industry are met while adding flexibility, recognizing that security and compliance goals may be achieved through multiple methods, and moving the standard from a point-in-time audit to an evaluation of ongoing technical and procedural controls. The goal of these changes is to move the payment industry towards a culture of holistic security practices and evolving strategies. It seems that the PCI Council has heard the community’s gripes about the inherently complex nature of compensating controls and their documentation and evaluation process, which were terribly cumbersome for everyone involved: businesses, ISAs, and QSAs. In response, 4.0 will provide a two-pronged approach for validating compliance, the Direct Approach and the Custom Approach, each with its own angels and demons. The Direct Approach is the one we already use to evaluate compliance today under PCI DSS 3.2.1. Simple enough. The Custom Approach will focus on the intent of each of the twelve PCI requirements and give organizations more flexibility to demonstrate how the security controls in place meet the security objectives of the PCI DSS, rather than adhering to strictly prescribed criteria.
While either option will be available to merchants and service providers for attaining PCI compliance, and to QSAs for assessing and validating it, the Custom Approach is not meant to validate subpar security controls and tools amalgamated into a semi-operational security golem. In other words, organizations will not be able to simply provide fancy verbiage to justify a poor approach to security. Quite the opposite: the Custom Approach is best suited to entities with a robust and mature risk management and security program run by expert security professionals. QSAs are also given a degree of latitude when assessing controls under the Custom Approach, which could mean more or less scrutiny depending on the scope and the presence of cardholder data.
PCI DSS 4.0 is also being overhauled to put more focus on security as a continuous, holistically evolving program. Version 3.2.1 allowed entities to provide proof of “point-in-time” security once a year, whereas the new version will likely require evidence of continuous improvement and forward-looking objectives. The proposed changes include greater expectations for security awareness training and risk assessment criteria. Additionally, the next version of the PCI DSS will reflect the industry’s shift away from in-house security management by enhancing the requirements for managing and partnering with third-party vendors. With so many supply chain attacks in recent years, this should be a welcome development for advocates of protecting customer data.
PCI DSS 4.0 will also address the growing number of payment channels through which payment card data is accessed and processed, including mobile devices, smartwatches, and even home IoT devices such as Amazon Alexa. Any organization that falls within the purview of PCI compliance would do well to review the supplemental guidance the Council has published on IoT devices, cloud computing, and related topics in 2018 and 2019. These documents are good indicators of what to expect in the official PCI DSS 4.0, as they were issued to provide additional guidance for organizations whose scope includes these technologies.
Structure and Guidance
Probably the least dramatic of the changes, but still central to the new direction of PCI compliance, is that the overall structure of the document will change. The recently released PCI Secure Software Standard is the best indicator of what to anticipate in the next version of the DSS. The twelve key requirements will remain, but they will be reorganized under overarching “Security Objectives”, similar to the Secure Software Standard. The requirement descriptions will also be rewritten as outcome-based statements to allow for the promised flexibility in designing, assessing, and validating security controls. The old guidance will be replaced with a clear statement of intent for each security requirement, accompanied by expanded guidance that gives entities a tangible goal to strive for, rather than simply explaining the key reasons and risks behind the requirement. So brace yourself: version 4.0 will look quite different from what you are accustomed to, both in requirement numbering and in the stated expectations for compliance. Entities with an existing PCI compliance program will need not only to update their documentation but also to perform a gap assessment to determine where they stand and plan their next steps.
The PCI Council will be kicking off the first of two RFC (Request for Comments) periods this month, so there is no need to panic just yet. However, maintaining current compliance and staying abreast of the coming changes will help you prepare your teams. To allow for the learning curve and the internal work that will need to be done, there is a planned transition period after the official release for organizations to complete any necessary remediation, but unlike the 2018 deadline for migrating off SSL and early TLS, no organization can afford to take this on at the last minute. PCI DSS 4.0 is a total overhaul of the standard, and it is vital that organizations provide feedback during the RFC and pay attention to the draft standard. The 4.0 draft will likely be available for review and comment this month, and merchants, ISAs and QSAs are eligible to participate in the PCI Council’s request for comments process. The RFC period for PCI DSS 4.0 is scheduled to end in November 2019, with a second RFC period scheduled for spring 2020. The PCI Council hopes to release a final version of PCI DSS 4.0 toward the end of 2020. TRUE QSAs will be participating in the RFC this month and in the upcoming one next year. This will let us keep clients of all sizes informed of the status of version 4.0 so that plans and remediation steps can be adjusted accordingly. As we engage, we will keep you informed of our participation and the insight gained from the first RFC, along with a more in-depth summary of the changes to anticipate. In the end, that’s why we attend Community Meetings: to help our customers and communities prepare for what’s ahead (but the views and crisp weather certainly didn’t hurt our feelings!).
Learn more about our suite of PCI solutions here.