PCI-DSS v4.0 – What you need to know

Antony Tuttle, Senior Consultant and QSA at Xcina Consulting, offers his insights on the latest PCI-DSS Standard developments.

The second half of every year sees the Payment Card Industry Data Security Standard’s (PCI-DSS) Security Standards Council (SSC) run its annual Community meetings, with events in North America, Europe and Asia-Pacific. This is also the time of year when the SSC releases information about any changes to the PCI-DSS Standard and sets the direction and focus for the following year. 

If you’re involved in the payment security space and haven’t been to a local meeting, I would strongly recommend you consider it“ it’s a great opportunity to connect with representatives from the card brands, banks, vendors and Qualified Security Assessor Companies (QSAC) like Xcina Consulting.

At last year’s European Community Meeting, it was announced there was likely to be significant change to the PCI-DSS (which would take the Standard up to version 4.0), and there was a lot of anticipation about exactly where those changes might be made. Now that the 2019 Community Meetings have kicked off (the North American Meeting took place in Vancouver on 17-19 September, and the European Meeting is scheduled for 22-24 October in Dublin) we have a little more information on the direction the SSC is taking, and when first drafts might be released.

The following are some of the more significant teasers coming out of the North America Community Meeting:

• The requirement to encrypt Cardholder Data (CHD) has been extended to now include trusted networks (e.g. you were previously permitted to transmit unencrypted cardholder information within your corporate network).
• Exact wording has yet to be seen but there is the possibility that Requirement 8 could be tweaked to align more to the NIST 800-63b updates.  This may see the end of requiring password resets every 90 days, albeit after introducing some additional security controls.
• Point to Point Encryption (P2PE) version 3.0 will be released in Q4 of 2019, which makes the Standard more modular, with subcomponents that companies can become certified in.
• The successor to the Payment Application Data Security Standard (PA-DSS), the Software Security Framework (SFF), now includes a Secure Software Lifecycle component that enables organisations to have their software development lifecycle certified.  This means that the development process does not have to be reassessed with each minor change and can instead have a full assessment every 3 years.
• Arguably the most significant news will be the potential movement to a more objective-based Standard.  In practice, this will see two versions of the Standard becoming available: the defined approach, where the Standard exists much as it does today; and the option for the organisation to adopt a customised approach.  The new customised approach might allow organisations to design their own controls and then implement them to meet the intent of the PCI-DSS requirements. 
• We will need to see exactly how these approaches work in practice as introducing too much flexibility might also introduce inconsistencies in how organisations design and implement their own controls.  In addition, as the determination of whether the implementation is compliant will sit with the QSA, this may add further inconsistencies“ all the more reason to ensure you choose the right QSAC. 
• Those concerns aside, the move to an objective-based approach will allow organisations to introduce new controls or technologies without needing to wait for the Standard to catch up.

As the changes to version 4.0 are so significant, the SSC has confirmed that there will be two requests for comment (RFC) periods before the new version is released“ that release is currently scheduled for late 2020.  As with other version changes, it has also been confirmed that some requirements will be forward-dated (i.e. they will not come into force or become mandatory until a later date), but the actual number and timing for these has not yet been released.

If you have specific PCI-DSS questions or queries, please get in touch.