New PCI v4.0 Data Security Standard Receives Praise for Flexibility

Standards are often forced upon the industries they govern, but that doesn’t seem to be the case with the latest version of the PCI Data Security Council’s Global Data Security Standard (DSS). According to the council, in the three years it took to develop the new standard, more than 200 organizations provided more than 6,000 pieces of feedback.

“The industry has had unprecedented visibility and impact on the development of PCI-DSS v4.0,” says Lance Johnson, Executive Director of PCI SSC. “Our stakeholders provided substantial, insightful, and diverse input that helped the council effectively advance the development of this version of the PCI Data Security Standard.”

“We used to think of PCI DSS as a standard that was forced upon us in a one-way fashion, and it was something that we could only passively accept,” adds Edward Mao, senior manager of the information security and privacy governance department of the Rakuten Group, an e-commerce and online retail company. “However, it is now something we are actively doing with key industry experts, creating a standard we believe in.”

Organizations will have two years to assimilate PCI DSS 4

Organizations will have two years to digest the new standard and make changes to the current standard, PCI DSS 3.21, which will be retired on March 31, 2024. Key elements of the new standard include:

  • Updated firewall terminology for network security controls to support a wider range of technologies used to meet the security objectives traditionally achieved by firewalls
  • Extension of Requirement 8 to implement multi-factor authentication (MFA) for all access to the cardholder data environment
  • Increased flexibility for organizations to demonstrate how they use different methods to achieve security goals
  • Added targeted risk analytics to give entities the flexibility to define how often they perform certain activities, based on their business needs and risk exposure

PCI DSS v4.0 designed for a zero-trust mindset

“One of the problems with developing regulations or pseudo-regulations, like PCI-DSS, is that technology changes and what was once a meaningful security control ceases to be one,” says John Bambenek, a principal threat hunter at Netenrich, an IT service and digital security operations company. “Firewalls mattered 20 years ago. You can’t get rid of them, but what you really want are network security controls that can perform meaningful analysis and policy on every session, so that the regulations needed to be changed.”

Alex Ondrick, director of security operations at BreachQuest, an incident response company, argued that PCI DSS v4.0 is designed for a zero-trust mindset. “This gives organizations greater flexibility to build and customize authentication solutions to suit their needs,” he said. “Perhaps the most significant addition to PCI DSS v4.0 is the new requirement to implement multi-factor authentication for all accounts with access to cardholder data. While this is technically a best practice until March 31, 2024, it is one step towards securing systems and accounts that access cardholder data.”

A personalized approach requires a mature risk assessment

While organizations can look forward to the extra leeway the new standard’s customization and flexibility provisions give them, Dan Stocker, director of Coalfire, a cybersecurity consulting services provider, advises caution. “Organizations will want to carefully consider their risk management options under DSS 4.0, especially when they are on the cutting edge of technology. The personalized approach will give them great power, but will require a mature assessment of the risk of deviating from the defined approach,” he said. “Similarly, where requirements allow for flexible implementation, targeted risk analysis will be needed.”

“These processes are brand new to PCI and are worth looking into,” Stocker adds, “even though they may not be suitable for all organizations.”

Copyright © 2022 IDG Communications, Inc.

