The next version of the Payment Card Industry Data Security Standards (PCI DSS) is coming, but not for a while. At the PCI North America Community Meeting in September of 2018, the PCI Security Standards Council shared some insights about the next version of this closely-watched security standard. What follows is LBMC Information Security’s summary and perspective on the council’s insights.
Evolving Factors Influencing Cybersecurity
The PCI Security Standards Council identified several evolving factors that are influencing the cybersecurity industry, and, as such, are likely to be reflected in PCI DSS version 4.0. Greater accessibility of payment data through many different channels is posing new challenges to the cybersecurity industry, and the next version of the DSS is likely to include enhanced control requirements designed to address this fact. Secondly, new form factors through which payments are made are becoming mainstream, such as the ability to make payments via mobile devices and smartwatches (using technology like Apple Pay), and these payment devices must also be properly secured and validated. Thirdly, increased reliance on third parties to play a key role in an organization’s payment card processes merits additional control considerations.
Three Primary Goals for PCI DSS Version 4.0
During the conference, the PCI Security Standards Council identified these three primary goals for the next version of the PCI DSS:
1. To design security requirements for objective/outcome-based assessment
The PCI Security Standards Council acknowledged that, since the issuance of PCI DSS v1.1 12 years ago, many organizations have worked to establish robust and mature cybersecurity programs, and, as such, those organizations no longer benefit from being validated against a rote list of basic controls. Having met the minimum bar, these organizations are now exploring and implementing advanced capabilities that enhance their cybersecurity posture using innovations and dynamic technologies that are a step above the “old way of doing things.” As a result, the council wants to provide these organizations with a way to demonstrate their security posture and PCI compliance while getting credit for their advanced capabilities, which represents a move in the direction of objective-based PCI DSS assessments.
Emma Sutcliffe, Senior Director of Data Security Standards, stated that PCI DSS v4.0 will focus more on what the end result should be rather than specific controls that are required to achieve the security objectives. If it comes to fruition, this evolution will likely be cheered by the industry, as it demonstrates that the council is recognizing that a “one size fits all” approach to security isn’t appropriate or effective.
2. To establish a culture for ongoing security practices
Longtime followers of the PCI DSS will remember that v3.0 introduced language in the introduction of the PCI DSS encouraging organizations to integrate cybersecurity practices into their operations, moving toward ensuring that cybersecurity controls and practices became “business as usual” for the organization rather than special steps that were specifically taken to ensure the protection of data. While the “business as usual” language was recommended guidance, it was not a part of the actual requirements. At the time, LBMC Information Security predicted that future versions of the PCI DSS would likely evolve to include the “business as usual” requirements in the standard itself, and it appears this may indeed come to fruition in version 4.0.
3. To enhance the validation methodology
During the initial open comment period for feedback on the existing version of the PCI DSS, the council reported that it received questions and feedback on several topics within the PCI DSS requirements that will likely be enhanced in version 4.0. The largest volume of feedback was related to the authentication specifications in requirement 8. Many respondents want the council to revisit the password complexity requirement to ensure it aligns with the newest industry publications (such as NIST SP 800-63) related to password security, and to consider the implications of other authentication technologies (such as biometrics) on the existing PCI DSS requirements. Requirement 11 also received a high volume of comments and feedback. The respondents encouraged the council to expand the penetration testing requirement to include social engineering assessments and to provide additional guidance and clarification related to segmentation testing. The requirement that received the third most amount of comments was requirement 3. Most of those comments related to disk-level encryption requirements and requesting clarification on what constitutes secure deletion of data.
The most anticipated announcement during the Community Meeting was the date of the release of the next version of the PCI DSS. The council revealed that PCI DSS v4.0 is expected to be released sometime in 2020 and that at least one more request for comment period will be available during 2019 to solicit additional feedback from merchants and the assessor community prior to the issuance of version 4.0. If the council follows its existing precedent, version 4.0 will be released with a “grandfather” period that will allow organizations to continue assessing against the existing version of the PCI DSS for a period of time before migrating to 4.0. This break-in period provides organizations with an opportunity to sufficiently plan for the implications of the new version and their impact on its existing processes.
As one of the longest tenured and largest PCI assessors in the United States, LBMC Information Security stays on top of the requirements within the industry. If your organization is considering a PCI assessment, contact us to learn how we can help.