Any company that uses and handles credit or debit payment information from consumers needs to comply with PCI DSS, short for Payment Card Industry Data Security Standard. These standards cover technical and operational practices for handling cardholder data. Maintaining payment security is becoming more and more crucial as cybercrime becomes increasingly prevalent in our world.
In 2019, the PCI committee held an RFC (request for comment) period. This was a window during which businesses could review the draft PCI DSS 4.0 standards and submit their comments. Now that the request for comment period is complete, PCI plans to release the new DSS version by the end of 2020.
To prepare yourself and your business, it’s important to look ahead to this new version of PCI DSS. While it is not a requirement to comply with these new standards until the official 4.0 version is released, it may be helpful to begin to transition your company or business towards compliance. This way, the changes that will be made can be gradual and easier for your employees to implement.
In this guide, you’ll learn what it means to be compliant with PCI DSS 4.0. You’ll also find helpful tips on how you can meet compliance standards.
What Does It Mean to be PCI DSS 4.0 Compliant?
The first thing you need to know about PCI DSS 4.0 is that its key priorities are security and flexibility. To be PCI DSS 4.0 compliant, you need to ensure that your business adheres to all of the safety standards listed in the literature. While 100 percent compliance is not required instantaneously, there will be a window of time in which you will need to address and meet all standards.
PCI compliance 4.0 is an ongoing process that requires regular monitoring and assessment of your current practices. It is best thought of as a continuous cycle rather than a one-time project.
The first step in this continuous process is to assess your compliance. During this step, your business or company needs to identify cardholder data and take inventory of your IT assets and processes for payment processing. Once that is complete, you will need to analyze your findings for vulnerabilities.
The second step towards continuous PCI compliance 4.0 is to remediate. This is when you fix any vulnerabilities uncovered during the previous assessment step. Part of this process is also eliminating the storage of cardholder data unless it is absolutely necessary.
The last part of the continuous process is to report. A report should be compiled with all the above information. It should then be submitted to the appropriate bank and card brands. Once these reports are sent, then the process starts itself all over again.
At the end of 2020, when the new version of PCI DSS is officially released, there are some things you will need to prepare for. First, the core requirements of PCI DSS will not be going away. This means that you will be able to keep many of your practices the same. While these 12 core requirements will not be eliminated, some changes will be made, and some new methods will be introduced.
Use the checklist below to begin to get an understanding of PCI compliance 4.0 and what you need to do to get your company on track.
The first area in which you are likely to see a change is the authentication process. The standard is moving towards a deeper alignment with NIST guidance on MFA and passwords. The PCI SSC plans to raise the authentication requirements that apply both to access logins for control processes and to payment processes in general. This may include a closer focus on the use of the 3DS Core Security Standard during the authorization of a transaction. The aim is to allow organizations to build pluggable authentication options that support secure customer authentication.
Encryption is becoming increasingly important for companies that handle payment information. It is essential to keep cardholder data protected and on trusted networks, especially with the increased threat of cybercrime. The PCI SSC is planning broader applicability of the encryption requirements to trusted networks. A main focus of these encryption updates will be the threat posed by malicious code.
Malicious code or malware is a term used to describe any part of a software system that is intended to cause negative effects. These effects can be security breaches or even damage to the system as a whole. Malicious code cannot be effectively controlled by conventional antivirus software on its own.
The PCI SSC is investigating how malicious code can end up in a network. Once it is there, it can harvest cardholder information as it is transmitted. PCI DSS 4.0 will offer guidance on how to fully secure your network transmissions so that such data breaches do not happen.
Compliance with PCI DSS 4.0 will require you to regularly monitor technical advances. One example of such an advance is pluggable options for merchants' information systems. A pluggable database allows faster deployment of payment processes. This is especially helpful because the technology does not have to be located in a specific control area while still abiding by all regulations and standards.
4. Critical Control Testing Frequency
In previous versions of PCI DSS requirements, there have been Designated Entities Supplemental Validation (DESV) requirements. In the past, these requirements were typically reserved only for companies or businesses that had experienced a breach. Now, with the new PCI DSS 4.0, these DESV requirements have the potential to become standard for all industries. These requirements may include the frequency of critical control testing as well as the addition of controls in the first place.
