The PCI DSS standards outline a secure framework that organizations can implement to protect their users’ most critical and sensitive data. The PCI Security Standard released PCI DSS v4.0 in June of 2022 to address ongoing and evolving threats to payment data with new and innovative approaches to security. Organizations have two years to update from the previous version (v3.2.1).
This article covers some of the recent changes in v4.0. It takes a deep dive into the ways in which your organization can take advantage of the standard’s increased flexibility to help your organization maintain PCI compliance. Why is the newly introduced flexibility necessary? Because even though organizations face similar threats to their payment data, not every organization functions in the same way. We’ll discuss this more after reviewing the relevant changes to the standard.
What’s New in PCI DSS v4.0?
You can access a complete document containing the v4.0 PCI DSS standards and a summary of the recent changes from the PCI Security Standards document library. An “at a glance” summary document gives an executive-type overview of the changes.
The new version introduces four main categories of changes:
- Evolving Security Practices
- Considering Security as a Continuous Process
- Increasing Flexibility to Reach Compliance
- Improving Validation and Reporting Options
Let’s explore each of these in more detail.
Evolving Security Practices
As criminals and malicious actors continually improve their methods and tactics for attempting to access private financial data, security measures must also evolve and adapt. The new version of the standard updates password requirements and expands on the multi-factor authentication requirements that employees must meet in order to access these systems.
The new standards also address increasing threats to e-commerce sites (such as phishing) and how to combat them more effectively.
Considering Security as a Continuous Process
Securing your payment environments is no longer considered something you can do once and then rest. As attack vectors evolve, so must the systems under our stewardship. In the new standards, the roles responsible for each requirement are more clearly defined, with improved descriptions of how each function increases vigilance and security.
As with any business process, you succeed more as you add visibility and comprehensive reporting. The new standards also define how organizations can improve reporting on security efforts as well as how these efforts can be more transparent.
Increasing Flexibility for Organizations to Reach Compliance
Flexibility and standards aren’t typically concepts that co-exist. However, given the dynamic and continually evolving nature of systems and security, this change seems valuable and acknowledges various organizations’ challenges and capabilities. (We’ll explain this change in even more depth in the next section.)
This customized approach to PCI standards seeks to empower organizations in relation to the types of accounts and the frequency of security tasks. The new standards grant flexibility around how the PCI standards are validated, and they give some latitude toward using innovative methods to achieve security goals.
Improving Validation and Reporting Options
These changes dovetail with the two changes mentioned above: flexibility and continuous improvement. The objective is to improve the ability of an organization to correlate data between various compliance reports and surveys with the information contained in the Attestation of Compliance. By improving continuity between the data and reports, as well as enhancing transparency and the ability to better understand what they report, organizations can be more confident about their compliance and validation.
PCI Compliance Through Greater Flexibility
As the four main areas of change described above illustrate, security leaders and business owners now have greater flexibility in how they can achieve and report on PCI-DSS compliance. This gives organizations the advantage of being able to integrate their compliance using cloud technology. This approach helps streamline and correlate the security team’s efforts in managing daily compliance activities with the organizational leadership’s reporting responsibilities.
Greater flexibility sounds like a noteworthy improvement in theory, but what difference does it make in practice to PCI-DSS compliance? Let’s explore what this flexibility means, what benefits you can reap through customizing compliance frameworks, and how this can simplify PCI-DSS implementation and enforcement in the cloud.
The PCI framework outlines 12 core requirements (including a collection of controls for each one) that an organization must implement to achieve compliance. The new flexibility and customization guidelines don’t eliminate the need for these controls. Still, they offer some latitude for compliant organizations to improve how they implement some sub-controls in the face of evolving threats.
An organization that wants to implement a custom approach can do so without a business justification. The company can use a custom approach to address one or more requirements for compliance. The underlying principle here is that the process needs to meet or exceed the objectives of the original compliance control.
Depending on their location or the underlying infrastructure of their systems, some organizations may choose to implement other security frameworks in addition to PCI compliance. (We’ll discuss additional frameworks later.) Companies may select a control that satisfies the requirements for multiple frameworks, especially if that control offers more robust protections for their processes and the data for which they are responsible.
Guidelines for Using a Customized Approach
If your organization is already compliant and you would like to consider a customized approach, the following guidelines can help you make an informed decision that will ensure the safety and security of your systems.
