What to Know About PCI DSS v4.0
Part 4 of 10 in our Complete Guide to Secure Remote Access in Retail.
With the PCI DSS 4.0 release date set for late 2020, it’s time for organizations and their IT teams to get organized on what this could mean for changing security standards. To enhance ongoing security needs, PCI DSS is updated regularly with the previous update occurring in 2016 as v3.2.
If an organization manages payment card information in the retail industry, then it is required to meet the most updated version of PCI DSS. If a company is found to be non-compliant, they may face penalties that can be quite costly, and may be putting cardholder data at risk.
With that in mind, what can you expect for the upcoming version 4.0 and how can your IT team be adequately prepared for the changes, particularly as it relates to retail remote access? We’ve put together this useful guide below to help you understand what’s coming with version 4.0 and get ahead of the game with appropriate training and educational opportunities.
What is PCI Compliance?
If you work within the payment card industry, you’re likely aware of the numerous compliance standards intended to support overall security. For a quick refresh, let’s take a look at the purpose of PCI compliance.
Established in 2006 by major credit card companies, PCI (or payment card industry) standards were created to ensure that all retail operations were securely managing cardholder data (CHD), which includes cardholder name, account number on the card, expiration date, and perhaps the service code.
4 PCI DSS Levels
To help companies validate which level of compliance they need to be at, there are four PCI DSS levels:
- Level 1: Any merchant processing over 6 million transactions per year;
- Level 2: Any merchant processing 1 to 6 million transactions per year;
- Level 3: Any merchant processing 20,000 to 1 million e-commerce transactions per year;
- Level 4: Any merchant processing fewer than 20,000 e-commerce transactions per year; all other merchants processing up to 1 million transactions per year.
Each year, merchants undergo an audit to assess if they are meeting standards for security controls, processes, encryption, authentication, access management, and other guidelines, based on their level. It’s important to know which level your organization qualifies for to avoid penalties. You may assess your level of security by filling out the PCI Self-Assessment Questionnaire.
Why Are Changes Made to PCI DSS?
The threat landscape is ever-evolving. As such, it’s important that any entity involved in managing card payments and cardholder data (CHD) follow standards to ensure the responsible use of such information.
One of the biggest factors in updating PCI DSS standards is changing technology. Cybercriminals are extremely skilled at adapting to new software and technology to access information, even on networks that are supposed to be secured. As time passes and cybercriminals gain a better understanding of new software or devices, they become an increasing threat. Updating to PCI DSS 4.0 seeks to mitigate potential problems associated with the changing technological landscape.
For PCI DSS version 4.0, cloud computing is a major factor. Cloud computing has become one of the major cybersecurity trends, with organizations turning to the cloud to help them manage data–but that can also present an entirely new attack surface for cybercriminals.
Additionally, as more organizations rely on support from vendors (3rd parties), it’s important those vendors are accounted for in PCI standards. Numerous data breaches and other malware attacks have occurred as a result of poor vendor security. Ensuring that every entity involved in managing data is secure and compliant can help to prevent cyberattacks.
How Are Changes to PCI DSS Decided Upon?
The process for making changes to the PCI DSS is lengthy and requires careful consideration. In preparation for the PCI DSS 4.0 update, the PCI SSC (PCI Security Standards Council) opens up a request-for-comment (RFC) period to stakeholders. During this 6-week period, stakeholders can submit feedback to help the SSC make appropriate changes.
For the first time since the PCI DSS was implemented, the SSC released an initial draft for stakeholders to review. Based on their feedback, the draft would be revised to reflect the most important changes for PCI DSS v4.0.
So, who are the stakeholders that contribute to PCI feedback? They may include:
- Participating organizations (POs)
- Qualified Security Assessors (QSAs)
- Approved Scanning Vendors (ASVs)
- Subject Matter Experts (SMEs)
- PCI Board of Advisors
- PCI labs
- PCI vendors
The ultimate goal for the revision process is to foster collaboration between stakeholders to make sure that the PCI DSS 4.0 update truly serves and protects both the cardholders and those who manage their data.