It’s important to note that these four main areas are not the only places where changes or updates will be made for PCI compliance 4.0. Also, since the official PCI DSS 4.0 has not yet been released, it is possible that this information is not 100 percent accurate. Please treat it as our best estimate of where changes will be made, based on the literature from the request for comment period.
How to Achieve PCI DSS 4.0 Compliance?
Now that you have some sort of idea about the updates and changes of the PCI DSS 4.0, how do you begin to achieve compliance for your company or business? Luckily, there are companies you can hire that can help you achieve compliance. If you are looking for an efficient and painless way to achieve PCI compliance 4.0, then you should consider looking into a security company that specializes in this area.
Qualified Security Assessor
When choosing a company, you want to make sure they are designated a “Qualified Security Assessor” by the Payment Card Industry. You will also want to make sure the company you choose is an Approved Scanning Vendor. You can ask the company upfront for their credentials, and these stamps of approval should also be clearly marked on their website.
There are a few steps that a security company will go through to help you prepare for and prevent cybercrime. The list below is a general overview of the steps that will be taken by a Qualified Security Assessor. The exact steps and the order followed will be decided by the security assessor.
If you hire a cybersecurity company to help you with your PCI compliance 4.0, the first thing they will likely have you complete is a self-assessment. This self-assessment allows you to take a detailed look at your company’s payment network and should help to identify some of the larger flaws in your system before diving into the nitty-gritty work. It is the very first step before your cybersecurity partner begins uncovering and identifying the flaws in your network.
A qualified security assessor will help you through some clarification steps relating to your scope boundaries and responsibilities as a service provider. Then, they will assist you in developing a detailed and comprehensive strategy to achieve the goals you have decided upon. By the end of this step towards PCI compliance 4.0, you will be aware of your critical data and be able to move towards reducing your scope, which simultaneously will reduce costs.
During the penetration testing step, a security company will simulate a real-world attack to see where your network’s vulnerabilities lie. This type of testing is of the utmost importance to your company since it is designed to uncover weaknesses in the system. The process of penetration testing should be detailed and thorough in order to uncover as many weaknesses as possible. The goal of this step is to uncover critical issues and demonstrate how well the important information on your network is protected. Once these vulnerabilities are exposed, you have a comprehensive list from which to work. Addressing all the issues on the list will bring you closer to PCI compliance 4.0 and keep your cardholder data safe and secure.
Another important step towards PCI compliance 4.0 is assessing the gaps in your compliance. This is where your PCI DSS posture is assessed as a whole, and areas of noncompliance are identified. During this step, the assessor will create an overview of every aspect of the standard to see where you meet requirements or fall short. Information will be presented in a clear and easy-to-understand way, using flow charts and diagrams to help you visualize where gaps exist. In addition, a formal compliance report will typically be created.
An extremely valuable part of hiring an external security assessor is the employee training that typically comes with it. Either an in-person seminar for employees or an online library of interactive modules will be available. This training will teach your employees to identify spam, phishing, malware, and more. In turn, this knowledge will help to keep your network and your cardholder data safe and secure on a daily basis. While employee education is not a specific standard for PCI compliance 4.0, it does help to address many of the standards, as your employees will know what to look for when it comes to security breaches.
External Vulnerability Scanning
One of the last steps performed by a Qualified Security Assessor is an external vulnerability scan. This is why you want the security assessor you choose to also be an Approved Scanning Vendor (ASV). In this step, you will be able to manage and prioritize a list of your company’s weaknesses, understand how to fix them, and verify your remediation process over time.
As previously stated, these steps are broad descriptions of what will likely happen when you and your company or business work with a Qualified Security Assessor. The exact steps and processes vary slightly depending on the assessor you choose.
In the end, using a Qualified Security Assessor is the best way to make sure you achieve proper PCI DSS 4.0 compliance. As you can see from the lists above, there are many detailed steps involved. Since compliance is mandatory for any company or business that processes cardholder data, it is necessary to complete this process accurately and efficiently in order not to miss any vulnerabilities in your system or network.
If you are not thorough, you could fall out of compliance and potentially lose the privilege of processing credit and debit card payments for your business. If this is something you want to avoid, consider hiring a Qualified Security Assessor to work hand-in-hand with you and your company so that your network is secure and cardholders will trust you to keep their data safe.