My PCI DSS v4.0 Wishlist

Flashback, February 2016: The PCI Security Standards Council issued this statement in relation to the continuous development of the PCI DSS- one of the leading global cyber security standards: “The payments industry recognizes PCI DSS as a mature standard(…). Moving forward, you can likely expect incremental modifications to address the threat landscape versus wholesale updates to the standard”.

Back to 2020- It seems like so much has happened in technology and cyber security since the statement above was released. In fact, so much did happen, as the PCI DSS is now facing more than just a few modifications, but a significant update to align with recent trends and changes. Version 4.0 due to be released in mid-2021, will present considerable changes, signifying the change of approach for security in many domains, especially within the payment industry that is always full of innovation and technology advancements.

This is another example that from the perspective of cyber security, anything can happen in a very short time frame and even when things seem static, stable or “mature” — under the surface there may be strong currents of change and development that can burst out suddenly and cause tectonic shifts – we should always be ready for them and tap into those subterranean movements to understand how they will shape the future.

Indeed, since the PCI SSC issued the statement above technology has evolved dramatically and even revolutionised itself, especially in product and application environments. Containers, serverless functions, new ways for delivering software and applications, and a whole new approach for protecting applications and product environments continuously, DevSecOps, are just some of the changes in the last few years. And maybe above all, the ever-accelerating massive transition to the “Cloud”.

With PCI DSS v4.0 fast approaching, two questions come to the forefront: what are the main challenges in modernising the standard? and how would we expect the PCI security standards to address evolving technology and security changes?

1. Addressing modern environments – Better alignment with cloud architecture and with modern product environments and development practices. For example, by addressing and including specific requirements and guidance around DevOps processes, Continuous Integration, Continuous Delivery (CI/CD) and Continuous Deployment methods.
2. Better alignment with industry security standards and frameworks – Security standards are widely adopted by businesses today. These include ISO 27001, NIST CSF, CIS 20 and even more specific ones such as ISO 27017 for cloud security. Security is highly regulated and audited today, it is difficult to maintain compliance with one standard, much less with multiple security standards and frameworks at the same time. PCI DSS must have the ability to “communicate”, rely on, and map to additional industry standards, so that compliance is a simpler task and businesses can focus on the security controls and objectives, rather than audits and submissions.
3. Increased flexibility – In the early days of PCI DSS, security solutions and controls were a simpler matter. The mix that existed included Firewall, IPS/IDS, antivirus, audit trails, penetration testing, policies – and you had your security programme. Today, with the abundance of security solutions, techniques and tools in the market, managed services and not to mention the less traditional corporate environment and new perimeter – there are many more ways to reach the desired security outcome or objectives. The PCI DSS should incorporate greater flexibility, be less specific and encourage multiple ways to reach the intended goals.
4. Security as a continuous process – As already mentioned in relation to modernising the standards when dealing with DevOps and CI/CD methods and tools, now more than ever security should be a continuous process, and security compliance should be achieved and validated continuously using dedicated auditing, reporting and monitoring methods, and not just during annual assessments or by external auditors. Changes are much more frequent and the dynamic nature of the technology environment requires continuous validation, scope and impact assessment.

With the above principles in mind, the PCI DSS (and this applies to any major security standard) will be able to stay relevant in today’s security industry challenges like the transition to cloud, new software delivery processes and the dynamic and the continuous nature of data protection.