There are exciting times ahead for the PCI DSS as it aims to shift its position and up its game. Historically the PCI DSS has been criticised for being behind the technology curve, but as its latest iteration (version 4.0) is prepared for release by the Payment Card Industry Security Standards Council, we anticipate changes that will keep the standard in the here and now.
6 PCI DSS v4.0 changes we are anticipating:
1. Improved controls around software development
The OWASP Top 10 has recently been refreshed. As a project, it does a great job to minimise risks to web applications, but sadly, changes to its guidance often go unnoticed and vulnerabilities are present from day one which really ought not to be. As a security professional it's important to keep up to date with trends and development within the industry, so why wouldn't a developer? As part of the PCI DSS v4.0 changes, expect to be asked to provide assurance that your development practices are fresh and the developers up to date with security awareness training too.
2. Be confident of your in-scope environment and write it down
Up until now, the need to confirm your in-scope environment has been a precursor activity in the PCI DSS before the requirements even start, and therefore not a requirement itself; to that end, it could end up being a mish-mash of documents and sometimes just in a person's head.
As environments begin to leverage new technologies, third parties and ever-increasing complex processes, getting a handle on all these systems to ensure compliance is a challenge; both for you day to day and your QSA each year.
Anticipate that you're going to need to formally document your in-scope environment; it shouldn't be difficult as they're your systems. For those operating ISO 27001, that's just like your certification scope. Think people, process and technologies and you're already halfway there. This is also going to assist you in selecting a QSA partner as you can bring them up to speed very quickly along with obtaining details around assessment activities.
3. Tweaking across the board
The 12 title requirements will not change, but within each of them, there are likely to be uplifts. Those are probably going to impact procedures or technologies, but remain calm. The PCI SSC and Payment Brands have already identified the significance of what is ahead and the transition timelines for moving to PCI DSS v4.0 are the most generous seen for a major release. Whilst v4.0 is slated for release early in 2022, organisations will have up until early 2024 to transition, at which point v3.2.1 will be retired. Whilst operating PCI DSS compliant environments is a business-as-usual activity, planning for migration to version v4.0 can take the form of a project. Nettitude will be available to provide support for those projects and ensure you're on the front foot.
4. Information about related programs
The current version of the PCI DSS includes information around PA-DSS and how this links to the efforts within the PCI DSS. With time being called on the PA-DSS program (which is being retired in October 2022), expect the latest version of the PCI DSS to give details of how the Software Security Framework ties in.
5. A new method for assessment
Business processes evolve, technologies evolve and so the PCI DSS is providing a mechanism to let the assessment support such evolution. Version 4.0 will continue to support the traditional approach to assessment which is titled 'defined approach', where the assessor will use the testing procedures defined to mark items in place. In addition to the uplift of the requirements, PCI DSS v4.0 will see the introduction of the 'customised approach'. This describes the objective of a requirement and organisations can have their people, process and technologies assessed against the objectives which will allow for different implementations that achieve the same goal. The standard will likely have lots of details around this to ensure it is used effectively where needed.
6.Stronger password requirements
The password requirements within PCI DSS v3.2.1 are not really in keeping with good practice guidance so these are likely to be improved with a much greater 'encouragement' to be using multi-Factor authentication within your in-scope systems.
How is Nettitude able to assist?
Having been a QSA company for over 12 years, Nettitude has extensive experience in helping our clients transition to the updated version of the standard. We have been keeping a close eye on the expected changes to PCI DSS v4.0 and will be providing updates to our clients through webinars and educational sessions upon the release of the new version in 2022.
We are here to help you take full advantage of changes in a way that most benefits your organisation.
Find out more on why you should choose Nettitude as your PCI DSS compliance partner here