27 May 2021
Flashback, February 2016: the PCI Security Standards Council issued this statement on the continuous development of the PCI DSS, one of the leading global cyber security standards: “The payments industry recognizes PCI DSS as a mature standard (…). Moving forward, you can likely expect incremental modifications to address the threat landscape versus wholesale updates to the standard”.
Back to 2020: it seems as if so much has happened in technology and cyber security since the statement above was released. In fact, so much did happen that the PCI DSS is now facing not just a few modifications but a significant update to align it with recent trends and changes. Version 4.0, due to be released in mid-2021, will bring considerable changes, signalling a change of approach to security in many domains, and especially in the payment industry, which is always full of innovation and technological advances.
This is another reminder that, from a cyber security perspective, anything can happen in a very short time frame. Even when things seem static, stable or “mature”, under the surface there may be strong currents of change and development that can burst out suddenly and cause tectonic shifts. We should always be ready for them, and tap into those subterranean movements to understand how they will shape the future.
Indeed, since the PCI SSC issued the statement above, technology has evolved dramatically, even revolutionised itself, especially in product and application environments. Containers, serverless functions, new ways of delivering software and applications, and a whole new approach to protecting applications and product environments continuously (DevSecOps) are just some of the changes of the last few years. And perhaps above all, the ever-accelerating, massive transition to the cloud.
With PCI DSS v4.0 fast approaching, two questions come to the fore: what are the main challenges in modernising the standard, and how should we expect the PCI security standards to address evolving technology and security changes?
With the above principles in mind, the PCI DSS (and this applies to any major security standard) will be able to stay relevant to today's security industry challenges, such as the transition to the cloud, new software delivery processes, and the dynamic and continuous nature of data protection.