Explaining the PCI DSS Evolution & Transition Phase


The boom in online business and credit card transactions through the late 1990s and 2000s brought with it a rising trend of online payment fraud. Since then, securing online card transactions has been a growing concern for businesses and payment card companies alike. A string of high-profile data breaches and mounting losses from online fraud emphasized the need for urgent measures and a standardized approach to the problem. To tackle payment card fraud and cybercrime, the major payment brands (Visa, MasterCard, American Express, Discover and JCB) together created a global security standard to protect card payments.

The Payment Card Industry Data Security Standard (PCI DSS) was established to foster safe handling of cardholder data across the industry, and was then extended into an internationally uniform standard for all payment card transactions. Today, PCI DSS is an internationally accepted standard and baseline of best practice that all merchants and service providers that store, process or transmit cardholder data are expected to comply with.

History of PCI DSS

PCI DSS was first introduced in December 2004. Prior to this, in 2001, Visa had been the first payment brand to establish its own security program and requirements for businesses accepting card payments (the Cardholder Information Security Program, CISP). The other payment brands followed with programs of their own. Merchants and service providers were then faced with satisfying several overlapping sets of requirements, and the lack of a unified approach caused confusion among merchants struggling to satisfy the disparate compliance regimes.

To address this, the major payment brands aligned their individual programs into a single payment security standard governing card transactions and processing among merchants and service providers: the Payment Card Industry Data Security Standard (PCI DSS). In September 2006 they went a step further and formed the Payment Card Industry Security Standards Council (PCI SSC) as an independent body to own, maintain and evolve the Standard.

PCI DSS v1.0 debuted in December 2004. All merchants and service providers that store, process or transmit cardholder data are expected to comply with the Standard. Since the Council's formation there have been several updates, the latest major version being PCI DSS v4.0, published in March 2022. The Council continues to update the Standard regularly to address the evolving threat landscape and reflect current best practice for the payment card industry.

How has PCI DSS Standard Evolved over the years?

From the first version to the current release, the Security Standards Council has continually kept pace with the evolving threat landscape. The different versions of PCI DSS can be seen in the following timeline:

PCI DSS Timeline

 

PCI DSS Evolution Explained

Year / PCI DSS Standard

  • December 2004: PCI DSS v1.0 introduced, consolidating the payment brands' individual programs into one standard.
  • September 2006: PCI DSS v1.1, the first release issued by the newly formed PCI SSC, addressed web application security. Public-facing web applications had to be protected either by having custom application code reviewed for vulnerabilities or by placing a web application firewall in front of them (Requirement 6.6).
  • October 2008: PCI DSS v1.2 clarified the wireless network and anti-malware requirements. Anti-virus software was required on all systems commonly affected by malware, and the use of WEP on wireless networks connected to the cardholder data environment was to be phased out in favour of stronger encryption.
  • August 2009: PCI DSS v1.2.1 provided clarifications and minor corrections in multiple areas, bringing more consistency to the format and language of the Standard and its supporting documentation.
  • October 2010: PCI DSS v2.0 provided further clarity on the requirements and more flexibility in how merchants could meet them, including clarifications on restricting user access, protecting stored data with encryption, and managing encryption keys. From this version onward the Council moved the Standard to a three-year development lifecycle.
  • November 2013: PCI DSS v3.0 aimed to close knowledge and awareness gaps around security and emerging technologies such as cloud services. It added a requirement for a formal penetration testing methodology and additional guidance on responsibilities in shared and cloud-based environments, and positioned compliance as a business-as-usual activity rather than an annual event.
  • April 2015: PCI DSS v3.1 was a short-term update issued in response to published weaknesses in SSL and early TLS, which were removed from the Standard's examples of strong cryptography. It was retired on October 31, 2016, giving merchants time to adopt the changes introduced in PCI DSS v3.2 in April 2016.
  • April 2016: PCI DSS v3.2 responded to growing threats to payment information with new requirements and supporting guidance to help entities prevent, detect and respond to attacks. It extended Multi-Factor Authentication (MFA) to all non-console administrative access to the cardholder data environment, incorporated the Designated Entities Supplemental Validation (DESV) as an appendix, set migration dates for moving off SSL and early TLS, and added service-provider requirements such as six-monthly penetration testing of network segmentation controls.
  • May 2018: PCI DSS v3.2.1 was a minor revision of v3.2. It removed the effective-date notes for requirements (such as MFA and the SSL/early TLS migration) whose deadlines had already passed and made editorial clarifications; no new requirements were added.
  • March 2022: PCI DSS v4.0 includes expanded MFA requirements, clearly defined roles and responsibilities for each requirement, a new customized approach to validation, and a set of new requirements addressing current threats.
  • March 2024: PCI DSS v3.2.1 is retired on March 31, 2024, leaving v4.0 as the only active version.
  • March 2025: The future-dated PCI DSS v4.0 requirements become mandatory on March 31, 2025.

PCI DSS 4.0 Version: The Latest Updates and Changes

PCI DSS v4.0 is the latest version of the Standard. It was released in March 2022 and will be fully in force by March 31, 2025. The Council gives organizations time to adopt the changes in two stages: PCI DSS v3.2.1 remains active alongside v4.0 until March 31, 2024, a two-year transition period during which an assessment may be performed against either version, and the requirements marked "future-dated" in v4.0 remain best practice for a further year, until March 31, 2025.

This version is designed to refresh the baseline of technical and operational requirements for securing account data. It offers added clarity and guidance, and introduces flexibility by allowing entities to implement customized controls in place of the defined requirements wherever a Customized Approach Objective is stated.

The compliance levels remain unchanged: four levels for merchants and two for service providers, defined by the individual payment brands rather than by the Standard itself and determined by the number of transactions processed annually. PCI DSS v4.0 introduces 64 new requirements: 53 apply to all entities and 11 only to service providers. Of these, 13 are effective immediately for all v4.0 assessments and 51 are future-dated, remaining best practice until March 31, 2025.

Some Key Changes Introduced

  • Customized Approach: PCI DSS v4.0 allows a customized approach in which the organization designs its own control to meet a requirement's stated Customized Approach Objective, as an alternative to the defined approach of implementing the control exactly as the Standard prescribes. With this flexibility come additional responsibilities: building and testing the control, monitoring its effectiveness, completing the associated controls matrix, and completing a Targeted Risk Analysis (TRA) for each customized control, all of which the assessor must then validate. Note also that "several requirements do not have a stated Customized Approach Objective; the customized approach is not an option for these requirements."
  • Formalized Annual Scoping: Conducting a scoping exercise at least annually was already expected under the previous version. PCI DSS v4.0 formalizes it as a requirement (12.5.2) that must be documented and is subject to validation by an assessor, effective immediately for all v4.0 assessments.
  • Assigning of Responsibilities: Organizations must define, document and communicate roles and responsibilities for the activities in each of Requirements 1 through 11, and hold personnel accountable for their respective tasks. This requirement is effective immediately for all v4.0 assessments.
  • Encryption of SAD: Requirement 3.3.2 requires that any sensitive authentication data (SAD) stored electronically prior to completion of authorization be encrypted using strong cryptography. The assessor's testing procedure is to "Examine data stores, system configurations, and/or vendor documentation to verify that all SAD that is stored electronically prior to completion of authorization is encrypted using strong cryptography." This requirement is a best practice until March 31, 2025.
  • Rendering PAN Unreadable: Requirement 3.5.1.1 specifies that hashes used to render PAN unreadable must be keyed cryptographic hashes of the entire PAN, with associated key-management processes and procedures in accordance with Requirements 3.6 and 3.7. An unkeyed hash does not meet the requirement, because the space of possible PANs is small enough to be searched exhaustively. Further, Requirement 3.5.1.2 states that if disk-level or partition-level encryption is used on non-removable electronic media, the PAN must also be rendered unreadable by another mechanism that meets Requirement 3.5.1. Both requirements are best practices until March 31, 2025.
  • Strong Authentication Requirements: The new version strengthens access control and authentication. Requirement 7.2.4 requires all user accounts and related access privileges, including third-party and vendor accounts, to be reviewed at least once every six months. Requirement 8.4.2 requires Multi-Factor Authentication (MFA) for all access into the CDE, not only for administrative and remote access. Both are best practices until March 31, 2025.

Requirement 8.3.6 raises the minimum password length to 12 characters (or, if the system does not support 12 characters, a minimum of eight), and passwords must contain both numeric and alphabetic characters. Per the Standard's applicability note: "This requirement is a best practice until 31 March 2025, after which it will be required and must be fully considered during a PCI DSS assessment. Until 31 March 2025, passwords must be a minimum length of seven characters in accordance with PCI DSS v3.2.1 Requirement 8.2.3."
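As an added illustration of the keyed-hash rule in Requirement 3.5.1.1 discussed above, the following Python (example code written for this article, not from the PCI SSC or any vendor) shows why an unkeyed hash does not render a PAN unreadable while a keyed hash does. HMAC-SHA256 is used here as one acceptable form of keyed cryptographic hash; the Standard names no specific algorithm. The PAN is the well-known Luhn-valid test number 4111 1111 1111 1111, the HMAC key is a constructed value, and in a real deployment the key would be generated, stored and rotated under Requirements 3.6 and 3.7 rather than embedded in code.

```python
"""Added example for PCI DSS v4.0 Requirement 3.5.1.1: keyed vs. unkeyed
hashing of a PAN.  Written for this article; not PCI SSC or vendor code.
TEST_PAN is a standard Luhn-valid test number, not a real account, and
TEST_KEY is a constructed value standing in for a key managed under
Requirements 3.6 and 3.7."""
import hashlib
import hmac
from typing import Optional

TEST_PAN = "4111111111111111"  # constructed: the classic Visa test number
TEST_KEY = bytes.fromhex("00112233445566778899aabbccddeeff"
                         "00112233445566778899aabbccddeeff")  # constructed


def luhn_valid(pan: str) -> bool:
    """True if the digit string passes the Luhn checksum used by card numbers."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit counting from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def truncate(pan: str) -> str:
    """Truncated display form: BIN (first six) and last four left visible."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def unkeyed_hash(pan: str) -> str:
    """The approach 3.5.1.1 rules out: a plain SHA-256 digest of the PAN."""
    return hashlib.sha256(pan.encode()).hexdigest()


def keyed_hash(pan: str, key: bytes) -> str:
    """A keyed cryptographic hash over the entire PAN (HMAC-SHA256).
    Without the key an attacker cannot compute candidate digests at all."""
    return hmac.new(key, pan.encode(), hashlib.sha256).hexdigest()


def recover_pan(target_hash: str, bin6: str, last4: str) -> Optional[str]:
    """Brute-force a 16-digit PAN from an *unkeyed* SHA-256 digest.

    The BIN and last four digits are routinely available in the clear,
    since that is exactly what truncation leaves visible.  That leaves
    10**6 candidates for the six middle digits, only about one in ten of
    which pass the Luhn check, so the whole search takes seconds.
    Against a keyed digest the same loop exhausts the space and returns
    None: no unkeyed candidate can ever match, and guessing the key
    instead means searching a 256-bit space."""
    for mid in range(10 ** 6):
        candidate = f"{bin6}{mid:06d}{last4}"
        if not luhn_valid(candidate):
            continue
        if hashlib.sha256(candidate.encode()).hexdigest() == target_hash:
            return candidate
    return None


if __name__ == "__main__":
    shown = truncate(TEST_PAN)
    bin6, last4 = shown[:6], shown[-4:]
    weak = unkeyed_hash(TEST_PAN)
    strong = keyed_hash(TEST_PAN, TEST_KEY)
    print("truncated PAN visible to attacker:", shown)
    print("PAN recovered from SHA-256 digest: ", recover_pan(weak, bin6, last4))
    print("PAN recovered from HMAC digest:    ", recover_pan(strong, bin6, last4))
```

Run stand-alone, the script recovers the full PAN from the unkeyed digest in well under a second and reports None for the HMAC digest after exhausting the search. Changing the key changes every digest, which is why key rotation under Requirements 3.6 and 3.7 has to be planned together with re-hashing of any stored values.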

For more details about the updates and changes, the SSC has published its official document, Summary of Changes from PCI DSS Version 3.2.1 to 4.0.

Transition from PCI DSS 3.2.1 to PCI DSS 4.0

The PCI Council has provided a transition period for organizations to adopt the changes from PCI DSS v3.2.1 to v4.0, during which v3.2.1 remains active until March 31, 2024. The transition period allows organizations to familiarize themselves with the changes, implement the necessary requirements, and update their reporting templates, policies and plans. After March 31, 2024, v3.2.1 is retired and v4.0 is the only active version of the Standard.

Future-Dated Requirements

In addition to the transition period, during which both v3.2.1 and v4.0 are active, extra time is granted to phase in the new requirements identified as "future-dated" in v4.0. Future-dated requirements are considered best practices until their effective date of March 31, 2025, after which they are mandatory and must be fully considered in an assessment. Organizations are not required to validate future-dated requirements before then, but they are encouraged to implement the controls early so that the first assessment in which they are mandatory is not the first time they are tested.

Going Ahead –Step towards Achieving Compliance

Achieving and maintaining PCI DSS v4.0 compliance is a continuous process that requires constant monitoring. Although a number of the new requirements are future-dated and remain best practice until March 31, 2025, organizations should start their compliance initiatives now in order to meet them in time. The first step is to understand the updates and new requirements introduced in PCI DSS v4.0. The next is a readiness assessment, followed by planning and budgeting for the resources needed. A readiness assessment gives the organization a clear roadmap of the activities and measures required to satisfy the new requirements, easing the compliance process and helping it determine and implement the security controls the new Standard demands.


About the Author:

Narendra Sahoo (PCI QSA, PCI QPA, CISSP, CISA, and CRISC) is the Founder and Director of VISTA InfoSec, a global information security consulting firm based in the US, Singapore and India. Mr. Sahoo has more than 25 years of experience in the IT industry, with expertise in information risk consulting, assessment and compliance services. VISTA InfoSec specializes in information security audit, consulting and certification services including GDPR, HIPAA, CCPA, NESA, MAS-TRM, PCI DSS compliance and audit, PCI PIN, SOC 2, PDPA and PDPB, among others. Since 2004 the company has worked with organizations across the globe to address the regulatory and information security challenges in their industries, and has helped leading multinational companies achieve compliance and secure their IT infrastructure.

Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.
