The PCI Security Standards Council announced plans for a fourth major version of the Payment Card Industry Data Security Standards (PCI DSS), which is expected to be released during late 2020. This next version is being developed with the goal to improve standards surrounding the safeguarding of payment card data throughout the payment process. We take a look at what to anticipate from PCI DSS version 4.0 from what we know so far.
What is PCI DSS?
PCI DSS is the minimum security requirement that needs to be followed by businesses of any size if they accept payments by card. Accepting card payments involves cardholder data being stored, processed and transmitted by your company, and using a PCI DSS compliant system ensures that this data is handled securely. The regulations are in place to help protect customer data, as well as prevent fraud, cyberattacks and data breaches.
Why is a PCI DSS Update Needed?
The last big update to PCI DSS was in 2016 when version 3.2 was released. Since then, there was a minor update with version 3.2.1 in 2018. Although this was only a year ago, technology is constantly evolving, and the way card payments can be accepted and processed has developed rapidly. With many different channels now available through which card payments can be processed, it is increasingly difficult to ensure that every method is fully secure. These new payment methods include merchants using mobile phones and tablets as contactless payment processing devices, which can pose a security risk if not properly regulated.
Other evolving technologies include the increase in people using cloud storage, new payment software and third-party applications for processing payments.
Along with developments in card payment systems also comes advancements in cyberattack capabilities, with new threats presenting themselves daily. PCI DSS 4.0 is needed to help ensure that data security remains strong and unbreached, even when the payment industry is seeing big shifts.
PCI DSS 4.0 Will Utilise Industry Feedback
Although PCI DSS 4.0 is expected to be released during 2020, planning and developing the new set of regulations has been underway for a few years. In 2017, a request for comments period saw global PCI Security Standards Council stakeholders input their ideas and feedback. This allowed people working within the regulations to have a say in what would further improve PCI DSS.
As part of this feedback, several key areas of improvement were highlighted for review, including:
- Updating validation methods that can be used.
- Ensuring data security is seen as a continuous process.
- More flexibility and support for new technologies and methodologies used to gain security.
What Can We Expect From PCI DSS 4.0?
It is unlikely that PCI DSS 4.0 will see fundamental changes to that outlined in version 3.2. Instead, we expect to see the current requirements slightly updated and accompanied by new additions to the regulations. It is anticipated that the following areas will see updates:
Authentication
In 2017, the National Institute of Standards and Technology (NIST) made updates to their password guidelines, advising on password security and complexity. For example, passwords must be a minimum of eight characters and are recommended to be a long passphrase rather than random characters. As well as this, many passwords and security checks now use multi-factor authentication, needing a biometric input, physical card or keypad code for example, alongside a password. With these new changes in authentication processes, the regulations regarding authentication for card payments and data security will need to be updated in PCI DSS 4.0.
Encryption
It is also anticipated that encryption will be another key area receiving updates as part of PCI DSS version 4.0. With more networks now available for data storage use, broader requirements will be required for ensuring cardholder data is securely encrypted on trusted networks.
Monitoring
Under the current PCI DSS regulations, businesses will undergo quarterly network scans, vulnerability scans and self-assessments to determine how secure their cardholder data is. With advances in technology, such as endpoint detection tools, it will now be easier to monitor threats to data. Endpoint detection tools help to protect computer hardware devices from potential threats by detecting any malicious activity. Updates to PCI DSS 4.0 are likely to reflect this.
Testing
Currently, some businesses are required to have a Designated Entities Supplemental Validation (DESV). PCI DSS regulations should be continuously enforced to comply. However, many businesses were found to only put their PCI DSS compliant processes into place for the assessments, having lapses in security between these assessment times. The DESV is a supplementary set of regulations that were brought in for some companies to ensure that the PCI DSS regulations were being maintained continuously. It is believed that as part of PCI DSS 4.0, aspects of the DESV will become a regular PCI DSS requirement for all.
If you would like to know more about the current PCI DSS regulations, then check out our introductory guide to PCI DSS compliance. Here at Hostcomm, we have PCI DSS compliant security across all of our solutions, allowing your company to meet the standards required. By choosing a Hostcomm solution, there are far fewer PCI DSS compliance obligations for you to worry about, as any payments made and data stored using our systems is covered.
