Envisioning PCI DSS 4.0 and beyond

The PCI Security Standards Council (PCI SSC) hosted its annual Global Community Forum (GCF), Oct. 26 to 28, 2021, a three-day event that addresses security best practices, emerging threats and pandemic-related challenges. Held virtually, the gathering attracted nearly 3,500 attendees who discussed information security trends and looked ahead to the next iteration of the Payment Card Industry Data Security Standard (PCI DSS), PCI DSS 4.0.

GCF agenda highlights included presentations by Lance J. Johnson, executive director and Lauren Holloway, director of data security standards at the PCI SSC and a keynote address by J.R. Martinez, best-selling author, motivational speaker and wounded U.S. Army veteran.

In opening remarks, Troy Leach, senior vice president, market intelligence and stakeholder engagement at the PCI SSC, commended attendees for ongoing efforts to educate leaders, colleagues and customers on potential risks and adjustments needed to protect sensitive data.

"While we miss opportunities to catch up in person, we've done a good job of staying connected as a community," Leach said. "And we're here to celebrate these connections as we actively engage throughout video presentations by industry experts."

Protecting the payments ecosystem

In a post-conference interview with The Green Sheet, Leach pointed out that the PCI DSS is constantly evolving in response to changing industry trends. Remote assessments, for example, were initially implemented as a stopgap measure during the pandemic but were found to be secure and beneficial and are gaining popularity among security professionals.

"Several years ago, I showed a compass in one of my presentations to demonstrate that PCI is a journey and we want that compass to always be heading north," Leach said. "At times we need to make adjustments to keep us focused on maintaining that northern direction, and we have a lot of different channels for receiving feedback, such as PCI forensic investigators, security assessors and fintechs who are rethinking payment protection and authentication."

Citing three priorities for protecting the payments ecosystem, Leach stated the first thing is being diligent when working in remote environments, the second is staying up to date, and the third is having a clear understanding of the role of third parties in a card data environment and how those third parties potentially influence security.

"Several of our special interest groups have focused on cloud security, and as we lean into these services, we need to understand who owns the risk and how does the environment get isolated and protected from other parties in the same environment?" Leach said, noting that there is a commonality between PCI requirements and other flexible software security frameworks. "I see that as one of our flagship standards going forward because whatever aspect of the payment transaction you're talking about, there's software involved."

Flexible standards, roadmap

Leach further noted that the payment data security standard will not be fully enacted until the first quarter of 2025, giving stakeholders a long runway to implement new requirements after multiple request for comment (RFC) periods. Participating Organizations, Qualified Security Assessors and Approved Scanning Vendors will preview PCI DSS 4.0 in January 2022, followed by public release of the standard in March 2022, he added.

Following are additional conference highlights:

• Global pandemic challenges: In addition to expanding its online training courses, the council published guidelines for performing remote assessments and a training course on working from home basics. Additional information is available at www.pcisecuritystandards.org/documents/PCI-SSC-Remote-Assessment-Guidelines-Procedures-v1_0.pdf and www.pcisecuritystandards.org/program_training_and_qualification/work_from_home_security_awareness.

• Evolving mobile standards: Seeing the need to support future mobile payment schemes, the council is updating existing Software-based PIN Entry on COTS (SPoC) and Contactless Payments on COTS (CPoC) standards and plans to introduce a flexible mobile standard that supports a wide range of payment acceptance channels, verification methods, and payment solution development. Read more at blog.pcisecuritystandards.org/the-future-of-pci-ssc-mobile-standards.

• Software standards education: To assist stakeholders as they migrate from PA-DSS to the Software Security Framework (SSF), the council published guidance on the conceptual differences between SSF and PA-DSS. The downloadable guide is available at blog.pcisecuritystandards.org/part-one-conceptual-differences-between-ssf-and-pa-dss.

• Request for comments periods: The council invites PCI SSC stakeholders to provide feedback on existing and new PCI Security standards and programs in upcoming and current RFC sessions. For more information, visit the RFC page at www.pcisecuritystandards.org/get_involved/request_for_comments.

"This week was a great example that no one person has all the answers," Leach said. "Just being able to come together as a global community and have conversations, that we wish had been in person, but even video chats and networking enabled people with different backgrounds to share their experiences."

The Green Sheet Inc. is now a proud affiliate of Bankcard Life, a premier community that provides industry-leading training and resources for payment professionals. Click here for more information.

Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.