With PCI DSS 4.0 currently under development, and whilst there is little detailed information available on the content of the new version, there are some practical steps that will help implement this major update to the standard.
1. As the PCI DSS compliance activity companies will need to perform for v4.0 is currently unknown, this has become a ‘known unknown’ risk and should be included on the corporate risk register. This action records the PCI DSS change as a business risk, which allows executive management to review it and allocate resources accordingly to protect both your business and your customers.
The PCI Council has stated v4.0 goals are as follows:
- Ensure the standard continues to meet the security needs of the payments industry;
- Add flexibility and support of additional methodologies to achieve security;
- Promote security as a continuous process; and
- Enhance validation methods and procedures.
2. For managers setting budgets and resources, it’s advisable to allocate resources to perform a gap review comparing the new standard against current working practices, to identify the changes required to maintain compliance and good security practice under PCI DSS v4.0, which is currently planned for release at the end of 2020.
This approach will help maximise the timeframe available to support any business changes required. In previous significant version changes, the PCI SSC review cycle has retired the outgoing PCI DSS version 14 months after the new version’s release.
The window when both PCI DSS v3.2.1 and v4.0 are effective is when companies should be making and applying changes to comply with v4.0. It’s advisable not to leave the gap review until two months prior to the expiration of v3.2.1. If unsure, engage a QSA company early to help review the new standard.
3. Projects currently being implemented should be reviewed to confirm whether, and how, the release of PCI DSS v4.0 may impact the project. Project or programme managers should record the v4.0 release on the project risk register and, if the project is impacted, confirm with business stakeholders how it should proceed given the impending v4.0 change. For example:
a. A project going live early to mid-2020: business stakeholders may agree to review the project, as it will be in production, during the wider business review to understand the impact.
b. A project going live late 2020 or during 2021: business stakeholders may agree to provide additional cost and time to review v4.0 during project implementation or accept into production and review during wider business review.
c. A project going live 2022: business stakeholders will need to agree to provide additional cost and time to review v4.0 during project implementation.
4. Merchant companies should engage their service providers (SPs) to confirm they are aware of the pending update, and open communications to plan and manage the change to the new PCI DSS v4.0 requirements. For example, requirement 12.8.5 requires companies to know which PCI DSS controls are being managed by which party.
5. It’s advisable to stay ahead of the curve by subscribing to the security standards that PCI DSS references, such as those published by NIST, and by keeping aware of evolving technology changes that would impact and/or enhance your current cardholder data environment (CDE).
For example, NIST recently released ‘Guidelines for the Selection, Configuration, and Use of Transport Layer Security (TLS) Implementations’. Reviewing this document in advance would be good practice and help maintain the CDE; note also that the PCI DSS Glossary, under ‘Strong Encryption’, makes reference to NIST. (NIST publication: https://csrc.nist.gov/publications/detail/sp/800-52/rev-2/final)
If there’s a PCI DSS related topic you require guidance with or you have any queries about any of the above practical guidance, please do not hesitate to get in contact with us via the below contact form.