Are you a service provider or merchant that stores, processes, or transmits cardholder data? If so, prepare accordingly — version 4.0 of the Payment Card Industry Data Security Standard (PCI-DSS) is soon to be published.
Roughly 20 years ago a boom in e-commerce pushed credit card brands to take a fresh look at their approach to securing the cardholder environment. With new threats around web-based transactions, there was no protocol or set standard to ensure the secure and consistent processing, storage, and transmission of credit card data. Against this backdrop came the first version of PCI-DSS as a common standard designed to help protect cardholder data. The Payment Card Industry Security Standards Council and credit card brands have since solidified their role in governing credit card transactions.
While the specific requirements of PCI-DSS may change with each new version, the overall goals have always been roughly the same:
- To promote security as a continuous process
- To enhance validation methods
- To add flexibility and support a variety of additional methodologies to achieve security compliance
- To ensure the evolving and constantly changing security needs of the payments industry continue to be met
Version 4.0 is set to be released in Q2 of this year with PCI Internal Security Assessor/Qualified Security Assessor training and support documents coming shortly thereafter. This version will account for recent technological advances, and will anticipate the challenges organizations are facing in a rapidly evolving cyber threat landscape.
Organizations must remain diligent by maintaining their security controls in accordance with version 3.2.1 of the standard. “Doing so helps ensure security remains strong and paves the way for a smooth transition to the new version,” said Marvin Odor, PCI Security Practice Lead at TELUS.
Version 4.0 will bring changes in the following six key areas:
- Flexibility – Customized implementation to meet the intent of security controls
- Security – Stricter requirements to accommodate evolutions in technology
- Authentication – More focus on multi-factor authentication/password guidance
- Encryption – Broader applicability on trusted networks
- Monitoring – Technology advancement requirements
- Critical Control Testing Frequency – Possible inclusion of Designated Entities Supplemental Validation (DESV) requirements
“The term ‘PCI compliant’ is not an empty buzz-phrase but something potential partners are actively seeking,” said Odor. “Clients will almost always opt to work with compliant as opposed to noncompliant organizations. There’s really no getting around that. Noncompliance is linked in people’s minds to higher risk and a lack of professionalism.”
Diligence and Flexibility
PCI-DSS version 4.0 will contain a new validation option that allows organizations using atypical security approaches to take a custom approach. This means flexibility and support for new or different methodologies used to achieve strong security.
“Even companies with technology that at first blush might not meet PCI requirements may be able to show how, with sound risk management, their implementation meets all objectives,” said Odor. “Security controls will need to be defined and documented, and a targeted risk analysis must be completed that includes testing and management of the control.”
Commit to Compliance
As with previous releases, there will be a transition period after the formal release of PCI-DSS version 4.0. This gives organizations two years to fully transition to the new 4.0 standard.
The transition period will allow for organizations to focus on budgetary and organizational changes necessary to achieve compliance. During this period organizations are strongly advised to work on a comprehensive transition plan that can be implemented once the new standard is enforced. TELUS recommends that organizations designate a compliance manager who will lead and oversee compliance internally.
“Preparation begins today,” said Marvin Odor. “Be diligent. Maintain your version 3.2.1 security controls as part of your business-as-usual processes. This will put you in the best possible position to comply with version 4.0 after it is published.”
In the meantime, if you’re concerned about PCI compliance, or worried about what the new standard may mean for your organization’s compliance, engage a PCI Qualified Security Assessor (QSA) who can provide expert security recommendations and guidance to remedy weaknesses or problem areas in your current PCI processes.
TELUS PCI Compliance Services has QSAs allocated across Canada who can provide you with the expert security guidance you need to pursue PCI compliance. Learn more