PCI-DSS version 4.0: Impacts to an Organization

The next version of the PCI-DSS has been a long time coming. The majority of current PCI controls in version 3.2.1 are 10 years old or older. Year to year, the standard itself has changed very little, and version 3.0, released in 2015, has changed minimally in the last 5 years.

The PCI-DSS v4.0 was released to PCI SSC stakeholders for Request for Comments back in October 2019. While the standard may change before the next RFC period, rumored to happen in the second quarter of 2020, there is some publicly available information around the standard and what the impact will be to applicable organizations.

First and foremost, PCI DSS v4.0, the updated version of the standard, is designed to move the security goalpost forward.

Not only are many of the requirements being updated, reworded and rewritten, there’s also a renewed focus on strengthening security and adding flexibility. There are both new and revised requirements. Organizations must review the Summary of Changes and updated standard as soon as it is publicly available. New controls may require additional capital or operational expenditures from their security budgets to implement the new requirements. CTOs and CISOs will need to forecast their budgets, adding overhead to cover these additional expenditures, and begin preparations in 2020. If we look at the history of the Data Security Standard, each release has had additional future-dated requirements, and there’s every expectation that this trend will continue with v4.0.


PCI DSS v4.0

Another key feature of PCI DSS version 4.0 is that each of the 12 requirements will now focus on meeting security objectives, shown in bullet point statements that identify the technical, administrative, or organizational intent for each requirement. These security objectives lead into what is, inarguably, the biggest change of version 4: customized implementations of PCI requirements.

Organizations will have the opportunity either to meet each PCI requirement as written, the same way they are meeting those controls now, or to implement the control as a Customized Implementation. A Customized Implementation is a control objective met by meeting the intent of the requirement, but not performing the control as written. This is very similar to how many organizations are performing compensating controls for their PCI compliance today. The major difference in PCI-DSS v4.0 is that a Customized Implementation does not require a business or technical justification. An organization can meet the intent of any control, for any reason, and implement a Customized Implementation as desired.


The PCI Security Standards Council considers the Customized Implementation to be an evolution of compensating controls. Organizations can quickly adapt their controls to meet any requirement and have more flexibility in choosing solutions to meet the intent of each requirement. Organizations will need to thoroughly document and test their Customized Implementations and include them in their risk assessments during the compliance validation assessment. Third-party assessors will need to both review documentation and test the control to ensure it meets the intent of the requirement.

As we approach the release of PCI-DSS 4.0, organizations must begin to address the organizational challenges.

These challenges include not only the budgetary requirements alluded to above for implementation and documentation of controls, but also the human element: staffing and training. Management will need to ensure that their employees have the proper training and skill set to address the additional challenges posed not only by the new controls, but also by the use of Customized Implementations and the additional risk-based security testing required to ensure they operate effectively.





Written by Jason Likert

Jason Likert is a Managing Consultant at SecureTrust, where Jason leads a team of information security professionals and oversees the execution of security audits, PCI compliance assessment, and other professional services engagements. Jason has been involved in the payment ecosystem as a consultant, auditor and assessor since 2005.

Prior to SecureTrust, he served eight years in the US Air Force and was Director of IT at large e-commerce and healthcare organizations. Jason holds the QSA, Certified ISO 27001 Lead Implementer and Certified ISO 27001 Lead Auditor certifications.