A Whole New World for PCI DSS
This blog was originally published by PKWARE on November 23, 2021.
As we know, the new Payment Card Industry Data Security Standard (PCI DSS) 4.0 guidelines are coming out in Q1 of next year, with some predicting a March timeframe for its release based on previous releases. The last time PCI came out with a full update was back in 2013. Since then, things have changed considerably in the industries of data security, privacy, and technology that must be upheld by the new standards. Our VP of Privacy and Compliance, Chris Pin, recently spoke on the Security & Compliance Weekly podcast to discuss this exact topic, which we’ll recap here.
A Quick History of PCI DSS
While there have been small updates to PCI DSS 3.0 since its release in 2013 (with 3.2.1 being the latest version), 4.0 will be the most comprehensive one in the past nine years. Before that, PCI 1.0 was released in 2004 and the PCI Security Standards Council was created in 2006. In 2010, PCI DSS 2.0 was released and finally, 3.0 in 2013. As you can see from the history, there were only a few years between the other major updates. However, it’s been nearly a decade for this latest major release. So, what’s taken so long to release these new standards?
The PCI Security Standards Council began the drafting process for 4.0 in 2019. Since 2013, the world of technology has moved so quickly that the council wanted to do a thorough scrubbing of the standard to address the new world we live in. For example, since 2013, cloud migrations and the adoption of related technology have increased. Virtual container environments and serverless computing, for example, have redefined cloud security, and companies are relying much more on outsourcing to get it done. Version 3.0 was not designed for these kinds of modern IT environments, so 4.0 will have extensive language clarifying what needs to be done to reach compliance in those scenarios.
Additionally, Software as a Service (SaaS) and Platform as a Service (PaaS) have become more widely used. Many companies that provide those services for cloud management are heavily involved in storing credit card data, which means those cloud vendors also need to be compliant with PCI DSS. Finally, there is an abundance of ways for consumers to pay for products and services online, and thus more credit card vendors that need to uphold PCI DSS standards. Because of this, 4.0 will bring a lot more scrutiny to third parties, and companies will need to carefully assess who they are choosing to do business with.
QSA Guidance and Privacy Regulations Add New Layers to Compliance
We took an early look at what to expect in 4.0 in a previous blog, but Chris and the podcast hosts discussed a couple of additional items they would like to see in 4.0 or future iterations to standardize PCI DSS evaluations. The first item is the need for more direction for Qualified Security Auditors (QSAs), as they would benefit from additional guidelines on what to look for and how to test for PCI DSS compliance. Currently, how deeply a QSA digs to assure compliance varies from assessor to assessor, but clearly outlining what an assessor should be looking for will help standardize the process, rather than leaving it to each individual's experience. Specific training on the technical side of compliance would also be helpful for QSAs, as some of them don't have a technical background and aren't as well-versed in what they are looking for in those areas.
Additionally, in Part 2 of the podcast, Chris and the hosts discuss how most startups formed in the last decade are not familiar with PCI DSS, even though these companies are still collecting a lot of credit card information. While some are getting more integrated with large vendors, others are using smaller, third-party companies to handle their PCI DSS compliance, which makes sense because they often don't have the funds and infrastructure to handle it themselves. Additionally, ever since the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA) passed in 2016 and 2018, respectively, companies are also required to understand what data they have and why they have it, and to provide it upon request. Thus, as companies invest in data discovery tools, they are better positioned to comply with PCI DSS: if their tools can find all parts of consumer data, they can uncover and find credit card numbers too.
Getting an Early Start
As a whole, PCI DSS 4.0 is going to look similar to 3.0 and its iterations, because the fundamentals of security don't change; what evolves is how you perform the tasks with new technology and environments. The differences in 4.0 can mainly be summed up as the standard doing away with archaic requirements that no longer apply to modern technology, giving companies more flexibility in how they meet compliance, and stating more explicitly language that QSAs could find confusing.
While PCI DSS 4.0 won’t be fully enforced until 2024 at the earliest, it’s never too early to start thinking about your company’s privacy and compliance roadmap.