- September 30, 2020
- Posted by: Hashim Shaikh
- Category: Cybersecurity
The novel release of the PCI DSS version 4.0 has been much talked about. While security issues have come to the limelight in 2020 with a massive reliance on digitization, the PCI Security Standards Council has made several revelations about what changes are to be expected. The PCI DSS 4.0 addresses some issues that were encountered as limitations in the previous iterations.
Firstly, the thought was to optimize the standards keeping in mind the requirements of the payment industry. Some additional methodologies have been integrated to facilitate support and flexibility for the security system. The version promotes security as a continuous process rather than a periodic phenomenon. Caution has also been exerted to enhance the validation methods and procedures for better outcomes.
How will these changes impact the current state?
With set objectives in mind, four basic areas have been focused on for this iteration of the PCI DSS standard. Specific outcomes are expected in each of these domains.
- Optimizing a standard that meets the security needs of the Payments Industry
The basic threats in security systems are encountered owing to the changing technology. The existing systems are often unable to adapt to the threat actors that make use of the changed interface to attack the system. Thus, the new DSS standard iteration focuses on accommodating some integral factors in order to make the setup more relevant and compatible to current systems. This includes, scoping, protection of cardholder data transmissions, anti-phishing and social engineering, risk assessments, authentication and relevant cloud considerations.
- Endowing a Continuous Security Process
The PCI DSS requirements have always been aimed at inculcating the best security practices for organizations. The goal has been focused more on implementing a security mechanism that is reliable for a longer period of time. This is why the standard has shifted to endowing a continuous security process rather than an annual assessment or a periodic one. There are more guidance points which speak about the transition to a business-as-usual- security process that is continuous and is likely to be validated over a period of time.
- Enhanced Validation Methods and Procedures
The PCI Council is also actively trying to collect feedback from participating organizations on ways that they can improve the method and procedures of validation. Though all aspects of this addition have not been made clear yet, it is known that some relevant content is likely to be incorporated. The SAQ and AOC process will be examined for enhancement. There are hints of the new Customized Approach methods to be applicable for the SAQ validation methods.
- Support and flexibility methodologies for added security
As the final measure, the Council aims at introducing flexibility for merchants from a security aspect. There are often questions to whether the same security objectives can be met in different ways for system accommodation. This is what is trying to be facilitated in the current iteration. The new version aims at solving this issue by implementing the concept of validation of security control using a Customized Approach. This is to ensure that multiple approaches can be utilized to achieve a valid strategy of compliance.
The updated PCI DSS V4.0 – What to expect from the change?
All said and done, the question remains whether or not updating to PCI DSS v4.0 a good idea for change? Well, it can be said that it is a good way to fulfill all security requirements while staying tighter with the concept of compliance.
Is it the absolute ultimate version? It is obvious that all security standards are subject to change. There are growing requirements and improvements in technologies that need to be accommodated periodically. The current iteration is an attempt aimed at achieving exactly that for the present changes. Thus, the PCI DSS v4.0 is a step towards eliminating bad actors and solidifying the basic defense strategy for an optimized security.