PCI DSS v4.0: A Regional Perspective from Brazil

After nearly six years with the PCI Security Standards Council (PCI SSC), Carlos Caetano, Associate Director for the LA Region of Brazil, has decided to take on a new challenge with another company. The Council would like to take this opportunity to thank Carlos for his outstanding service to our organization. Under his leadership, PCI SSC held successful Latin American Forums, created the Brazil Regional Engagement Board, and established relationships with new Participating Organizations in Brazil. Carlos has served as Chair of the PCI SSC Translations Committee and has been a terrific spokesperson for the Council. PCI SSC wishes him all the very best in his future endeavors.

Leia ou ouça em português aqui.

Carlos Caetano: Welcome to our podcast series, Coffee with the Council. I’m Carlos Caetano, Associate Director, LA Region for Brazil for the PCI Security Standards Council. Today, we’ll be talking about PCI DSS v4.0 with regional perspectives from Brazil. My guests for this episode are Vanessa Kruger, Card Scheme Compliance LATAM at Adyen; Fernando Bucelli, Information Security Specialist at Cielo; and Gabriel Carvalhal, Cyber Security Team Lead at CloudWalk. Welcome!

Gabriel Carvalhal: Thank you, Carlos. It’s a pleasure to be here with you.

Fernando Bucelli: Also, thank you. It’s good to be here with you for this podcast.

Vanessa Kruger: Yeah, definitely. Thanks for the invite. It’s a pleasure to be here.

Carlos Caetano: Nice, guys. It’s amazing to have Brazil Regional Engagement Board members here with me to talk about the subject of the moment, PCI DSS v4.0, and especially bring to our global audience, perspectives from Brazil. Vanessa, I know Adyen has been looking closely at PCI DSS v4.0 since the first RFC back in 2019 and has been working on a plan for adhering to PCI DSS v4.0. Can you tell us a bit about this plan and how our listeners can learn from your experience so far?

Vanessa Kruger: Sure, Carlos. As a global payment processor, Adyen takes security very seriously. As such, since the RFC was released back in 2019, our security team, together with the PCI team – yes, we do have a PCI team at our headquarters in Amsterdam – so they have been working hard in the background to do a full assessment of the new standard and how this will impact us and our customers. So last August, we published an article on our blog about PCI DSS v4.0 which we shared with our merchants in order to help them prepare for the new standard. We will continue to create and publish articles about PCI DSS v4.0 throughout the transition period, and the focus this year actually is on informing internal and external stakeholders of the upcoming changes. We have started the internal communication to all regions in February and, this month, we had also a company-wide update. The next step is to launch training for our external-facing teams. In June, we also plan to start informing our partners and customers through several communications channels, such as webinars, mass mail, and system messages.

Carlos Caetano: Wow. Sounds like a great plan you have there. Fernando, if you’ll allow me to say, you are an old-timer here in Brazil when the subject is PCI DSS. I mean, I remember you as a former QSA assessing PCI DSS version 2.0 for many years, and for many years, supporting Cielo and the merchants with PCI DSS adherence and seeing the standard evolution. Also, you actively contributed to the PCI DSS v4.0 RFC. What are your impressions of the new PCI DSS standard?

Fernando Bucelli: Hi, Caetano, it’s true. We’ve been on the road for a long time, and we saw the evolution of the standard according to market needs. Some topics caught my attention in the new version of PCI DSS, among them controls that were previously addressed as a good practice by QSAs and are now specified in version 4.0. An example is pre-authorization encryption of sensitive data. It may seem obvious, but many entities have set aside this control and some data breaches have happened for this reason. And talking about a data breach, an important control addressed in this version 4.0 is the review of your administrative and also application credentials. The attack surface has increased over the past two years with more people working from home, like us. And of course, security controls need to be tightened as well. We must increase the security in all of our processes.

