PCI DSS Version 4.0: Preparing for the Future

The first quarter of the year 2022 should be an exciting time for everyone working with PCI DSS. The PCI Security Standards Council is scheduled to release first a “Stakeholder Preview” of the long-awaited PCI DSS v4.0, and then, presumably some weeks later, the official v4.0 release, with validation documents.

While the process of preparing the move from the current PCI DSS v3.2.1 to PCI DSS v4.0 has been a long one, this is simply a sign of PCI Security Standards Council’s dedication to its mission to “enhance global payment account data security by developing standards and supporting services that drive education, awareness, and effective implementation by stakeholders.” For an overview and historical perspective, our PCI DSS Guide provides a look at PCI DSS development from v1.0 to the present day.

PCI DSS v4.0 should reflect a broad spectrum of industry voices, as the council represents a global forum of industry stakeholders, and the development process included extensive inputs from the Request for Comments process.

Introducing Flexibility to Enhance Security

The big question, of course, is: What’s new? The answer could be summed up: Flexibility.

Many things won’t change. From early on the PCI Security Standards Council stated “The 12 core PCI DSS requirements are not expected to fundamentally change with PCI DSS v4.0, as these are still the critical foundation for securing payment card data.” But the Council went on to say: “Based on feedback received, PCI SSC is evaluating how to evolve the standard to accommodate changes in technology, risk mitigation techniques, and the threat landscape. PCI SSC is also looking at ways to introduce greater flexibility to support organizations using a broad range of controls and methods to meet security objectives.”

While we must wait until next year to get a better understanding of the areas in which, and the degree to which, flexibility will be allowed, the introduction of flexibility to PCI DSS compliance is good news. Flexibility and support of additional methodologies to achieve—and maintain—PCI DSS compliance, and overall security, is absolutely essential today because of the nonstop global cyberattacks coming from hackers, criminal organizations, and other bad actors.

The threatscape within which we all operate is simply too dynamic, too ever changing. While it’s anticipated the Council will continue to provide proscriptive step-by-step guidance to implement security and compliance measures, the introduction of flexibility should be embraced by security and compliance professionals. We know that it is no longer enough to receive an annual Attestation of Compliance. Achieving PCI DSS compliance is a good start, but the battle to protect credit card data, personally identifiable information, intellectual property, and all the other mission critical information held within an organization’s digital infrastructure, must be ongoing—24x7.

Preparing for Version 4.0

The PCI Security Standards Council recognizes that change takes time to implement across large organizations, which is why PCI DSS v3.2.1 isn’t scheduled for official retirement until the first quarter of 2024. But organizations should begin exploring their opportunities for enhancing security to prepare for Version 4.0 today.

The PCI Security Standards Council has indicated that one of its goals for v4.0 is to “promote security as a continuous process.” This recognizes the fact that organizations with high-value data to protect can never sit still. This is because our adversaries never sit still.

Middle school hackers can log onto the dark web and purchase kits designed to automatically detect and attack out-of-date, or unpatched, operating systems and other applications. Criminal organizations and other bad actors, including organizations operating from unfriendly nations, continually invest in developing more efficient tools to penetrate and exploit corporate networks. Artificial intelligence is being harnessed to create more convincing e-mails to trick employees into taking actions that can download malicious software—which remains a major avenue of attack.

While awaiting the release of v4.0, here are some things you can do now:

• Examine Existing Security. While waiting for the final word on v4.0, now is a great time to work with your own internal team, or with a third-party security specialist—ideally a qualified security assessor (QSA) to audit your existing security defenses. Look at what PCI DSS already requires, and then look beyond. Hire “white hat” hacking organizations for penetration testing, realizing that anything that connects to your network can be a point of attack. The Washington Post carries an article on how hackers broke into an internet-connected fish tank to gain entry to an (unnamed) casino’s network and exfiltrate 10 gigabytes of data to a device in Finland.
•  Explore Expanding use of Encryption. Data must be encrypted while at rest in a database or spreadsheet, as well as while in motion, being transmitted between devices, or sent via email. Design—and test—robust backup and disaster recovery systems. Remember that encrypting your own data does nothing to protect against a hacker’s ransomware attack re-encrypting that data, making it unreadable. The good news is that ransomware attacks can be easily survived if you have multiple backups—including backups to the cloud, and otherwise separated from the main corporate network.
• Consider Cloud Options. The PCI Security Standards Council has said: “The draft of PCI DSS v4.0 further supports the use of different technologies, such as cloud, by introducing more flexibility to the wording of requirements and adding intent statements.” This is a good time to catalog current cloud-based resources, including third-party cloud-based services. This will help you ensure compliance with whatever v4.0 requires, as well as take advantage of whatever opportunities v4.0 opens up.
• Work with a QSA. Working with a QSA should begin early. While v4.0 is expected to allow flexibility for organizations to create customized implementations for security controls, any such efforts will need to be fully documented to precisely show how any custom design will achieve all that is required to comply with PCI DSS requirements for the specific security control being addressed. The design will then need to be approved by a QSA. Early QSA involvement can help guide design and development efforts.

To summarize, in today’s digital environment, being compliant doesn’t automatically translate to being secure. Compliance and security must be ongoing efforts. The good news is that flexibility and support of additional methodologies to achieve security will be part of v4.0. This makes today a good time to begin working with your internal team, third-party security professionals, and a QSA to assess your current security profile, and begin planning for how to make your IT environment ever more secure.