Page 30 - GS191102
Cover Story
set forth by the PCI SSC: "Increase industry participation and knowledge; evolve security standards and validation; secure emerging payment channels; and increase standards alignment and simplicity." For Glover, the "increase industry participation and knowledge" pillar reflects the PCI SSC's improved community outreach that fosters innovation and global communication. His impression is that the council is more open than ever to feedback and will now listen to QSA companies. "In previous years, participating organizations and QSAs have not had the opportunity to provide feedback before standards were changed," he said. "We'd see the published standard and try to interpret it and ask questions."

Contactless Payments on COTS

New security requirements for commercial off-the-shelf devices will enable merchants to accept contactless transactions without adding extra hardware. The council plans to publish the new Contactless Payments on COTS (CPoC) standard in December 2019 and launch the program in 2020.

John Markh, PCI SSC standards manager, said, "CPoC expands our support for contactless payments with a standard specifically for contactless acceptance on merchant COTS devices." The CPoC standard includes security and test requirements and guidance on implementation and oversight. Participating solution providers will be evaluated and listed in the CPoC Solutions section of the PCI SSC website.

Enhanced RFC process

The council opened its request for comments (RFC) for PCI DSS Version 4.0 using newly formalized RFC procedures created to foster stakeholder understanding and participation. The Request for Comments (RFC) Process Guide details the procedural changes. Also, a new section of the PCI SSC website highlights the RFC process and lists upcoming RFCs, including recent updates on current and upcoming RFCs.

Another goal of the formal RFC procedure is to exchange feedback with stakeholders, according to Lauren Holloway, PCI SSC director of data security standards. She was quoted by Mark Meissner, the council's vice president of public relations, in a February 2019 blog post written to offer guidance on the process. "A consistent documented process lets our stakeholders know what to expect and that advance knowledge should encourage greater participation in our RFCs and provide us with more feedback," Holloway said. "The intent is to turn that feedback into action."

P2PE Standard and Program

Due out in December 2019, the next evolution of the PCI Point-to-Point Encryption (P2PE) Standard and Program will simplify requirements and add flexibility to P2PE implementation.

Ruston Miles, chief strategy officer, executive vice president and founder at Bluefin, expects these updates to help participating service providers balance security with a frictionless user experience.

Miles cited two major takeaways from recent community meetings: first, P2PE is a top-of-mind topic and is being widely adopted at a growing pace; and second, standards and organizational structures are being reworked to prioritize stakeholders and their user experience.

"The P2PE Solution 3.0 standard is coming out very soon," Miles said. "In fact, participating organizations will be working through the commenting and feedback phase later this year. It will not change the technical requirements so much as it will ease implementation logistics and assessments. There are now 86 certified P2PE solutions listed on the PCI SSC website in late 2019. That is a long way from four listed P2PE solutions in early 2014."

PCI DSS 4.0

PCI DSS v4.0 will support a range of evolving payment environments, technologies and security methods, Leach noted. Stakeholders are reviewing the draft and exchanging ideas, which will continue through the RFC period. Stakeholder feedback and a changing payments industry will be key considerations in developing PCI DSS v4.0, he stated. So far, the council's vision for v4.0 appears to be resonating with members, who have indicated they expect its flexibility will enable organizations to maintain compliance and react quickly to emerging threats.

Miles sees PCI DSS 4.0 as a significant upgrade to the standard, particularly in terms of usability and user experience. From his perspective, the refresh improves clarity and makes the standard more easily understood and accessible to users. "This is a necessary step in the maturation process of this and any standard, which will further promote adoption of the standard," he said.

Flexible, customized controls

Marc Punzirudu, vice president of security consulting services at ControlScan, was impressed by the alternative validation of controls in PCI 4.0, which applies to entities with established security programs. Alternative validation is a test against the intent of a control and its objectives, instead of a review of the standard control as written, he noted.

Replacing compensating controls with customized responses to requirements, which the PCI SSC called a "natural evolution," is expected to be valuable to mature organizations. Customized validation enables them to demonstrate how they meet PCI DSS requirements in unique ways, Punzirudu stated. "I largely see the need for compensating controls to disappear altogether as they are, in essence, an objective-based control test," he said.