From tap-to-pay credit cards to purchasing through voice tech, the way we pay and process payments is changing faster than ever. It’s no surprise that the most recent PCI Security Standards Council Community Meetings have been all about change — specifically the evolution of cyberthreats and the changes organizations must make to secure payment data.
One of the biggest changes coming to payment processing is the upcoming PCI Data Security Standard Version 4.0, or PCI DSS v4. The first draft was released in October of 2019, and while this isn’t the final version of the new requirements, it does give us a sneak peek at what’s to come.
What’s Changing in PCI DSS v4.0?
According to the Council’s Global Head of Standards, Emma Sutcliffe, the 12 core requirements of the PCI DSS will remain fundamentally the same. However, several new requirements are being proposed and reviewed. These new requirements are intended to address evolving security threats to payment data, while at the same time allowing flexibility for how organizations choose to fight them.
In short, this means that organizations will still need to meet PCI DSS standards, but they will also have more freedom to customize how they choose to meet those standards. Organizations will no longer need to meet PCI standards word for word, so long as they can demonstrate the intent to meet standards with a thorough, defense-in-depth approach.
One example of how this may play out is password security. Instead of inconveniencing employees by requiring a new password every month, an organization may instead choose to employ stronger passwords, stricter privileged access management and multi-factor authentication.
Rather than focusing on how organizations meet standards, v4 will focus on the intended security outcome. Says Sutcliffe, “For many requirements, this is achieved by simply changing the language from stating what ‘must’ be implemented to what the resulting security outcome ‘is’.”
This doesn’t mean that organizations must change their current PCI-validated approaches — it simply allows for customization if desired. For that reason, it has been proposed that customized validation should replace compensating controls in PCI DSS v4. If your organization was previously validated via compensating controls, you will no longer be required to provide a technical or business justification for meeting the requirements. Instead, customized validation will require organizations to justify their individual security strategies based on outcome rather than methodology.
Through outcomes-based requirements, the Council aims to become more technology-agnostic and address emerging payment and data technologies, including the cloud and other innovations that are changing the way we process payment information.
The most recently released draft of v4 is by no means final. In October, the PCI Security Standards Council called for a request for comments, opening up the draft for feedback from participating organizations, qualified security assessors and approved scanning vendors. Changes and revisions are sure to come, and the Council will allow plenty of time for organizations to get up to speed before implementing the new requirements.
But one thing is for sure: v4 will be customizable and outcomes-focused, allowing organizations more freedom to develop evolving defense-in-depth strategies.
Are You Protecting Your Payment Data?
As threats to sensitive data evolve, so should your cybersecurity strategy. If you’re looking to protect payment information from cybercriminals, you must devalue all valuable data and take a holistic approach to security.
Bluefin specializes in PCI-validated Point-to-Point Encryption (P2PE) products that safeguard cardholder data entered at the point of sale or over the phone, and tokenization of Personally Identifiable Information (PII), Personal Health Information (PHI), and payment data entered online with our ShieldConex® platform. We are a staunch advocate of devaluing all valuable data and taking a holistic approach to security.