I’ll cut to the chase – no, PCI enforcement is not over yet, sorry if I got your hopes up! The latest PCI Community Meetings truly show just how much PCI itself has matured and changed. When PCI first started, it was one single standard, PCI DSS, which was strictly focused on network-related security in order to protect Cardholder Data (CHD). Today, 15 distinct standards have been developed, covering hardware, software, encryption, mobile payments, forensics, and more. And while it may currently be focused on protecting CHD, it has been applied to protect many other types of sensitive data, and over time it may even expand the scope of the data it intends to protect.
To focus on PCI DSS, the new 4.0 standard has 53 new requirements (and 360 pages!). That is quite a few, but unlike early versions, not all of them must be fully in place for an organization at its next validation. Instead, some are required immediately, while others remain best practices until later dates, as far out as 2025. Among the 53 requirements, four of the top categories of changes worth highlighting are in the following areas:
- Encryption Applicability
- Testing Frequency
The details of these changes should be reviewed directly in the standard itself, and preferably with a QSA (Qualified Security Assessor). Three CyberRes product lines cover those top four areas: NetIQ supports Authentication, Voltage supports Encryption, and ArcSight supports Monitoring. Fortify covers application security needs within PCI and is aligned to support the new application standard, SSF (Software Security Framework). Voltage also supports P2PE (Point-to-Point Encryption), the encryption standard that merchants and solution providers have used to reduce the scope of a standard PCI DSS assessment.
Regardless of the specific new requirements, the most interesting thing about the 4.0 standard is its flexibility. What is now called the “Defined approach” is the traditional approach to validation that version 3.2 and earlier used: every requirement still has a definition to follow in order to meet its control objective. However, there is also a new “Customized approach” that allows more mature organizations, typically those with a good grasp of organizational risk, to customize and specifically define how any given control is met. Many organizations may stick with the Defined approach, but those that need it can use the Customized approach for any specific controls they choose. It is flexible enough to allow mix and match: any control can go with either approach. And for those that still need compensating controls, those are still allowed within the Defined approach as well.
One last thing worth mentioning is the new expansion of the PO (Participating Organization) structure. Through the end of the year there is only the current single level of PO; at the start of 2023, all of those POs will become “Associate POs”, the middle tier. Above that will be the “Principal PO”, which comes with additional engagement opportunities and the ability to vote and influence the PCI SSC even more than an Associate PO. And to be all-inclusive, they will also provide an “Individual PO” option so that everyone can have a voice and easy access to all the resources.
To sum up, PCI is more mature and relevant than in the past, and the flexibility of PCI DSS 4.0 brings additional options for anyone impacted by the standard. With that maturity and flexibility, you don’t need to freak out, but you do need to pay attention and be prepared. And the four pillars of CyberRes: Voltage, NetIQ, Fortify and ArcSight, can each help any organization meet the different aspects of the PCI DSS 4.0 standard, old requirements and new! Used wisely, CyberRes can even reduce the scope of PCI DSS 4.0 and help prevent some of the most common data breach threats.