Standards are often imposed on the industries they govern, but that doesn’t appear to be the case with the latest version of the PCI Data Security Council’s Global Data Security Standard (DSS). According to the council, during the three years it took to develop the new standard, more than 200 organizations provided more than 6,000 items of feedback.
“The industry has had unprecedented visibility and impact on the development of PCI-DSS v4.0,” says PCI SSC Executive Director Lance Johnson. “Our stakeholders provided substantial, insightful and diverse input that helped the council effectively advance the development of this version of the PCI Data Security Standard.”
“We used to think that PCI DSS was a standard that was forced on us one way, and that it was something we could only passively accept,” adds Edward Mao, senior manager of the Information Security and Privacy Governance Department at Rakuten Group, an e-commerce and online retail company. “However, now it’s something we actively do with key industry experts, creating a standard that we believe in.”
Organizations will have two years to digest PCI DSS 4
Organizations will have two years to assimilate the new standard and make the changes needed to move off the current standard, PCI DSS 3.2.1, which is set to retire on March 31, 2024. Key elements of the new standard include:
- Updated firewall terminology for network security controls to support a broader range of technologies used to meet security objectives traditionally served by firewalls.
- Expansion of Requirement 8 to implement multi-factor authentication (MFA) for all access to the cardholder data environment.
- Greater flexibility for organizations to demonstrate how they are using different methods to achieve security objectives.
- Addition of targeted risk analyses to allow entities the flexibility to define the frequency with which they perform certain activities, as best suits their business needs and risk exposure.
PCI DSS v4.0 Built for a Zero Trust Mindset
“One of the problems with making regulations or pseudo-regulations like PCI-DSS is that technology changes and what was once a meaningful security control is no longer a significant security control,” says John Bambenek, lead threat hunter at Netenrich, an IT department and digital security operations company. “Firewalls were important 20 years ago. You can’t get rid of them, but what you really want are network security controls that can do meaningful analysis and policy on a per-session basis, so regulations needed to be changed.”
Alex Ondrick, director of security operations at BreachQuest, an incident response company, says that PCI DSS v4.0 is designed for a zero-trust mindset. “It allows organizations more flexibility to build and tailor authentication solutions to fit their requirements,” he says. “Possibly the most important addition to PCI DSS v4.0 is the new requirement to implement multi-factor authentication for all accounts that have access to cardholder data. Although this is technically a best practice as of 31 March 2024, it is an important step toward the security of systems and accounts that access cardholder data.”
Personalized approach requires mature risk assessment
While organizations can look forward to the additional breathing room that the customization and flexibility provisions in the new standard provide, Dan Stocker, director of Coalfire, a provider of cybersecurity advisory services, offers a note of caution. “Organizations will want to carefully consider their risk management options under DSS 4.0, especially where they are at the forefront of technology. The tailored approach will give them great power, but it will require a mature assessment of risk when deviating from the defined approach,” he says. “Similarly, where the requirements allow for flexible implementation, a specific risk analysis will be required.”
“These processes are brand new to PCI and are worth a look,” adds Stocker, “even if they may not be right for every organization.”
Copyright © 2022 IDG Communications, Inc.