
Compensating Controls, Customized Approach and Tokenization in PCI DSS 4.0

Written by Mirza Salihagic | Mar 7, 2025

The Payment Card Industry Data Security Standard (PCI DSS) has always been considered one of the most prescriptive industry mandates around. And well might it be, given what’s at stake. As breach volumes surge and threat actors find it ever easier to bypass traditional cyber-defenses, the card industry must ensure that complying organizations are doing their utmost to keep cardholder data secure.

Yet there have always been nuances to the standard. And in the most recent version, which will come into force fully on March 31, even more flexibility will be introduced.

Flexibility for complying organizations

PCI DSS 4.0 is a major new version of the standard which introduces over 60 new technical controls, including new rules around data protection. Yet some organizations will find that they’re unable to meet some of the 300+ controls, for legitimate business or technical reasons. This is why the standard allows for “compensating controls.” Compensating controls are not the ideal solution for PCI DSS, as they act as temporary workarounds for unmet requirements. Relying on them can lead to increased long-term complexity, higher costs, and greater risk compared to implementing the standard controls from the outset.

If the organization can prove that an alternative control can mitigate risk as or more effectively than the original mandated control, then it will be deemed sufficient for compliance purposes.

But there’s more. While using compensating controls was also possible in prior versions, PCI DSS 4.0 introduces a new concept to the standard: that of a “customized approach.” This is for organizations that don’t have a constraint that forces them to meet a requirement differently, but instead proactively choose to go down an alternative route. It was introduced after feedback from enterprises that wanted greater flexibility to use innovative technologies to achieve security objectives.

It supports the PCI Security Standards Council (SSC)’s vision for the standard, as empowering organizations to prioritize security controls based on their own risk profile and immediate threat landscape. In this way, enterprises are encouraged to address their most relevant risks rather than be forced to comply with a rigid set of measures.

However, the PCI SSC notes: “The customized approach is most successful when the entity has robust security processes and strong risk management practices and is able to effectively design, document, test, and maintain security controls to meet that objective.”

Where tokenization comes in

Tokenization is widely recognized as a best practice for achieving PCI compliance and it offers significant benefits for organizations handling cardholder data. It replaces sensitive data elements like primary account numbers (PANs) with unique tokens across the Cardholder Data Environment (CDE). These “protected tokens” are useless if accessed by threat actors, dramatically reducing an organization’s breach risk exposure. As a result, they’re considered outside the scope of PCI DSS, thereby reducing the cost, time and resources needed to comply. That is why in many organizations tokenization is built directly into the payment architecture to replace full PANs in day-to-day operations, reduce the scope and meet PCI DSS requirements in a straightforward, “standard” manner.
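The paragraph above describes vault-based tokenization in the abstract. The following is an added example, not code from comforte, SecurDPS or the PCI SSC, showing the properties that make tokens "useless if accessed": the token has no mathematical relationship to the PAN, it keeps the PAN's length and last four digits so downstream systems still work, it is built to fail the Luhn check so it can never be mistaken for a real card number, and detokenization is gated by role. It assumes an in-memory vault (a real deployment stores the mapping encrypted and keyed); the role names, the HMAC index key and the test PAN 4111111111111111 are constructed for the example.

```python
import hashlib
import hmac
import secrets


def luhn_valid(number: str) -> bool:
    """Standard Luhn (mod 10) check used to validate a PAN."""
    if not number.isdigit():
        return False
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def is_valid_pan(pan: str) -> bool:
    """A plausible PAN: 13-19 digits that pass the Luhn check."""
    return 13 <= len(pan) <= 19 and luhn_valid(pan)


class TokenVault:
    """Minimal vault tokenizer (example only): PAN -> random token -> PAN.

    Tokens are format-preserving (same length, digits only, last four kept)
    but are generated randomly, so nothing in the token reveals the PAN.
    """

    def __init__(self, detokenize_roles: set[str]) -> None:
        self._detokenize_roles = set(detokenize_roles)
        self._vault: dict[str, str] = {}     # token -> PAN (encrypt at rest in practice)
        self._index: dict[str, str] = {}     # HMAC(PAN) -> token, so the index holds no clear PANs
        self._index_key = secrets.token_bytes(32)  # constructed per-instance key (demo)

    def _index_of(self, pan: str) -> str:
        # Keyed hash so a leaked index cannot be brute-forced over the PAN space.
        return hmac.new(self._index_key, pan.encode(), hashlib.sha256).hexdigest()

    def _new_token(self, pan: str) -> str:
        keep = pan[-4:]
        while True:
            body = "".join(str(secrets.randbelow(10)) for _ in range(len(pan) - 4))
            candidate = body + keep
            # Reject anything that could pass as a real PAN or collide with an existing token.
            if candidate != pan and not luhn_valid(candidate) and candidate not in self._vault:
                return candidate

    def tokenize(self, pan: str) -> str:
        """Return the token for a PAN; the same PAN always maps to the same token."""
        if not is_valid_pan(pan):
            raise ValueError("not a valid PAN")
        key = self._index_of(pan)
        if key in self._index:
            return self._index[key]
        token = self._new_token(pan)
        self._vault[token] = pan
        self._index[key] = token
        return token

    def authorized(self, role: str) -> bool:
        """Only roles with a business need may recover the PAN."""
        return role in self._detokenize_roles

    def detokenize(self, token: str, role: str) -> str:
        if not self.authorized(role):
            raise PermissionError(f"role {role!r} may not detokenize")
        try:
            return self._vault[token]
        except KeyError:
            raise KeyError("unknown token") from None


if __name__ == "__main__":
    vault = TokenVault(detokenize_roles={"settlement"})
    tok = vault.tokenize("4111111111111111")   # constructed test PAN
    print("token:", tok, "luhn-valid:", luhn_valid(tok))
    print("settlement sees:", vault.detokenize(tok, role="settlement"))
```

Everything outside the vault and the settlement role works with the token alone, which is the scope-reduction argument in the text: systems that never hold the PAN are not in the cardholder data environment.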

In our next blog post, we’ll explore why implementing tokenization as a standard data protection measure for PCI DSS is a smart long-term investment.

How comforte SecurDPS can help

The great news is that comforte’s SecurDPS solution offers tokenization as a data protection option, to support organizations looking to adopt compensating controls and/or a customized approach.

It’s designed to:

  • Automatically and continuously discover and classify sensitive data
  • Apply strong protection to that data in line with policy (e.g. tokenization, or other methods)
  • Only allow legitimate users to access the data (via role-based access controls)

Not only does SecurDPS offer tokenization. Its data discovery function also plays an important role for organizations looking to implement compensating controls or customized approaches, as they must first identify where sensitive data resides across the enterprise before protecting it. It all adds up to simpler, less operationally draining, and potentially more cost-effective PCI DSS 4.0 compliance.