The new PCI DSS v4.0 is coming in 2020
We are at that time in the lifecycle of the PCI DSS where a new version is being developed and we look forward to seeing what changes and new requirements it will bring to the world.
The PCI SSC gave us a few clues about the main ideas behind this new upcoming version in a blog post back in March 2019. These ideas were:
– Ensuring the standard continues to meet the security needs of the payment industry
– Adding flexibility and supporting additional methodologies to achieve security
– Promoting security as a continuous process
– Enhancing validation methods and procedures
The Council also confirmed that input received from PCI SSC stakeholders during the RFC period will be incorporated in the standard, specifically around the following areas:
– Authentication and multi-factor authentication
– Applicability of cardholder data encryption over trusted networks
– Monitoring in the context of technology advancement
– The frequency of critical control testing
Now historically the various new versions did never dramatically change the requirements and controls from previous versions, however they built upon them and essentially changed the way assessors are supposed to perform their testing and report on results.
From this perspective, we do not expect any change in the overall philosophy of the standard, nor do we expect any change to the base structure currently made of 12 requirements.
So what changes should we expect?
The PCI SSC has to keep up with technology changes and evolutions because the standard needs to stay relevant. Technologies such as sophisticated cloud-based service offerings and related tools that supports CI/CD (Continuous Integration/Continuous Delivery), advanced virtualisation technologies such as containerisation (the likes of Docker and Kubernetes) and IaaS (Infrastructure As A Service) are just a few examples of technologies that are not currently explicitly highlighted in PCI DSS and which pose challenges to both users of the technologies and assessors.
That being said, it is likely that the PCI SSC will keep the main body of the standard relatively “high-level”, lining up security domains and objectives without necessarily mandating specific tools and technologies to achieve these objectives. We believe that this is what they mean by “adding flexibility and supporting additional methodologies to achieve security”.
When it comes to actual controls, we can only guess what will happen at this stage but it looks like we are likely to see:
– Further flexibility both in terms of selecting authentication controls and demonstrating compliance: likely aligning the requirements with NIST guidance.
– A likely new requirement to encrypt cardholder data over private networks (as opposed to “open, public network” only).
– Further flexibility in terms of selecting what to monitor and how when using some tricky technologies, imagine running a thousand Docker containers for just a few seconds depending on work load… how would you use security monitoring tools and audit logs? Or why would you monitor system access for virtual systems without any administrative access (such as the ones built using Terraform without any console or SSH access for example)?
– And a likely greater frequency of testing of critical controls… we have seen the new requirement to test segmentation controls every 6 months for Service Providers since PCI DSS v3.2, hopefully flexibility will be a factor in selecting which controls should be considered critical depending on the environment being assessed.
There is very little we know now about the upcoming version of PCI DSS however we do know that the PCI SSC is integrating feedback on PCI DSS v3.2.1 into their development process for PCI DSS v4.0.
A first RFC took place at the end of 2017 (yes, 2017), however two more rounds of RFCs are planned where drafts of PCI DSS v4.0 will be shared with stakeholders for review. These additional RFCs are currently planned for October 2020 and mid-2020.
247 CyberLabs will be invited to participate in this RFC process and we will continue to provide updates on PCI DSS v4.0 as we will obtain information about the new version of the standard.