This is it, the best ever PCI DSS and what is hoped will be the definitive version. Despite being a major version change, the 12 core requirements we know and love remain. But there are some significant changes planned.
In headline terms, the update is intended to make the standard more flexible and more open to new technologies. Cloud/hosted technologies (who needs to be indemnified by whom?), tokenization and P2PE (point-to-point encryption) were all promoted by vendors as game-changers, yet each took years for the PCI SSC to validate.
To this end, there is a new concept being introduced known as ‘Customized Validation’. The aim is to give organizations and their QSA (Qualified Security Assessor) much greater license to meet the intent of the requirements. It’s an evolution of the current ‘Compensating Controls’ path to compliance whereby alternative controls can be used to provide equal or greater risk mitigation for situations where DSS requirements cannot be met to the letter of the standard.
Why is this a significant development? Anyone watching the development of PCI DSS 4.0 will know that an update takes a long time: at least two rounds of Request for Comment and discussion, after which supporting materials need to be produced. It’s likely that Version 4.0 will be available for 2 years prior to the retirement of PCI DSS v3.2.1.
As such, the implied flexibility of the new version should prove valuable to everyone involved, including the QSAs and the PCI SSC (Security Standards Council) themselves. New solutions to PCI challenges can be adopted far more quickly, without needing to wait for formal ratification into the DSS.
But since security controls are largely still the same, it’s not surprising that the requirements of the PCI standard are not radically different.
Key highlights include:
- Introduction of ‘Customized Validation’ as covered earlier, intended to give the PCI DSS longevity and stability
- MFA (multi-factor authentication) being promoted because it is now an eminently available and relatively straightforward add-on, with smartphone-based authenticator apps reducing cost. In the recent Verizon DBIR, 37% of breaches involved the use of stolen credentials and the most common varieties of malware were password dumpers, making this one of the more serious threats.
- And most significantly, a move to step up the effectiveness of the DSS by making security controls integral to ‘Business as Usual’ operations
To explain this final point, who hasn’t heard of ‘checkbox compliance’? It may be a cliché, but it is also too often the reality, with ‘gesture security’ being the norm. Therefore, the promotion of Business As Usual incorporation of PCI processes and procedures is a positive move towards ensuring that cardholder data is better protected at all times, not just during an audit!
For the PCI SSC to be encouraging continuous operation of controls is an especially interesting development when compared to the take-up challenge for NIST 800-171. By contrast, the DoD are currently, in effect, lowering their cybersecurity bar via the CMMC program (Cybersecurity Maturity Model Compliance), providing a baby-steps approach to encourage the adoption of NIST 800-171 controls.
In fact, the mandate to ‘verify PCI DSS requirements for every change, and build this into change management processes’ has always been a part of the PCI DSS. However, prior to Version 4.0, this was only an optional Appendix to the main standard, applicable solely to organizations processing the largest volumes of card data.
Making this a standard requirement for all organizations brings the PCI DSS into line with other leading security controls frameworks where ‘change control’ is a consistent, central theme. It’s an area of specialization for NNT under the brand of SecureOps™.
SecureOps™ is short for Secure Operations. It combines the essential, foundational security controls prescribed by all leading security frameworks, such as CIS and NIST, with the operational discipline of change management and the innovation of change control, pioneered by NNT.
By ensuring the basic and essential security controls are in place, combined with the ability to validate the safety of all changes, organizations can prevent and protect against cyber-attack while improving IT Service Delivery quality.
But the crucial difference with SecureOps™ is that it provides highly automated, comprehensive visibility, analysis and validation of change for provably effective change control.
It’s a genuinely new and effective way of automating security controls, and exactly in line with the true intent of the PCI DSS.
Embedding security controls into Business as Usual IT processes is the only way to provide consistent, round-the-clock defenses. Even though we won’t get a final version of PCI DSS 4.0 until midway through 2021, the cybercriminals won’t be waiting, and neither should any Cyber Security Professional looking to counter the threat to data. The time is now for SecureOps and change control.