Few security standards have been around for quite as long as the Payment Card Industry Data Security Standard (PCI DSS). Since its inception in 2004, it has mandated a strict set of operational requirements to any organizations processing cardholder data. Failure to comply could mean big industry fines and other penalties, including possible suspension from card processing and liability for breach costs. But compliance frameworks must move with the times, and there’s been plenty of changes to cardholder data environments (CDEs) and the threat landscape over recent years.
The result is the introduction of PCI DSS 4.0, being billed as one of the biggest changes to the standard since 2004. The good news is that best-in-class data security will still form a solid foundation for compliance. The key will be finding providers that can support a continuous risk management approach.
Time for change
The PCI Security Standards Council (SSC) collected over 6000 items of feedback and consulted more than 200 organizations as part of its outreach efforts. The major updates to be found in PCI DSS 4.0 are listed here. But in general, three principles inform the new version:
- Promoting security as a continuous process
- Increasing flexibility for organizations that want to use different methods to achieve their security objectives
- Enhancing validation methods and procedures
The first is perhaps the most important. Too often, PCI DSS compliance is viewed as a point-in-time check box process. This is having a negative impact on CDE security. According to Verizon, only 27.9% of global organizations maintained full compliance with the PCI DSS in 2019—the third year in a row that compliance has declined.
The PCI SSC wanted to change that by driving a more security-by-design culture in organizations, which enables them to maintain effective and sustainable payment card data security all year round. This is a worthy aspiration, but for organizations to achieve it, they’ll not only need to change culturally, but find the right security partners.
Why data-centric security matters
A data-centric security approach is essential to drive effective PCI DSS compliance. Its key tenets of encryption and tokenization have been adopted en masse by retailers, banks and others as they look to meet the requirements of the PCI DSS. In fact, the standard stipulates that primary account numbers (PANs) are unreadable wherever they’re stored—which both encryption and tokenization can achieve.
Tokenization goes a stage further than encryption, by replacing the original number with a “surrogate” value. Using it not only reduces the attack surface for organizations, it could even take tokenized data out of scope—saving significant time and resources that would otherwise need to be spent on ensuring it met PCI DSS compliance requirements.
Yet not all data security solutions are created equal. Organizations should look for highly scalable offerings, which work across on-premises and cloud environments, and offer end-to-end capabilities: from discovery and classification to protection and monitoring. In light of PCI DSS 4.0 and the drive towards security as a continuous process, they should also be looking for data-centric security partners which provide continuous data discovery, classification, protection and monitoring. Modern IT environments are dynamic and ephemeral. Security must therefore be architected to support uninterrupted risk management, which is flexible enough to evolve as the business grows, whilst leaving no compliance gaps.
That’s the PCI DSS 4.0 vision for more secure cardholder data. And that’s why continuous data-centric security matters.
The current version, PCI DSS 3.2.1 will remain active for two years until it is retired on 31 March 2024.