In June 2021, the Payment Card Industry Security Standards Council (PCI SSC) announced that it was targeting Q1 2022 for the release of v4.0 of its Data Security Standard (DSS). Any company that accepts payments from Visa, Mastercard, American Express, Discover, JCB International, or UnionPay will need to comply with the standard for securing their customers' card data. Therefore, there's a lot of interest in what might end up in the new version.
While details of the upcoming standard have yet to be released, white-label payment processor E-Complish identified "promoting security as a continuous process" as one of the most highly anticipated changes.
Continuous Security in PCI DSS v4.0?
E-Complish wasn't the only one to anticipate this change. Technology risk professional Gaurav Deep Singh Johar, who's a member of the Emerging Trends Working Group at IT governance association ISACA, has been keeping track of what to expect in PCI DSS v4.0. Considering thousands of comments and pieces of feedback sent to PCI, he, too, predicts a trend of moving away from time-based audits to embrace continuous security auditing and reporting.
"The standard might allow organizations to utilize existing metrics that they are tracking to report on security thresholds," he explains. "Many organizations are already compliant to existing versions of security standards, such as PCI DSS, SOC2, ISO27001, etc., and theoretically, organizations could reuse their existing compliance data to support some of their certification requirements under the new PCI DSS standard."
These trends reflect the extent to which things have changed since PCI last updated its standard back in 2018, Johar says. Many organizations have moved some of their data and apps to the cloud since then, and with digital transformation being a big area of focus in the aftermath of COVID-19, the standards body could be preparing to account for this change.
"The standard needs to meet more than what it used to," Johar points out. "This is true not only across data center environments local to organizations, but also for cloud-based services and serverless computing environments, etc. Today's controls need to meet today's requirements. They need to be more flexible and do it differently."
How to Start Continuous Security with Today's PCI DSS
PCI DSS v4.0 will carry its own guidance for how to pursue continuous compliance once it's released. But organizations don't need to wait until then to begin the process.
ISACA global mentor Chetan Anand, who's also associate vice president of information security and CISO at fintech company Profinch Solutions, explains that continuous compliance starts with setting a solid foundation.
"First and foremost, one must develop and maintain a sustainable security program. This requires understanding that the purpose of the PCI DSS is to protect cardholder data from damages resulting from the theft or improper disclosure of cardholder data," he says. "This includes everyone in the payment chain: merchants, service providers, acquirers, issuers, the payment brands, and consumers."
Another key for organizations to be successful in implementing a continuous PCI DSS compliance program: leadership buy-in, Anand adds.
"Having sufficient resources, including the necessary budget, people resources, tools, training, and awareness that drives competence, are key considerations for a successful program," he says.
Once they have that program in place, organizations can focus their efforts on establishing and implementing policies, processes, procedures, and controls. These include using metrics to monitor the implementation of those controls in the cloud.
"An effective way to achieve continuous compliance is through cloud-based security hygiene tools that monitor the compliance of security controls against a known baseline or template," notes Neil Lappage, security adviser and virtual CISO for cybersecurity services firm ITC Secure and, like Johar, member of the ISACA Emerging Trends Working Group. "From a management perspective, real-time dashboards help to visualize PCI DSS compliance status against key performance indicators and ultimately provide assurance to stakeholders."
Organizations can then use those metrics to tailor their controls in accordance with what they've learned from previous security incidents.
Shifting to the Enterprise
With continuous security monitoring and threshold reporting, organizations can make securing the enterprise a key element of their practice going forward.
Promoting security as a continuous process ultimately supports another change that Johar anticipates.
"PCI could be expanding its scope to protecting organizations as a whole," he says. "Any security standards need to be geared toward this so that organizations can move away from just securing their payment cardholder data to protecting the enterprise at large."