Credit cards make the digital world go round. These days, businesses need to process credit card payments to maximize their consumer base and make purchasing as easy as possible for clients. But credit cards and related records are incredibly vulnerable to cybersecurity attacks. So, it’s important for all C-level executives in the information suite of your company to know what the new PCI Requirement 4.0 will entail.
The fourth version of the Payment Card Industry’s Data Security Standards (PCI DSS) will update regulations for all companies that process credit card payments. Unfortunately, it’s difficult to project what the exact specifications of PCI DSS 4.0 will be; it won’t be released until 2021. Nevertheless, infosec executives should be proactive and get a head start on compliance.
How InfoSec Executives Should Prepare for PCI 4.0
The PCI DSS exists in order to protect your clientele (and the entirety of your business) from the potential financial costs of a data breach. It appears that version 4.0 will simply modernize those protections, bringing them up to speed with our ever-changing digital landscape.
This blog will break down what infosec executives need to know to prepare for PCI 4.0 into:
- An overview of likely changes in 4.0
- And a review of past changes
- A summary of existing requirements in 3.2.1
- And resources to facilitate compliance
By the end of this blog, you’ll be well prepared to get your institution ready for PCI 4.0.
What is PCI 4.0, and Why Does it Matter?
The DSS is developed and administered by the Security Standards Council (SSC) of the PCI. Version 4.0 is the most recent edition, but it’s still in draft form.
The SSC develops new models by starting with a lengthy request for comments (RFC) period. During this time, they listen to what industry stakeholders have to say, then incorporate those responses into the new DSS.
The DSS matters because compliance is the first step toward robust security. When 4.0 is released, it will include critical updates. According to the anticipated timeline, 4.0’s RFC started in Q4 of 2019 and is expected to stretch into Q2 of 2021. Transition into the new requirements will take until approximately Q2 of 2023, when the current version (3.2.1) will be retired.
Overview of Changes to Come in PCI Requirement 4.0
Currently, the SSC does not project major, essential changes to the DSS in version 4.0. Instead, they hope to give companies options regarding which technologies and practices they can employ to meet requirements.
According to its guide looking ahead to 4.0, there are four major goals that have guided the drafting of 4.0:
- Ensuring DSS continues to meet stakeholders’ security needs
- Adding flexibility to requirements, wherever possible
- Promoting ongoing, long-term security processes
- Enhancing validation procedures and measures
These goals indicate an interest in simplifying and facilitating companies’ adoption of the DSS. Importantly, the core of PCI DSS has not gone through many major, categorical changes since 2004’s version 1.0. Nevertheless, some changes have been relatively significant.
Significant Changes Made in Previous Revisions
Just as the SSC queries companies about changes it should make during the RFC period, it also publishes detailed documentation of any and all changes made between versions of the DSS. These changes range in category, from clarifications to evolving requirements.
In past revisions, some of the most important changes have included:
- New in version 2.0 – New evolving sub-requirements were added (6.5.6), including enhanced testing procedures specific to high-risk vulnerabilities, in 2010.
- New in version 3.0 – New evolving sub-requirements were added (5.3), specifying that antivirus software must run continuously and cannot be disabled or altered, in 2013.
- New in version 3.1 – New evolving sub-requirements were added (2.2.3), removing SSL and early TLS cryptography as qualified “secure technologies,” in 2015.
These evolving requirements are few and far between; the vast majority of changes are clarifications or new pieces of guidance. To understand more fully what these revisions mean, and what 4.0’s core will look like, it’s important to understand the full extent of the core requirements.
Summary of Existing PCI DSS Rules (3.2.1)
As noted above, the upcoming 4.0 version of PCI DSS is unlikely to entail many significant changes to the general framework of PCI DSS. As such, the best way to know what to expect in 4.0 is by delving into the most current version, PCI DSS 3.2.1.
At the core of PCI DSS are 12 requirements, spread out across six categories. These have not changed much over the course of PCI DSS’s history; they’ve always comprised:
- Build / maintain secure network and systems
  - Requirement 1: Maintain firewall or filtering configurations
  - Requirement 2: Change default configurations supplied by vendors
- Protect cardholder data in storage and transit
  - Requirement 3: Protect cardholder data while stored
  - Requirement 4: Encrypt cardholder data prior to transmission
- Maintain vulnerability management program
  - Requirement 5: Keep all antivirus and antimalware software up to date
  - Requirement 6: Maintain security across all applications and systems
- Implement access control program or measures
  - Requirement 7: Restrict cardholder data access by business need
  - Requirement 8: Authenticate all granted access to system components
  - Requirement 9: Restrict physical access to protected cardholder data
- Monitor / test networks regularly and thoroughly
  - Requirement 10: Track access to cardholder data and network resources
  - Requirement 11: Assess efficacy of security systems at regular intervals
- Maintain a thorough information security policy
  - Requirement 12: Maintain security policy and educate personnel thoroughly
Across these controls, various specifications detail the granular sub-requirements for compliance. These are precisely where any changes in PCI 4.0 will be felt, as has happened in prior updates. Infosec executives shouldn’t prepare for a complete overhaul, just adjustments.
And the best way to implement these is with professional guidance.
How to Achieve and Maintain Compliance
RSI Security has been facilitating compliance for businesses of all shapes and sizes, across all industries, since 2008. Looking into the future, our PCI 4.0 preparation services include everything your business needs to prepare for 4.0:
- Assessment and report on compliance, including onsite testing
- Self-assessment walkthrough and attestation of compliance (AOC)
- Analysis of risks and vulnerabilities; in-depth penetration testing
- Gap assessment and patch management (per requirement 6)
- Robust cybersecurity education and training for all personnel
This suite is customizable; you can tailor the specific services we offer to the exact needs and means of your company. Working together, we can help you achieve compliance in the short term, and maintain it over the long term. As fully accredited advisors, we’re a one-stop shop.
That comprehensive care also extends beyond compliance to overall cybersecurity.
Professionalize Your Compliance and Cybersecurity
Here at RSI Security, we understand that your company’s cybersecurity needs are complex. You may want help complying with PCI DSS, in addition to other regulatory standards. In addition, you may require other services, like vulnerability management or a virtual CISO.
No matter what cybersecurity solution you’re looking for, we’re your first and best option. Our team of talented experts boasts over a decade of experience helping companies of all shapes and sizes shore up their cyberdefenses. So, contact RSI Security today for help with everything PCI Requirement 4.0 entails, as well as any other cybersecurity needs you may have.