The requirements to meet to ensure that you and your clients comply with the Payment Card Industry Data Security Standard (PCI DSS) have been the same for the past five years – but that’s about to change.
Fred Clayton, Manager of Information Security and Compliance for First American Payment Systems, explains that after a few rounds of comments from the industry, the Payment Card Industry Security Standards Council (PCI SSC) has begun work on PCI DSS 4.0. The new standards are expected to be published in mid-2021 and will replace v. 3.2.1 in 2024.
Professionals working in payment security are eager for the update, but complying with the new requirements may cause some challenges. Clayton explains, “Many security controls from 3.2.1 will be enhanced to meet newer security control requirements. For many businesses, it will be a shock to comply with v. 4.0 since they may be several security platforms or technologies behind.”
According to the PCI Security Standards Council, the timeline from when PCI DSS 4.0 is completed in mid-2021 until it goes into effect in early 2024 provides time to roadmap your organization into a compliance posture. “It may take at least that long to move customers from one platform to another or to update your technology,” Clayton says.
How PCI DSS Will Change with v. 4.0
Clayton says one of the biggest changes in PCI DSS 4.0 is the move away from strict adherence to the 12 security requirements of 3.2.1 toward a model that provides greater flexibility in achieving security compliance. “With 4.0, the foundational 12 requirements remain but are enhanced; however, organizations can choose to build their security strategy around the traditional 12 requirements or develop their own customized controls that address the intent of the security standards,” he says. With this greater flexibility, however, businesses will have to provide proof via assessment and documentation that their solutions are effective.
Although PCI DSS 4.0 controls are not published at this time, some of the changes that are expected include:
- Security as a continuous process: PCI DSS 4.0 will likely require continuous monitoring of the payment ecosystem to identify intrusions or attacks on the system immediately and stop the theft of payment card data.
- Testing frequency: Clayton anticipates that businesses will be required to test security controls more often to ensure they are performing correctly and are effective.
- Authentication: PCI DSS 4.0 is also likely to include stricter standards for controlling who has access when a developer is building applications. If you currently don’t have a rigorous access control strategy, it’s time to implement it.
The Impact on ISVs and Software Developers
Clayton says independent software vendors (ISVs) whose solutions and apps support Europay, MasterCard, Visa (EMV), point-to-point encryption (P2PE), and tokenization are well-positioned for continued compliance when PCI DSS 4.0 is in effect. However, working with a payments partner with robust security controls may be the most expedient and cost-effective way to ensure that you and your clients comply with the balance of new standards. “It’s a good way to make sure that security on the backend is done,” Clayton comments.
He also encourages ISVs who have been considering becoming payments facilitators (PayFacs) to consider how PCI DSS 4.0 will change the landscape and the new requirements you would have to meet. “4.0 gives you greater flexibility, but it also requires stricter controls. It may be better for your company to transfer risks from your company to your payments provider partner,” he comments.
He also advises ISVs and software developers to reevaluate how their own operations manage payment data. “ISVs aren’t immune to PCI DSS. If you handle credit card information, you need to comply. It’s another reason to have a trusted payments provider partner,” he points out.
Add PCI DSS 4.0 to Your 2021 Roadmap
The date when PCI DSS 4.0 becomes effective in 2024 will come all too fast, so smart ISVs and software developers are beginning to prepare now. “Plan to make updates or help your clients change processes as soon as possible because the time when it will be mandatory will arrive quickly,” Clayton says.
He also advises stressing a security-first approach with your team and assessing your partnerships with payment companies. One important step to take now is asking them what their plans are to update their platforms to comply with PCI DSS 4.0.
ISVs and software developers also need to do their due diligence to research payment companies’ past security compliance. Ask to review your potential partner’s PCI Attestation of Compliance report, which will show the security controls the payments company uses. If it shows any deficiencies, ask for an explanation. You can also use the Visa Global Registry of Service Providers to see their record complying with Visa’s rules.
“It’s proof of their credibility,” says Clayton. “It will help you gauge your partner’s expertise in security.”