PCI DSS 4.0 is Coming – Are You Ready?
The next version of the Payment Card Industry Data Security Standard is scheduled for release early next year. It might be too soon to know what will change when PCI DSS Version 4.0 is released, but we can look for clues in the PCI Council’s blogs and feedback reports from industry sources who have reviewed early drafts.
Goals for PCI DSS v4.0
Based on the feedback received, PCI SSC evaluates how to evolve the standard to accommodate changes in technology, risk mitigation techniques, and the threat landscape. PCI SSC is also looking to introduce greater flexibility to support organizations using a broad range of controls and methods to meet security objectives.
These are some of the high-level goals for PCI DSS v4.0:
- Ensure the standard continues to meet the security needs of the payments industry
- Add flexibility and support of additional methodologies to achieve security
- Promote security as a continuous process
- Enhance validation methods and procedures
Key Changes to Anticipate with PCI DSS 4.0
- Flexibility: Customized implementation to meet the intent of security controls
That is probably the most significant change that will come into place when PCI DSS 4.0 is released next year. The 12 requirements will shift to focus on the main security objectives reviewed in the RFCs.
The new, customized validation approach will sharply define the security outcomes linked to each requirement. With PCI DSS 4.0, organizations will have the ability to choose to perform the control as prescribed or opt for customized implementation. With customized implementation, organizations can comply by showing that they met the intent of the requirement without needing to provide an operational or technical justification.
That change will allow businesses more flexibility in modifying their implementation procedures and meeting the intent of the requirement. To verify the effectiveness, external evaluators must review the documentation and thoroughly test each control with a custom implementation.
- Security: More stringent requirements
The ultimate goal of PCI DSS continues to be ensuring that all sellers safely and securely store, process, and transmit cardholder data. It is fair to assume that PCI DSS 4.0 will set the bar higher and build on the assurance of PCI DSS v3.2.1. In addition to restructuring many of the requirements, the Summary of Changes will likely include strengthened security standards. Top management, including CISOs and CTOs, should prepare to adjust budgets to allocate capital and operational funds to implement the new requirements.
- Authentication: A focus on NIST Password Guidance & MFA
National Institute of Standards and Technology (NIST) Password Guidance moves to the forefront in this new version. The PCI SSC places more focus on applying stronger authentication standards to log-ins for payment and control process access. It has also partnered with EMVCo (Europay, Mastercard, and Visa) to implement the use of the 3DS Core Security Standard during transaction authorization.
- Monitoring: Technology advancement requirements
There are likely to be more risk-based approaches in the new PCI DSS 4.0. Technology evolves rapidly, and companies are looking at pluggable options for their information systems, much like the PCI Software Security Framework. Adopting these solutions allows organizations to comply with standards while gaining faster deployment of processes without having the technology located in a specific control area.
Challenges to Consider before v4.0 is released
The core PCI DSS requirements are not expected to fundamentally change with PCI DSS v4.0, as these are still critical components of securing credit card data. However, organizations should consider the potential changes to PCI DSS requirements, as decisions that are being made now about IT infrastructure and policy could be affected by those changes.
The transition period could aggravate some challenges associated with obtaining and maintaining compliance with PCI DSS. First, there’s the threat of configuration drift. Organizations should have a goal in mind to ensure that systems in their cardholder environments remain compliant.
As always, organizations must demonstrate compliance to auditors. Time and resources must be allocated to complete the auditing process. These resources could be substantial, depending on the number of assets, tests, and controls that are in place. Organizations need to have historical data to prove compliance over time. Depending on their available resources and the size of their cardholder data environments, organizations might also find it impractical to audit all of their systems. Such a decision could prove costly if any threats remained unexposed, leaving their systems vulnerable to attacks.
Ransomware today is a billion-dollar industry. It’s crippled industries like healthcare, infrastructure, telecommunications, and finance. Hackers carry out cyberattacks at the private and public levels, and threat actors have no regard for the implications their actions have on our national and global financial security.
These attacks are made possible by the ongoing presence of weak security controls and outdated operating systems. Looking ahead, it’s likely that malicious actors will continue to use ransomware to target a variety of industries. They’ll also probably go after individual organizations’ Point of Sale (POS) systems, as EMV chip cards have made data scraping nearly impossible.
One of the primary goals of PCI DSS v4.0 will be to promote security as a continuous process so that organizations can remain compliant over time.
CSP PassPort® and PCI-DSS Compliance
CSP PassPort provides important security features for NonStop servers (with or without Safeguard) and greatly expands the Guardian security package.
While Safeguard provides a range of authorization and authentication controls, additional controls are required to manage how users log onto TACL and OSH, and what privileged commands they can use. In addition to this, once a user has logged on, it is critical to control which activities they can then carry out.
CSP PassPort addresses some of the following PCI-DSS requirements:
| PCI DSS Requirement | Description |
|---|---|
| Requirement 7 | Restrict access to cardholder data by business need-to-know |
| Requirement 8 | Identify and authenticate access to system components |
| Requirement 10 | Track and monitor all access to network resources and cardholder data |
| Requirement 12 | Maintain a policy that addresses information security for all personnel |
CSP PassPort provides comprehensive user and command control, password quality enforcement and auditing. It controls and filters user access to systems, programs and commands according to customized user profiles. It offers superior user authentication, command control, session control, accountability, and auditing capabilities not available with Guardian or Safeguard security.
All user terminal input/output operations (including OSS) can be monitored via an easy-to-use GUI interface, while an audit process records all user activities.
User Account Update Screen
- Limit user access to sensitive assets, programs and commands
- Improve user accountability and audit activities
- Track powerful user IDs and commands
- Prevent easy hacks by enforcing Password Quality
- Eliminate the need to disclose sensitive SUPERID passwords for executing commands
- Generate extensive reports of user activities
- Get real-time notifications with Alert-Plus, and forward logs to SIEM for analysis
- Monitor and audit user sessions down to keystroke level
- Role-based user access
- Time restrictions by command and program
- User Authentication SEEP to prevent users from logging on outside CSP PassPort
- Powerful Custom Reporting
- Control client connections by IP address or IP address ranges
- Multi-factor authentication support (coming soon!)
Learn more about CSP PassPort here.
For complimentary access to CSP-Wiki®, an extensive repository of NonStop security knowledge and best practices, please visit wiki.cspsecurity.com