4 Goals for PCI DSS Version 4.0
While the 12 core requirements for PCI DSS remain relatively unchanged in the update to PCI DSS v4.0, a set of 4 main changes is expected. The overall goal of the update is to link the 12 requirements to specific security outcomes to improve the management of data. The following high-level goals are expected to come out of version 4.0:
1. Address Ongoing Changes in Threat Landscape
Since cyberthreats are always evolving, one of the main goals of the PCI DSS 4.0 is to mitigate cyberthreats, particularly as technology changes and mobile devices are used more frequently. Some of the areas that may see adjustments are:
- Authentication practices
- Address phishing and social engineering
- More comprehensive standards to address the increased use of cloud computing
- Better encryption for cardholder data
2. Create Flexibility Around How Organizations Achieve Security Outcomes
To better accommodate different methods of PCI DSS validation used by organizations, PCI DSS 4.0 is expected to include allowances for more customized validation methods. Previously, requirements were to be met in a very specific manner and checked off, regardless of what the outcome was.
With the upcoming changes, validation methods will be more focused on specific outcomes. This will give organizations the ability to prove their methods are effective as long as they meet security outcomes.
3. Promote Security as Ongoing Process
Unfortunately, security never ends. Organizations must be vigilant in following compliance standards while properly preparing.
While the upcoming PCI DSS v4.0 updates aren’t completely clear on how this will look, it seems that there will be more focus on making security the foundation of all operations, not just an afterthought.
This could mean more training at all levels of the organization, and in particular, end-users who may not be aware of potential cyberthreats.
4. Enhance Validation Methods and Procedures
Improving validation practices is key to protecting data. All too often cybercriminals are able to access networks with poor authentication or access controls. The PCI DSS 4.0 aims to enhance these practices to offer more security.
Practices like password change frequency are being evaluated to see what’s most effective. Currently, standards require a password change every 90 days, but guidance from the National Institute of Standards and Technology (NIST) shows that longer passwords, changed less frequently, may actually be more effective.
Organizations could also see changes to multi-factor authentication (MFA) requirements that cover any account with access to CHD.
Equip Your Team for PCI DSS v. 4.0
If you work in IT, particularly as an IT manager in the retail industry, and are responsible for securing your organization’s network, or you are a vendor providing IT services, it’s crucial that you are aware of PCI DSS compliance standards. This is even more important if you maintain a service level agreement (SLA) that lays out the expectations between stakeholders, which often include security standards.
So, how can you prepare for the upcoming PCI DSS 4.0 update? Here are some simple, quick steps to keep your network and data secure, and make sure your team is properly trained for the future:
- Only partner with vendors who maintain PCI DSS compliance and receive annual audits
- Procure devices that meet PCI validation requirements
- Implement remote access tools that give you 256-bit AES encryption, which is best for data moving over an internet connection or vast network
- Train IT staff and the entire organization on creating strong passwords that meet PCI DSS requirements
- Place granular controls on user access to ensure that only the right users are gaining access to specific parts of your network
- IT managers may consider PCI Professional Training for IT managers (PCIP), which offers a deep knowledge of the PCI standards and how to apply requirements to your organization and responsibilities
Meet Changing Compliance Standards with Netop
One of the best ways to ensure your organization remains compliant with PCI DSS v4.0 and beyond is to use remote control solutions that go beyond baseline compliance. Netop Remote Control is the go-to remote access tool for global retailers because of the focus on remote access compliance and POS security that exceed basic PCI standards.
Even better, Netop grows with your network. No matter how much your business scales, or what regulations change, Netop will make sure that every layer of your network is secure, giving you the utmost in encryption, authentication, access management, and of course, compliance. And if you’re wondering what GDPR compliance is, or how we accommodate HIPAA and CCPA standards, then get a free trial and we’ll show you just how powerful Netop is!
Sam Heiney is the Product Manager for Netop Remote Control.