New PCI DSS v4.0 receives kudos for flexibility

Standards are often force-fed to the industries they govern, but that doesn’t seem to be the case with the latest version of the PCI Data Security Council’s global Data Security Standard (PCI DSS). According to the council, during the three years it took to develop the new standard, more than 200 organizations provided more than 6,000 items of feedback.

“The industry has had unprecedented visibility into, and impact on the development of PCI DSS v4.0,” says PCI SSC executive director Lance Johnson. “Our stakeholders provided substantial, insightful, and diverse input that helped the council effectively advance the development of this version of the PCI Data Security Standard.”

“We used to think that PCI DSS was a standard enforced onto us one-way, and it was something we could only accept passively,” adds Edward Mao, a senior manager in the Information Security and Privacy Governance Department at the Rakuten Group, an electronic commerce and online retailing company. “However, it is now something we do with key industry experts actively, creating a standard we believe in.”

Organizations will have two years to digest PCI DSS 4

Organizations will have two years to digest the new standard and make any changes from the current standard, PCI DSS 3.21, which will be retired on March 31, 2024. Key elements in the new standard include:

• Updated firewall terminology to network security controls to support a broader range of technologies used to meet the security objectives traditionally met by firewalls

• Expansion of Requirement 8 to implement multi-factor authentication (MFA) for all access into the cardholder data environment

• Increased flexibility for organizations to demonstrate how they are using different methods to achieve security objectives

• Addition of targeted risk analyses to allow entities the flexibility to define how frequently they perform certain activities, as best suited for their business needs and risk exposure

PCI DSS v4.0 built for a zero trust mindset

“One of the problems with crafting regulations or pseudo-regulations, like PCI-DSS, is that technology changes and what was once a meaningful security control ceased to be one,” says John Bambenek, a principal threat hunter at Netenrich, an IT and digital security operations company. “Firewalls mattered 20 years ago. You can’t get rid of them, but what you really want are network security controls that can do meaningful analysis and policy on a per-session basis, so the regulations needed to be changed.”

Alex Ondrick, director of security operations at BreachQuest, an incident response company, maintained that PCI DSS v4.0 is built for a zero trust mindset. “It allows organizations increased flexibility to build and tailor authentication solutions to fit their requirements,” he says. “Arguably, the most important addition to PCI DSS v4.0 is the new requirement to implement multi-factor authentication for all accounts that have access to cardholder data. Although this is technically a best practice until March 31, 2024, it is a significant step toward securing systems and accounts which are accessing cardholder data.”

Customized approach requires a mature appraisal of risk

While organizations may be looking forward to the additional breathing room given to them by the customization and flexibility provisions in the new standard, Dan Stocker, director of Coalfire, a provider of cybersecurity advisory services, offers a note of caution. “Organizations will want to carefully consider their risk management options under DSS 4.0, especially where they are on the technology leading edge. The customized approach will give them great power but require a mature appraisal of the risk in deviating from the defined approach,” he says. “Likewise, where requirements allow flexible implementation, a targeted risk analysis will be required.”

“These processes are brand new in PCI, and are worth a look,” Stocker adds, “even if they may not be right for every organization.”