On 31 March 2022, the Payment Card Industry Security Standards Council (PCI SSC) officially announced the publication of v4.0 of the PCI DSS. In this article, we look at the declared goals of v4.0 and the key changes from the current version of the standard.
Three points to make upfront. Firstly, the PCI SSC has made this a big document. It runs to 356 pages, with an additional 217 pages of guidance, including the PCI SSC glossary, which makes the document much easier to use. Secondly, it has taken time for the document to be globally released since it was first announced in late 2017. Yes, Covid has been a factor, but so has the SSC’s objective to make this document inclusive. The SSC reached out to the secure payments community not once but three times, receiving over six thousand items of feedback from 200-plus organisations; as a result, the document adds flexibility whilst focusing entities on what is required to keep card data secure. Finally, the current version of the DSS, v3.2.1, will not be retired until 31 March 2024, so there is a long transition period.
Goal 1 – Ensure the standard continues to meet the security needs of the payment industry
Released at the same time as v4.0 is a Summary of Changes document. This lists 64 new requirements, 11 of which apply only to third-party service providers. Whilst the secure payments community will always be playing catch-up, the DSS certainly makes the effort to align with the current threat landscape, even though 51 of the new requirements are not ‘effective’ until 31 March 2025.
Goal 2 – Add flexibility and support for additional methodologies to achieve security
As well as continuing with the ‘Defined’ approach with ‘Compensating Controls’, v4.0 introduces the ‘Customised’ approach. This is a new method to implement and validate PCI DSS requirements in which entities demonstrate that they meet the intent of the DSS and can ‘adopt’ their own testing procedures, signed off by their Qualified Security Assessor (QSA) and acquirer.
Goal 3 – Promote security as a continuous process
In v4.0 this has been made a priority to dispel the notion that PCI DSS compliance is a once-a-year tick-box exercise, much like an MOT. Whilst ‘roles & responsibilities’ has only two mentions in the current version, each of the 12 core requirements now has headline text that states “Roles and responsibilities for performing activities in requirement x are documented, assigned and understood.”
Goal 4 – Enhance validation methods and procedures
Whilst much of this goal is achieved by the introduction of the ‘Customised’ approach, the new supporting documentation for external auditors (QSAs) also shows increased alignment between the information reported in a Report on Compliance and the information summarised in an Attestation of Compliance. We expect to see more when the new Self-Assessments are released in Q2.
So, in summary, a really helpful document that we have time to consider. Certainly the ‘Customised’ approach should prompt ongoing conversations, particularly around the additional time, costs and effort involved for all stakeholders in agreeing testing procedures, and especially when it comes to sign-off and liability in the event of a future data compromise. Food for thought!