In a recent LinkedIn Live, my colleague Bob Skinner and I discussed how organizations can prepare for the new PCI DSS v4.0 standards,
which you can watch here.
Why is PCI DSS required: Introducing the standards
As credit card use and subsequent fraud attempts increased in 2004, the major credit card brands came together to form the Payment Card Industry Security Standards Council (PCI SSC). The first standard to be developed was the PCI Data Security Standard (or PCI DSS for short), and over the years it has evolved with the changing technology and threat landscape. Most recently, the upcoming v4.0 standards — which are set to be implemented in April 2024 — have been crafted to address the latest types of breaches and to bolster protection where gaps have been identified. Most importantly, the standards set by the PCI DSS can be seen as the minimum companies must meet to ensure they are protecting cardholder data, and additional measures can be put in place to go above and beyond their requirements.
Upcoming for 2024 in PCI DSS compliance
In the years since
the creation of the PCI DSS, most iterations of the requirements have been prescriptive. In the development of the newest requirements, the PCI SSC considered feedback about how the restrictive standards made compliance difficult for some companies. Fortunately for
PCI DSS v4.0, a more customized approach option is being put in place to allow companies with specialized technology or unique environments to tailor controls to meet their needs without sacrificing security or compliance. Additionally, this tailored approach can be done on an individual control (or requirement) basis — preventing an all-or-nothing approach that could create unnecessary headaches for organizations trying to meet standards.
Changes to consider as you prepare for 2024
As organizations prepare for PCI DSS v4.0, they may be wondering what investments need to be made in hardware, software, and licensing, as well as the human and financial resources that should be planned. Some of the changes that many organizations will need to consider are outlined below:
- App development: Third-party code reviews will no longer meet compliance and must be replaced with a Web Application Firewall (WAF) requirement.
- Encryption: Disk encryption is no longer an option, and organizations will need to encrypt the data itself, not just the disk it is housed on.
- Multi-Factor Authentication (MFA): MFA applicability is being expanded, meaning organizations may need to make investments to extend MFA use to additional users and/or systems and devices.
- Third-party APIs: Organizations will need to keep a list of their third-party APIs and other code components.
- JavaScript validation: To prevent e-skimming and man-in the-middle attacks, organizations will now be required to validate the JavaScript they push from their website and ensure it’s the authorized code when receiving responses from the user’s browser.
- eCommerce: Additional documentation requirements will be in place for SSL certificates, including when they need to renew, who will be responsible for monitoring the expiration, and the strength of the encryption.
These PCI DSS v4.0 requirements are aspects of security that can be a mindset shift away from checkboxes and toward active compliance management . The changes are moving toward an expectation that PCI DSS compliance is business as usual, or just how business operations are conducted. Outside of the listed requirements, organizations still need to prepare for overarching challenges that new compliance can bring.
Potential challenges of implementation
The two biggest challenges organizations will face with PCI DSS v4.0 are risk management and planning. A significant change is moving away from an enterprise risk assessment approach and requiring a targeted risk assessment for many of the control areas. This change goes from a broad assessment to drilling down on specific control areas with the need to use mature risk management skills. This means that companies need to be thinking about maturing their risk management processes now so they aren’t behind when the rollout arrives in 2024.
Additionally, organizations shouldn’t underestimate the time and effort it could take them to reach compliance. If companies start now, there will be enough time to conduct a gap analysis, as well as two budget cycles to plan investments before April 2024. PCI DSS v4.0 is heavily focused on documentation and responsibility: Organizations are not only documenting processes but also who is responsible for each control. It is best practice to ensure there is knowledge transfer to prepare for employees leaving or retiring, and continuous documentation management to ensure responsible parties are updated.
Setting yourself up for success
While PCI DSS v4.0 may seem like an overwhelming undertaking, organizations that are starting to think about these changes are putting themselves in a strong market position. Planning and documenting are the biggest takeaways to setting yourself up for success. Organizations that give themselves the maximum amount of time to handle any gaps they identify will be happy they started early when 2024 rolls around.