Looking ahead to PCI DSS Version 4.0
Firstly there are not going to be any spoilers in here I am afraid; while Foregenix participates in feedback on all PCI SSC issued standards and is an active member of the Global Executive Assessor Roundtable (GEAR), we do so under non-disclosure agreement, so we will not be commenting on the draft of PCI DSS version 4.0 that we provided feedback on. PCI DSS v3.2.1 has been around for a number of years and based on the standard lifecycle will be replaced shortly.
The first question that we receive is about when the new PCI DSS standard will be issued. Here is the diagram from the PCI SSC issued “Lifecycle for Changes to PCI DSS and PA-DSS document”. Based on this the expectation will be that by Q4 2020 a new version of PCI DSS will be published.
The second question is always about new requirements. As we mentioned there will be no specifics in here, but obviously as the threat landscape changes for merchants and service providers who handle cardholder data the standards will evolve and document appropriate controls to mitigate the risks identified.
The PCI SSC issued a blog post on PCI DSS version 4.
In this there are some hints at what is to come; some are worth specific mention:
Broader applicability for encrypting cardholder data on trusted networks
The understanding here is that cardholder data should be encrypted at all points during the transmission on internal network zones. What this means is that organisations should start to consider the encryption strategy and the approach for this. Large high volume environments that have used traffic management devices such as load balancers with crypto accelerators to reduce the overhead on server compute resources to handle TLS connections may have to look and see if data is encrypted in other ways outside of the transmission medium.
For smaller environments this is probably not such an issue as transaction processing times will not be impacted or only negligibly impacted.
Greater frequency of testing of critical controls; for example, incorporating some requirements from the Designated Entities Supplemental Validation (PCI DSS Appendix A3) into regular PCI DSS requirements.
This is going to help the QSA community enforce the requirements for scope validation as being the responsibility of the entity being assessed with supporting specific requirements to be validated by the QSA. The DESV program focuses a lot on scope validation, management and review to ensure continuous BAU processes are designed by designated entities. The program also pushes the requirement for review and reporting on control failures with a lot more focus, which would be welcome additions for large complex environments.
One area to keep an eye on as a merchant will be the Self-Assessment Questionnaire (SAQ) documents that will be updated for the launch of PCI DSS version 4.0. Under the changes for PCI DSS version 3.2, additional requirements were added (especially to SAQ A) which allowed for better management of e-commerce environments. As a PFI, Foregenix still sees significant shortfall in the adoption and education of small e-commerce merchants with respect to the PCI DSS requirements which apply to them, the hosting providers they use and the development agencies responsible for updating and maintaining the sites.
Add flexibility and support of additional methodologies to achieve security
Based on our understanding, this will introduce a new method for validation to the PCI DSS assessment and replace the existing approach to compensating controls. For Foregenix customers, this will facilitate validation through demonstration of how risk management strategies and entity-designed controls have mitigated risk to cardholder data.
With any new requirements the PCI SSC always provide an implementation date, so while the standard is published and issued entities who have not planned and implemented new controls can still certify to the new standard up until those requirements become mandated, for those familiar with PCI DSS version 3.2 this included new controls and when the implementation date passed 3.2.1 was issued to include the now mandated controls.