PCI v4 and a Customized Approach

September 20, 2019 | Posted in GRC by Carl Angeloff


TL;DR

  • PCI v4 was previewed for the first time during Day 1 of the PCI Community Meeting
  • PCI v4 has significant changes and introduces a “Customized Approach” to achieving PCI compliance
  • Organizations can continue to achieve PCI compliance through traditional audit methods, which will be referred to as the “Defined Approach” going forward
  • In my view, the Customized Approach is a response by the PCI Council to allow a risk-based approach the community has been asking for without the ‘risk’ terminology
  • Redlines from PCI v3 to v4 will not be provided – this is a complete rewrite of the PCI DSS
  • I’m providing an overview of Customized vs. Defined and the general implications for most organizations

Another year in the books at the annual PCI Community Meeting, which took place in the beautiful city of Vancouver.  Compared to the past couple of years we had more exciting news come out of the conference, most notably the sneak preview of PCI v4 that everyone has been highly anticipating.  Based on what was presented at the Community Meeting, PCI v4 introduces significant updates to the PCI Data Security Standard and will allow organizations more flexibility in how they achieve PCI compliance.  I think this is a result of the ever-changing risk landscape we see across the cybersecurity industry, as well as accepting that most organizations are already going down the path of taking a ‘risk based’ approach.


So, what exactly is the Customized Approach?

In the PCI Council’s words:

Slide from PCI Community Meeting 2019 – Defined vs. Customized Approach

The key word to focus on here is “intent.” Essentially, if your organization can demonstrate a defense-in-depth strategy, you will be eligible to justify why your organization is meeting the intent of any given PCI Requirement even if you can’t prove you are meeting the PCI Requirement word for word.  A great example is password changes.  There is a lot of literature on why changing passwords on a frequent basis has become a legacy way of securing authentication.  Multi-factor authentication, strong passwords, and privileged access management concepts all reduce the need to change passwords every 90 days.  Frequent password changes are not only a major inconvenience for end users; with modern controls in place, they are also less effective for risk mitigation than they used to be.


How can we expect to validate against the Customized Approach?

Again, in the PCI Council’s own words:

Slide from PCI Community Meeting 2019 - Validating the Customized Approach

Essentially, validation will require a lot of supporting documentation, similar to what we have been creating for Compensating Controls to date.  Oh, and a word on Compensating Controls – the PCI Council did not say with 100% certainty, but alluded to the fact (and I expect this to be the final decision) that Compensating Controls will disappear entirely from the reporting templates.  This is no surprise, as Compensating Controls have always been confusing and, in many instances, much harder to implement than the actual PCI Requirement itself.  Now, with a Customized Approach, the Compensating Control philosophy can be addressed on a per-Requirement basis and move away from “above and beyond” to “meeting the intent” of the PCI Requirement.

Some other information bits we got:

  • More accurate Requirement titles and concepts reflecting today’s landscape will be incorporated
  • Expanded requirements focused on modern technologies and risks such as cloud security and phishing
  • Additional guidance will be provided alongside each PCI Requirement to help organizations better understand the intent of any given PCI Requirement
  • PCI Requirements written as outcome-based statements rather than reading like audit controls


So, what happens next?

We will see a draft version of PCI v4 sometime in October, and it will be open for Request for Comments (RFC).  We will see an additional RFC in Q2 2020.  It’s hard to say when PCI v4 will actually be required of organizations, but there will most certainly be a grace period, and based on the history of past major version releases I would say we have a ~2-year runway to allow organizations to understand the impact of the changes and address any applicable risks.

Thanks to everyone who attended my talk on Day 2, which I co-presented with Chubb Insurance, on building a Global PCI Program.  It’s always a pleasure seeing old faces and meeting new ones.

If you have any questions or would like to discuss your PCI Program, PCI Scope Reduction, or the potential impact of PCI v4 on your organization, reach out to me at carl.angeloff@securityriskadvisors.com. Thanks!