PCI DSS v4.0: A Year Later and Two Years to Compliance
A year since the introduction of PCI DSS v4.0 and two years closer to the deadline for compliance, how has this new version been embraced, and what does it mean for the meeting of security and compliance? Dan Raywood looks into the new requirements.
The end of March 2022 saw the introduction of a new version of the Payment Card Industry Data Security Standard (PCI DSS) which made some attempts to keep up with modern cyber attack techniques and ultimately prevent their success.
Replacing version 3.2.1, version 4.0 was released on 31st March 2022, and the deadline for compliance is 31st March 2025. Meanwhile, version 3.2.1 is retired on 31st March 2024, so a business can still be audited to that version until that date.
Described as being “more responsive to the dynamic nature of payments and the threat environment” by the PCI Security Standards Council (SSC), the intention was to “reinforce core security principles while providing more flexibility to enable diverse technology implementations better.”
Ultimately, the four main goals were: to continue to meet the security needs of the payment industry, promote security as a continuous process, add flexibility for different methodologies, and enhance validation methods.
In fact, security was critical to its development, as among the new requirements were expanded multi-factor authentication requirements, updated password requirements, and new phishing training requirements.
A year on from the launch, how well received has the new standard been? One podcast described it as a significant evolution, as the standard had been relatively static for ten years, with the last minor change being five years ago. “Simultaneously to that change, the world and cybersecurity worlds changed, and [especially] with the move to the cloud.”
Jason Wallis, principal consultant and QSA at One Compliance Cyber, admitted that the change from 3.2.1 to 4.0 was significant and “would be slightly onerous” for some businesses, particularly in updating policies, procedures and processes. Still, in reality, there is not too much that a company would need to do.
“New requirements have been added because PCI SSC has taken into account current threats that have come around,” he says. “Each day, new attacks are discovered where hackers are getting into businesses, and as those threats increase and new threats come about, the standards to protect companies should advance with the new threats.”
One particular threat is card skimming. Wallis refers to the British Airways incident from 2018, which affected 380,000 customers, saying this has been addressed in new requirements. This now means the business has to know precisely which scripts are displayed in its customers’ browsers and, in some cases, has to add change detection technology that would alert it to any change to any configuration within its payment page.
Saying the new requirement has followed feedback on new threats, Wallis says this type of man-in-the-middle attack is often enabled by weak password credentials or access control, and it “can be undetected and could go on for many, many months”.
“The merchant sometimes doesn’t even detect it themselves at all, and it’s not until the acquiring bank informs them ‘we’ve got lots of customers that say that they’ve been breached or saying they’ve had card details stolen’.” He says that actively looking at which scripts are running on a payment page at any one time, or using some change detection software, should lower the risk of anyone getting in at all.
“First of all, you’re increasing the access control requirements to make it harder for them to get it, and then if they did get in, you have an extra requirement that makes it more likely to be detected earlier.”
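As an added illustration of the script inventory and change detection Wallis describes (this is not code from the article, from One Compliance Cyber or from the PCI SSC), the following Python records every script on a payment page and diffs a later copy of the page against the approved baseline; the page contents and hostnames are constructed for the example.

```python
import hashlib
from html.parser import HTMLParser

class ScriptInventory(HTMLParser):
    """Records each <script>: external ones by src URL, inline ones by SHA-256 of the body."""
    def __init__(self):
        super().__init__()
        self.scripts, self._in_inline, self._buf = set(), False, []

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.scripts.add(("external", src))
        else:  # inline script: hash its body once the closing tag arrives
            self._in_inline, self._buf = True, []

    def handle_data(self, data):
        if self._in_inline:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_inline:
            digest = hashlib.sha256("".join(self._buf).encode()).hexdigest()
            self.scripts.add(("inline", digest))
            self._in_inline = False

def inventory(html):
    """Return the set of (kind, identifier) tuples for every script on the page."""
    parser = ScriptInventory()
    parser.feed(html)
    parser.close()
    return parser.scripts

def detect_changes(baseline, html):
    """Diff a freshly fetched page against the approved baseline inventory."""
    current = inventory(html)
    return {"added": sorted(current - baseline), "removed": sorted(baseline - current)}

# Constructed sample pages; hostnames are placeholders, not real sites.
APPROVED_PAGE = """<html><body>
<script src="https://shop.example.invalid/js/checkout.js"></script>
<script>document.getElementById('pay').addEventListener('submit', submitOrder);</script>
<form id="pay"></form></body></html>"""
# The same page later: the inline script was altered and an unknown script appeared.
CHANGED_PAGE = APPROVED_PAGE.replace("submitOrder", "handler").replace(
    "<form", '<script src="https://static.example.invalid/tracker.js"></script>\n<form')
BASELINE = inventory(APPROVED_PAGE)  # captured when the page was approved
```

Any non-empty `added` or `removed` list is the alert the requirement asks for; in practice the baseline is updated only through the merchant's change control process.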
With the adoption of cloud and hybrid environments in general IT practice, especially AWS, Azure and Google Cloud, a merchant has to consider the provider’s compliance as well as its own. Wallis said there are levels of compliance within those platforms: Google Cloud will meet some requirements on your behalf, other requirements are shared, and for others the merchant alone is responsible.
Simon Turner, senior manager of ISSCA Consultancy Services and ISA at BT, says the cloud factor is one of the significant focus areas of version 4.0, as “version 3 was terrible for mapping to the cloud” and, as “QSAs are reliant on technical expertise, version 4.0 is definitely mapped towards cloud technologies now.”
Has the introduction of version 4.0 been a positive thing? Turner says that in terms of benefit to the industry, it is definitely worthwhile. “In terms of QSAs and security professionals, then it’s a step in the right direction: some security professionals may say it doesn’t go far enough, but what people have got to understand is the business needs to operate and has to take payments in order to operate.”
For those businesses that only need to complete self-assessment questionnaires, the requirements for extra assistance to achieve compliance will likely be reduced. However, there is expected to be increased demand for QSAs from those level-one businesses that process millions of transactions.
Turner says some businesses comply with PCI DSS as “it is a contractual thing, whereas some larger entities are 100% committed to protecting the brand.” That is where there is a need for consistent compliance, and fitting within ISO 27001 is a vital step in that direction to ensure that you’re doing things correctly.
While both standards focus on technical and organisational controls, PCI DSS tells you what it expects to see in unambiguous terms. In contrast, ISO 27001 allows organisations to determine what a control will look like relative to their own risk appetite.
There is a clear indication that security measures are particularly crucial to this new version and that the SSC is considering future attacks and how best to defend against them. Is this a step towards security enabling compliance? It may be a step forward, as meeting these requirements necessarily raises an organisation’s level of security.