VIXIO Chats Latest Data Standard With PCI SSC

June 14, 2023
VIXIO has spoken with the Payment Card Industry Security Standards Council (PCI SSC) about the key features of the fourth iteration of its data standard, which comes into effect next year.


First launched nearly two decades ago, the Payment Card Industry Data Security Standard (PCI DSS) is an information security standard that applies to any organisation that stores, processes or transmits cardholder data for cards issued by the major international card brands.

Administered by the PCI SSC, whose members are Mastercard, Visa, American Express, JCB International and Discover Financial Services, joined in 2020 by UnionPay, the standard is mandated by the card brands through their contracts with acquirers and merchants.

The five founding brands established the PCI SSC in September 2006 as the body that develops and maintains the PCI DSS; enforcement of compliance stays with the brands themselves.

Now, the industry is preparing for the fourth iteration of the standards — PCI DSS v4.0 — which firms will need to be compliant with by March 2024.

Although compliance is not a regulatory requirement in most jurisdictions (the US state of Nevada, which wrote PCI DSS into state law, is the exception), it is enforced contractually by the card brands and by acquiring banks, so it is a practical necessity for anyone in the ecosystem.

“The primary goal of PCI DSS v4.0 is to ensure that the standard remains relevant to the security needs of the payments industry,” said Lauren Holloway, director of data security standards at PCI SSC.

Holloway told VIXIO that industry feedback was essential in ensuring that the standard continues to address both current and future threat landscapes.

“We conducted three requests for comments periods for our stakeholders while PCI DSS v4.0 was being developed, from which we gathered over 6,000 feedback comments,” she added. “We reviewed all those comments during the development phase to understand what updates we should make to PCI DSS and its supporting documents.”

Compensating controls v customised approach

One of the biggest changes in PCI DSS v4.0 concerns the approaches firms may take to demonstrate that they are in compliance with the standard.

“PCI DSS v4.0 aims to provide organisations with increased flexibility in achieving their security objectives using different methods,” she explained.

Now, PCI DSS v4.0 provides two options for entities to implement and validate PCI DSS requirements: the defined approach; and the customised approach.

The defined approach is the traditional method of implementing and validating PCI DSS controls, which entities are currently doing to meet PCI DSS v3.2.1 requirements.

“Compensating controls are an option within the defined approach for entities that have a legitimate and documented technical or business constraint that prevents them from meeting the Defined Approach Requirement as stated,” said Holloway.

For example, compensating controls are frequently used in situations where there is a legacy system or process that cannot be updated to meet the requirements.

The new option, the customised approach, gives entities with robust security programmes the flexibility to implement technologies or processes that do not meet a PCI DSS requirement as written, provided they can demonstrate that they meet the requirement's stated Customised Approach Objective.

Unlike compensating controls, which exist within the defined approach for entities that cannot meet a requirement as stated, the customised approach is for entities that choose to meet the requirement differently.

“In this case, the entity must meet the stated Customised Approach Objective instead of the stated requirement,” she explained.

“The customised approach is most successful when the entity has robust security processes and strong risk management practices and is able to effectively design, document, test and maintain security controls to meet the objective.”

Each entity decides how it will meet each PCI DSS requirement, and the two approaches can be mixed: the defined approach for some requirements and the customised approach for others.

The defined approach will suit those who are comfortable with the existing way of validating their controls, while the customised approach will appeal to firms with mature risk management that want to use controls other than the ones the standard prescribes. It carries its own overhead: every control validated this way needs a targeted risk analysis and documented evidence that it was designed, tested and is being maintained, and the customised approach is available only in assessments performed by a QSA or ISA, not in self-assessment questionnaires.

Digital skimming and phishing

“While there were many changes made to the standard, I can provide some examples of new requirements added that aim to address two significant threats to payment security: digital skimming and phishing,” explained Holloway.

For example, PCI DSS v4.0 includes two new e-commerce requirements (6.4.3 and 11.6.1) that aim to help prevent and detect digital skimming attacks, which she explained are affecting many merchants.

“The first one is a new requirement for merchants to manage all payment page scripts loaded and executed in the consumer’s browser,” she said.

The second addresses the fact that many web pages are highly dynamic, with the content being frequently updated.

Web pages rely on assembling objects, including active content, from multiple internet locations. Meanwhile, the content of many web pages is defined using content management and tag management systems.

“Because of this, it may not be possible to use traditional change detection mechanisms,” she said. “Therefore, the second new e-commerce requirement requires merchants to deploy a mechanism that detects changes or indicators of malicious activity on payment pages.”

To address phishing attacks, PCI DSS v4.0 also includes two new requirements (5.4.1 and 12.6.3.1).

The first is a technical one — requiring processes and automated mechanisms to detect and protect personnel against phishing attacks.

As phishing primarily targets people's activities, the second new requirement incorporates phishing and social engineering into security awareness training.

PCI DSS v3.2.1 is retired at the end of March next year, after which v4.0 is the only version firms can be assessed against. The new requirements described above, however, are designated as best practices until 31 March 2025 and only then become mandatory, so the skimming and phishing controls should be planned against that later date. To ensure a full understanding of what has changed, Holloway recommended that industry players consult the PCI DSS v3.2.1 to PCI DSS v4.0 Summary of Changes.
