In a little over a year, the PCI SSC will be releasing PCI DSS 4.0. Is your organization prepared to meet new compliance standards or are there gaps in the current version that need to be addressed?
The Payment Card Industry Data Security Standard (PCI DSS) is an integral part of risk reduction when it comes to debit and credit card data loss. It outlines standards and actions to take in order to prevent and detect data breaches, as well as how to respond when a data breach occurs.
When it comes to PCI compliance, financial institutions often have a head start over retailers as they are more mature in their information security programs and are audited multiple times each year by a number of internal and external auditors in accordance with SOX, FDIC, and other entities.
Largely, financial institutions are not the priority when it comes to ensuring PCI compliance, particularly for the major card brands. Instead, the focus lies on retailers, who are more likely to suffer a breach and have less mature information security protocols in place.
That said, there are still some trouble spots for financial institutions, particularly where existing audits and compliance protocol don’t necessarily overlap with PCI. Additionally, each time a new version of the standard is released, both retailers and financial institutions must review where they need to make changes or improvements to remain compliant.
Because financial institutions may be under less scrutiny from examiners, there are several key areas to which their security officers should pay attention in order to avoid a devastating breach. The first of these areas is encryption of data at rest. Current PCI requirements under section 3.4 require that primary account numbers (PANs) be truncated, encrypted, tokenized or otherwise rendered unreadable anytime and anywhere they are stored.
Secondly, financial institutions should pay attention to network segmentation to limit compliance scope. This isn’t a mandate of PCI; however, it is a way to limit the scope of the cardholder data environment (CDE) and reduce costs, especially where there are multiple facilities or branches that are currently reliant on traditional network architecture that calls for full card numbers, pulling the entire network into scope.
Finally, financial institutions should consider file integrity monitoring (FIM), which is called for under PCI requirement 10.2.7. Entities must log the creation and deletion of system-level objects. Many rely on Windows to audit system-level events, which can create performance issues. Leveraging commercial FIM can reduce these performance issues and streamline this process.
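A minimal snapshot-and-diff file integrity check of the kind that produces the creation and deletion events requirement 10.2.7 asks entities to log, as an added example (not code from the original article or from any FIM product); the monitored directory and its files are constructed in a temporary directory.

```python
import hashlib
import tempfile
from pathlib import Path
from typing import Dict, List


def sha256_file(path: Path) -> str:
    """Stream-hash one file so large binaries do not need to be read into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root: Path) -> Dict[str, str]:
    """Baseline: POSIX-style relative path -> SHA-256 of every regular file under root."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def diff_snapshots(baseline: Dict[str, str], current: Dict[str, str]) -> List[dict]:
    """Compare two snapshots and emit one FIM event per created, deleted or modified file."""
    events = []
    for rel in sorted(set(baseline) | set(current)):
        if rel not in baseline:
            events.append({"event": "created", "path": rel, "sha256": current[rel]})
        elif rel not in current:
            events.append({"event": "deleted", "path": rel, "sha256": baseline[rel]})
        elif baseline[rel] != current[rel]:
            events.append({"event": "modified", "path": rel,
                           "old": baseline[rel], "new": current[rel]})
    return events


def demo() -> List[dict]:
    """Constructed scenario: take a baseline, then change, delete and add files."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "bin").mkdir()
        (root / "bin" / "svc").write_bytes(b"version 1")   # hypothetical service binary
        (root / "etc.conf").write_text("debug=0")           # hypothetical config file
        baseline = snapshot(root)
        (root / "bin" / "svc").write_bytes(b"version 2")    # modified
        (root / "etc.conf").unlink()                         # deleted
        (root / "bin" / "new.dll").write_bytes(b"payload")  # created
        return diff_snapshots(baseline, snapshot(root))
```

Each returned event is a flat dict that can be serialised as a JSON line and forwarded to whatever log collector already receives the institution's audit trail.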
Already, the PCI Security Standards Council (SSC) has launched development efforts around version 4.0, which is slated to be released near the end of 2020. According to the PCI website, this version of the standard has four primary goals:
Industry feedback continues to be a primary driver of new versions of the PCI DSS. There was a 2017 request for comments (RFC) period that garnered input from global PCI SSC stakeholders, including the following areas for review:
The RFC period for PCI DSS 4.0 should draw to a close in November of this year, making a late 2020 release feasible. That said, the 12 core PCI DSS requirements will remain intact as the foundation for security around payment card data. Version 4.0 will serve as an evolution of the standard to accommodate the rapidly changing technology landscape.
Overall, the new PCI DSS looks to be headed in a less prescriptive and more fluid direction. Each of the four areas of focus seems to signal a potential shift towards standards that provide guidance while allowing flexible adoption of technology solutions that are fluid and agile and don’t necessarily need to fall into a checked control box.
This should give financial institutions (and any other entities that accept digital payments) some freedom to leverage advanced technologies while still ensuring that cardholder data is protected against internal and external threats. As the payments landscape becomes increasingly competitive and as emerging technologies blur the lines when it comes to compliance, financial institutions need to take care that they are not only remaining compliant but also taking the necessary measures to protect cardholder data from every angle. Working with a trusted partner that can successfully navigate this sometimes confusing landscape can ensure that data remains safe without sacrificing the competitive edge needed to survive.