A Bridge Over the Chasm: A Primer on the Release of PCI 4.0

The Payment Card Industry (PCI) Security Standards Council (SSC) has just released version 4.0 of the Data Security Standard (DSS). Developing DSS 4.0 took almost four years and included several rounds of Request for Comments (RFC) from Participating Organizations and other interested parties. This new version significantly modernizes security and compliance assessment for the world of payments.

Coalfire participated in the feedback sessions that shaped the ultimate form of DSS 4.0. As the largest QSA company in North America, with a client portfolio of the largest payments organizations and service providers, Coalfire was uniquely positioned to deliver real-world insight to the process. Our deep expertise in cloud and large-scale financial industry customers aligns with the needed improvements to the DSS, both for coverage of risks and treatment options for those risks.

Twenty years of digital transformation

Vast technological changes have taken place since the original DSS; even since its last major revision in 2014. It’s worth a quick look at areas that have seen major change since PCI — as an industry self-regulation — was first developed in the mid-2000s.

• Cloud computing is now a de facto standard with increasingly complex architectures that continue to innovate. These cloud-native architectures have expanded surface area, thus more opportunities for managing risk. Earlier versions of the DSS struggled to match up with these models. In our work with AWS, Google Cloud, Microsoft Azure, and others, Coalfire pioneered assessment methods to properly position cloud technology within the DSS.
• Reliance on networks of service providers and the corresponding supply chain risks have expanded (e.g., managed security service providers), and in some cases, concentrated (e.g., cloud service providers). This has all come while PCI was being adopted by the ecosystem. Coalfire has specialized in initial assessments for many service providers who see the strategic value in offering PCI compliance support to their customers.
• Virtual infrastructure is managed with code. The known complexities of code make it hard to manage vulnerabilities, but also represents more opportunity for proactive efforts than configurations siloed on physical devices. Coalfire’s unmatched expertise with cloud and compliance puts us in the position to be able to advise and assess customers using this modern best practice.
• Innovation in the logical access space has blossomed and made one of the oldest technical areas a much more complicated and nuanced topic. Likewise, new approaches (e.g., AI and machine learning) for managing vulnerabilities have tested older assumptions about best practice.

This partial list represents a fundamental challenge for a security standard that aims at effective risk management. DSS 4.0 meets this challenge with some useful innovations and gives both assessors and assessees more options for meeting the challenge.

Implementation timeline

Q2 2022

• The SSC will offer further information on the changes in DSS 4.0 via the pcisecuritystandards.org website and blog.
• Qualified Security Assessors (QSAs) will receive specialized training for DSS 4.0.

Q3 2022

• Full assessments against DSS 4.0 can begin
• DSS 3.2.1 is still available for entities not yet ready for DSS 4.0

Q1 2024

• Sunset of DSS 3.2.1
• DSS 4.0 becomes mandatory

Q1 2025

• Best Practices in DSS 4.0 become mandatory

What’s changed from PCI 3.2 to PCI 4.0

While what hasn’t changed? might be a better question, here are some key changes in DSS 4.0:

• The Customized Approach offers organizations the room to innovate in managing risks. Essentially, these are options to rewrite the DSS to accommodate specialized approaches to manage risk. They are distinct from the established Compensating Control option, which is intended to represent a temporary measure for a deficiency.
• DSS 4.0 introduces formal risk management options for the first time. Organizations can calibrate their controls with Targeted Risk Analysis to meets various requirements. Additionally, there is now formal guidance on how to conduct such analyses.
• Some narrow approaches in earlier versions of the DSS have not aged well. DSS 4.0 expands coverage in certain areas to better capture the intention of what the requirements are aimed at. The best example of this is the Network Security Controls idea in Requirement 1, which includes all mechanisms (not just firewalls and routers) that serve to isolate networks.
• Appendix A1 now applies to all multi-tenant service providers, not just the older “shared-hosting” category. The critical goal of tenant isolation is the key focus of assessment.
• Best Practice requirements have been introduced, with a one-year grace period for implementation. Most of these represent incremental improvement or expansion of existing requirements. A good example is the mandate that Sensitive Authentication Data (SAD) be encrypted at rest.

There are many smaller updates, too. Coalfire recommends paying attention to even things that look familiar, to ensure proper alignment. As with any revision of this magnitude, a conservative approach to interpretation is warranted, to avoid undue exposure.

What does PCI 4.0 mean to companies at different maturity levels?

Coalfire sees DSS 4.0 as an inflection point in the history of PCI. The multi-year effort to gather perspectives from across the industry has resulted in a more modern standard that better aligns to current understanding and practice about managing risk. In addition to Coalfire’s experience, the broad perspectives of the many participating organizations who helped shape the standard are a strong foundation to build upon going into the future.

That said, it’s a lot of change to process. The delta is broad and deep. Coalfire has developed a flexible framework over the chasm between 3.2.1 and 4.0 to help our clients cross over. The two major variables in that framework are the maturity of your PCI compliance program, and the importance that your organization puts on compliance.

Very mature compliance programs will need different kinds of support in this transition. Likewise, organizations that derive market value from PCI compliance have a strategic interest in earlier adoption. Coalfire offers a variety of ways to meet clients where they are on the continuum and develop a plan for uplift and successful assessment.

Comments are closed.