The upcoming changes to the Payment Card Industry Data Security Standard (PCI DSS) will affect every organization that stores, transmits, or processes cardholder data and/or sensitive authentication data.
Effective starting in March 2024, the new standard, known as PCI DSS 4.0, spans dozens of changes in areas including risk assessment, how keys and certificates are managed, and what can be accessed remotely.
The update will also impact identity and access management (IAM) and the technologies used for email filtering, anti-malware, multi-factor authentication (MFA), security information and event management (SIEM), as well as application development.
The requirements affect vast swaths of IT infrastructure–from network devices, virtual machines, authentication servers and cloud infrastructure to payment terminals, payment back-office systems, shopping carts, physical security systems, internal network security controls, and beyond.
Darren Carroll, managing principal of security services at solutions integrator Insight Enterprises, explains the PCI Security Standards Council (SSC) periodically updates guidance under the DSS to drive continuous improvement and maturity into organizations’ cybersecurity program.
He calls the upcoming DSS v4.0 a “demonstrable step forward” in driving both technical and administrative controls related to securing data related to accepting and processing credit card transactions.
“The new standard is the most transformative released to date, with the changes being driven by a need to stay current with technologies and to provide a much greater level of flexibility to meet requirements than in previous versions,” he explains.
He notes there are two primary workstreams to prepare for DSS v4.0 compliance, with one potential interim workstream. Step one is to complete all activities related to the existing DSS v3.2.1 compliance.
“With the v3.2.1 effort completed, that will serve as a foundational baseline to prepare for the upcoming changes,” Carroll says.
The second step is to perform a “gap assessment” to quantify missing or incomplete aspects related to the new or expanded requirements.
He says the potential mid-process workstream may involve remediation and/or closing of possible gaps.
“The most critical aspect is to identify the delta in the controls implementation as soon as possible due to the extent and impact of the new requirements that many companies will likely face,” he says. “Doing so will provide the maximum amount of time, and budget cycles, to address the changes.”
Carroll adds the impact of PCI DSS v4.0 will be felt enterprise-wide, which means executives in finance, IT, and application development, among other departments, will have activities related to becoming PCI DSS v4.0 compliant.
Compliance Requires Deep Integration Enterprise-Wide
There are several impactful changes to the requirements associated with DSS v4.0 compliance, ranging from policy development (all changes will require some level of policy changes), to Public Key Infrastructure (PKI), as there will be multiple changes related to how keys and certificates are managed.
Carroll points out there will also be remote access issues, including defined changes to how systems may be accessed remotely, and risk assessments — now required to multiple and regular “targeted risk assessments” to capture risk in a format specified by the PCI DSS.
Dan Stocker, director at Coalfire, a provider of cybersecurity advisory services, points out fintech is growing rapidly, with innovative uses for credit card data. “Entities should realistically evaluate their obligations under PCI,” he says. “Use of descoping techniques, such as tokenization, can reduce total cost of compliance, but also limit product development choices.”
He explains modern enterprises have multiple compliance obligations across diverse topics, such as financial reporting, privacy, and in the case of service providers, many more (on behalf of their customers).
Benefits of a Common Control Framework
From Stocker’s perspective, PCI should be integrated into a common control framework, so that the organization can efficiently manage compliance.
In addition, DSS v4.0 now defines requirements for specific technologies related to (for example) email filtering, anti-malware, multi-factor authentication, SIEM, and more Software Development Lifecycle (SDLC).
For entities with bespoke applications, requirements will include documenting components used in the specific applications, reviewing them, and verifying security controls are properly implemented.
Finally, the new standard impacts identity and authentication, including enhanced requirements for reviewing access and managing service and application accounts, in addition to changes to password requirements.
“This is a fundamental and impactful changes to DSS compliance,” Carroll says. “Assumedly, most organization will have most if not all of the new requirements already in place, but the codification and reporting related to PCI will be a significant change for most companies.”
Stocker says compliance leaders can start the ball rolling, but experience has shown that compliance is most effective (and least expensive) when baked into existing governance and product development.
“Central management is fine but pushing compliance knowledge out to key teams can have multiple benefits,” he says. “The extensive impact of DSS 4.0 means that even mature compliance functions will need some uplift.”
He adds that while 18 months seems like forever in the tech world, no organization is standing still.
“Proactive organizations will want to triage impact and integrate the new requirements into their existing product and upgrade planning,” Stocker says.