First, ensure that you understand the framework’s requirements and objectives related to the control you would like to customize. Second, evaluate whether you are already in compliance with the requirements outlined in the PCI framework. Third, consider whether the customized control or process will adequately meet your security needs and objectives, and whether it will improve existing measures.
To validate your conclusions and ensure that you aren’t introducing any potential vulnerabilities, you might also exercise due diligence and consult with a Qualified Security Assessor (QSA) who is trained in the customized approach. A well-trained QSA can provide a different perspective and may recommend further improvements to your proposed approach.
PCI DSS and Other Cybersecurity Frameworks
As mentioned above, PCI DSS is the gold standard for organizations that manage payment data, but it is not the only security compliance framework available. CAS CCM is a cybersecurity control framework that helps secure cloud-based networks and applications. Many leading cloud providers, such as AWS, Google, Microsoft, and AliCloud have Center for Internet Security (CIS) frameworks that define best practices and guidelines to support security.
The existence of various cybersecurity frameworks reflects the fact that while there are common objectives for security, each organization and its work is unique. The security frameworks that your organization chooses to implement for compliance will vary based on the types of data you gather and store as well as the infrastructure on which you choose to deploy your systems.
While compliance with some frameworks (like PCI) is mandatory, it is important to remember that consumer protection is the objective of this compliance. Improved protection for your consumers also means improved protection for your brand and your organization’s bottom line. Auditing, reporting, and enforcement are all tools used to achieve that objective. Additionally, these common frameworks have given rise to a community of companies who specialize in supporting organizations with their compliance needs and reducing the burden of achieving and maintaining that compliance.
The Pursuit and Improvement of Cybersecurity Maturity
Cybersecurity maturity is similar to other forms of maturity within the technology realm. As organizations begin their journeys, there’s a constant theme of change and improvement. Sometimes the organization makes mistakes or misses critical aspects of the comprehensive approach. Over time, the volume of change slows until the organization reaches a point where all systems are compliant, processes are well-defined and documented, and reporting is relatively seamless.
Once maturity is achieved, the focus shifts from compliance to continuous improvement and refinement. Whether your organization has reached maturity or is still working towards it, you may benefit from partnering with a cloud-based compliance solution provider. Such a partnership can provide benefits including optimized reporting as well as identification of inefficiencies and ways to improve your existing processes. A cloud compliance solution can also expedite the process of audit readiness and assist with integrating multiple security frameworks into a consolidated plan that best fits your operating model.
Does It Matter Which Cloud Compliance Solution You Select?
The right partnership can make all the difference in achieving maturity and meeting the objectives of your cybersecurity plan. It’s also important to note that not all cloud compliance solutions are equal. You want to select a partner who understands the unique needs of your business and has a proven record of supporting organizations like yours.
When selecting a cloud compliance partner, your objective is to improve efficiency and streamline your processes. Ideally, the result is a compliance system that actively monitors your infrastructure’s state and accurately identifies potential threats and vulnerabilities. You’ll also want to ensure that the number of false positives and redundant alerts is limited so that your security staff can remain focused on fundamental and active threats without the noise of false signals and redundant warnings.
Finding the Right Cloud Compliance Solution
When you begin your search for a cloud compliance solution, it’s critical to identify which industry standards your organization desires or needs for compliance. If you manage consumer payment data, then PCI compliance is mandatory. If you host systems within the AWS ecosystem, then you may want to use AWS CIS as well. Once you’ve determined which frameworks you need, the next step is to identify providers who specialize in integrating these frameworks into a consolidated compliance management platform.
As an industry leader in cybersecurity, Orca Security’s Cloud Security Platform integrates with over 100 security frameworks, including industry standards like PCI, HIPAA, CIS for AWS, Azure, and Google, and location-specific frameworks like the EU’s GDPR. Orca’s custom compliance approach provides the flexibility to specify which frameworks to include in your compliance reporting. A single, comprehensive platform manages all of your compliance-related data in a unified system, reducing overhead and allowing your security team to focus on the tasks that best protect you and your users.
Achieve Cloud Compliance and Customize PCI Framework
Partnering with a cloud compliance security provider can dramatically improve the way in which you manage your compliance activities. If you would like to learn more about the Orca Cloud Security Platform and see how it can simplify and enhance the efficiency of your compliance activities, you can schedule a personalized 1:1 demo with one of their security experts.
