Co-founder and chief evangelist, Ground Labs.
The Payment Card Industry Data Security Standard (PCI DSS) has been the gold standard for protecting cardholder data worldwide since its release in 2004. However, organizations have continually struggled to maintain compliance. According to the Verizon Payment Security Report 2020, just 27.9% of surveyed companies were in full compliance with the PCI DSS in 2019. This trend is symptomatic of the fact many organizations view PCI compliance as a once-a-year initiative or a box-ticking exercise (or both).
The PCI Security Standards Council (PCI SSC) recently released version 4.0 of the PCI DSS. This latest version is the most significant update to the PCI DSS since its release 18 years ago. With changes that include mandating authenticated vulnerability scans, enforcing multifactor authentication for all access to card data environments (CDE) and more frequent scope validation for some sectors, the effort required to meet PCI DSS 4.0 shouldn’t be underestimated. While the enforcement date of March 31, 2024, may seem far off, now is a critical time for business leaders, IT security personnel and compliance officers to begin planning. It’s time to evaluate your compliance status, understand any roadblocks to maintaining compliance and educate staff—especially those at the boardroom table—about the changes introduced in PCI DSS 4.0.
Understanding The Biggest Changes
Since the publication of PCI DSS 3.2.1 in May 2018, the technology landscape has shifted significantly. Our lives are conducted online like never before. In February 2019, online sales overtook traditional store sales for the first time and, commercially, the shift from on-premises IT infrastructure to cloud-based services was picking up pace. And then Covid-19 happened, accelerating demand for online services across every sector, globally. Organizations pushed through rapid cloud migrations to support remote working; contactless “non-touch” payment solutions and online shopping became the new normal. As businesses worked to re-establish themselves, so too did the cybercriminals, seeking opportunities to profit from the new expanse of internet real estate that had been released.
Since its inception, PCI DSS has focused on the threats and vulnerabilities within current and emerging technologies to make sure it remains fit for purpose. One of the biggest changes is the greater emphasis PCI DSS 4.0 places on security, promoting flexible data practices integrated within an organization’s wider security posture. The revised standard recognizes that emerging technologies don’t always fit a rigid, prescriptive control framework and introduces more flexibility to compliance through its Customized Approach. Other significant changes include:
• Passwords And User Authentication: Reflecting best password management practices and mandating multi-factor authentication for all access to the CDE.
• Scope Validation And Data Discovery: Requiring service providers to revalidate their scope every six months, identifying all locations of cardholder data and designating entities to perform quarterly data discovery exercises.
• Enhanced Monitoring: Automating log reviews using log analyzers and SIEM solutions, improving vulnerability scan results with authenticated scans and ensuring service providers support customer penetration testing.
• Increased Testing Of Critical Controls: Greater frequency of testing per the Designated Entities Supplemental Validation (PCI DSS Appendix A3).
Navigating Toward PCI DSS 4.0
Compliance is a journey, and the route is always evolving. There are no shortcuts worth taking, but there are some things you can do to help your organization navigate toward PCI DSS 4.0 compliance:
• Set Off On The Right Foot: Ensure you’re compliant with PCI DSS 3.2.1. If you’re not compliant yet, determine what your barriers are. Often, noncompliance is a problem of not knowing where all of your cardholder data resides. Regular data discovery verifies where your card data is stored and how it moves through your network. Evaluate your systems and processes, remove data you don’t need and implement controls for the rest.
• Start With The Defined Approach: As you migrate to PCI DSS 4.0, stick to the defined approach as much as possible. While the customized approach offers flexibility in how controls are met, it doesn’t negate the requirement to comply with them. By design, the customized approach demands additional evidence and stringent validation during assessment, making it more costly to deviate from the defined approach without a genuine need.
• Get Educated On PCI DSS 4.0: The new standard is complex; reading one article alone will not make you an expert. Engage a specialist to guide you through PCI DSS 4.0 and conduct regular training sessions with all employees. Gamify training and keep it interactive to help employees understand the aspects of compliance relevant to their job.
• Appoint A Chief Data Officer (CDO): There has been a marked increase in the number of CDOs in-seat, especially within large enterprises. This comes as no surprise; CDOs are often well versed in various compliance mandates. Appoint a CDO—or identify internal data experts and empower them—have regular check-ins, give them a speaking role during company meetings, and ensure each department head has regular access to and communication with them. Compliance isn’t the CDO’s sole responsibility, but they are an excellent resource to lead and manage your PCI DSS compliance and data security strategy.
• Utilize The Tools You Have: Larger organizations typically deploy several security tools—many underutilized, poorly configured and ineffective. Understanding how you can utilize the capabilities of existing tools will limit unnecessary investment costs in support of PCI DSS 4.0.
PCI DSS 4.0 is coming—fast. Don’t spend the next two years ignoring what should be a top priority within your organization. Now is the perfect time to educate yourself and your peers, gain a deeper understanding of your organization’s data and, most importantly, position your organization to maintain PCI DSS compliance for years to come.
Forbes Technology Council is an invitation-only community for world-class CIOs, CTOs and technology executives. Do I qualify?