On Day 1 of the PCI Security Standards Council’s North America Meeting in Vancouver, Emma Sutcliffe, Global Head of Standards, kicked off the conversation. She previewed what we should expect from the upcoming Request For Comments (RFC) period, the version 4.0 draft of the Data Security Standard (DSS), and the goal of adding flexibility and support for additional methodologies to achieve security objectives.
What hasn’t changed?
Although the titles of some of the 12 requirements will change, the overall structure has not.
What has changed?
There will be two options for implementation and validation: defined and customized.
Defined follows the current PCI DSS requirements and testing procedures. Customized is a new approach focused on the intent of each PCI DSS requirement. The new approach is meant to give entities greater flexibility in demonstrating how their security controls are implemented to meet objectives. An entity must provide documentation that describes the customized implementation, which includes the “who, what, where, when and how” of the controls; the evidence required to support the stated intent; and how the controls are maintained and how their effectiveness is ensured. An assessor must review the information provided by the entity to support the customized approach, define the testing procedures, and document the results of the testing within the Report on Compliance (ROC).
Either approach (defined or customized) may be used for a PCI DSS requirement and both options can be used within the same PCI DSS assessment.
What might change?
The Council is still uncertain about the fate of compensating controls, since they were intended to provide flexibility and a customized approach for each requirement. The good news is that using the customized approach will not require a business justification or technical constraint, whereas a compensating control does.
What can we expect in v4.0 of the Data Security Standard?
- The overall structure will stay the same
- The titles of the requirements have changed to more accurately represent each requirement’s purpose
- Additional direction and guidance in the Overview
- The requirements will be organized into Security Objectives
- Clear identification of intent (objective) for each requirement
- The requirements will be refocused as outcome-based statements
- Expanded guidance
What will be included in the RFC?
- Full draft of PCI DSS v4.0
- Summary of changes and new approach
- Guidance for getting the most out of the RFC
- Sample reporting template for customized validation
- Instructions for accessing and completing the RFC
What is the timeline?
- First RFC of v4.0 draft: October 2019
- Second RFC of v4.0 draft: Planned next year
Stay tuned. Frazier & Deeter’s PCI team will share more updates from the PCI SSC meeting, as well as throughout the process of the RFC and the move to version 4.0 of the Data Security Standard.
About the Author:
Derrick Rice CISSP, CISA, QSA is a member of Frazier & Deeter’s Process, Risk & Governance Practice. PCI is one of his areas of expertise.