And a last topic that I believe may bring some impacts is related to compensating controls. In a scenario with numerous vulnerabilities being discovered day by day, getting clean vulnerability scans every three months has been a challenge for companies. According to Annex B of PCI DSS v4.0 for compensating controls, such controls can’t be used. For example, where tasks must be performed with some recurrence, if you miss the deadline to run the scan and fix the issues, you won’t be in compliance with PCI DSS and you won’t be able to use your compensating control. And I believe this will bring a headache for some companies. This is my beginning impressions for PCI DSS v4.0.

Carlos Caetano: Nice. Well, you bring up some important points there and I’m sure that our listeners are going to take attention and some careful actions about. So, Gabriel, I’d like to borrow your technical cybersecurity background now and talk about one of the goals we have for developing PCI DSS v4.0, which is to ensure the standard continues to meet the security needs for the payments industry. What are your impressions on the new requirements to protect against phishing attacks and to manage all payment page scripts?

Gabriel Carvalhal: Sure. I think it’s great because now with a specific requirement for that you need a deeper diving in two ways that I think in the end connect each other. You go from inside the company, where you expect to have more controls and tools available, to the client side where there’s less or even no control but it’s still your actual responsibility about security.

About phishing, I may say just start right now and try to cover all the techniques. They are becoming more and more sophisticated. You should have at least a combination of active testing with phishing campaigns, regular phishing campaigns, to raise awareness inside the company. And, have good detection and response solutions for when the first barriers have failed, and it will probably fail sometime. But about page scripts, I say the same: just start right now, try to work and map all the scripts you have, and keep them updated, secure and include third-party ones you usually use.

Carlos Caetano: All right. Well, this has been great so far. Vanessa now let’s focus a bit on merchants. How can merchants be more involved with PCI DSS v4.0 and get the maximum out of the transitional time that will retire PCI DSS v3.2.1 and put PCI DSS v4.0 as the only version to be worked with, on March 31st, 2024?

Vanessa Kruger: I would say that staying informed and preparing in advance is key to ensure a smooth transition to version 4.0. The more we, as payment providers, can inform and support merchants on the transition, the better and safest for both sides. Some requirements may take some time to be implemented, depending on the payment environment, for example: card present, card not present, mobile, etc. So, it’s important that merchants start preparing as soon as possible to ensure that by April 2024, they are fully compliant with the new standard and requirements.

At Adyen, we have an automated process to request PCI validation documents from our merchants annually. So, from next year onwards, we will start actively requesting documentation from PCI DSS v4.0, and of course, provide plenty of resources to support them throughout this transition. As an example, we already started assessing the new SAQs launched last Friday, and we will update our blog with the main highlights and changes accordingly. So, stay tuned.

Carlos Caetano: Nice. Very good. So now, Fernando and Gabriel, as our time is almost up, I’d like to have your impressions on two important new tools, if I can call them as such, introduced in PCI DSS v4.0: the target risk analysis, and the customized approach. So, Fernando, how do you see the companies working with the target risk analysis to support the adherence to PCI DSS v4.0? And Gabriel, will the customized approach help CloudWalk on the flexibility the company looks for?

Fernando Bucelli: Caetano, about the target risk, it certainly will be a challenge in my opinion. What I saw during these years, was a poor risk analysis process to deal with this control. Companies often benefit from other risk analysis process that do not meet all the requirements of a payment environment. An example of this risk analysis is a financial risk analysis that can have some security controls, but not address all the payment systems needed. I can say that this challenge will not ease, but in my opinion, checks also can support this with some tools and documents to deal with these issues, and of course, we will have the help of PCI QSAs.

Gabriel Carvalhal: From my side here, of course, I think it’s always good to have more space for different ways of thinking for a solution, but especially nowadays, when we have a broad range of technology at our disposal. But about the customized approach, it isn’t an easier way. Definitely no, because you need a very strong knowledge of your environment and a very well-defined risk assessment to support it because, in the end, it’s your QSA that will have the last word about it.

Carlos Caetano: Yeah, good. You guys brought up some very important points. I mean, we are bringing flexibility, but flexibility has a cost. And it’s true that the companies are going to need to work together with the QSAs to make it happen. Man, time really passed fast, or was it just me that got so entertained that I did not even feel the time passing? Well, to end, a reminder to our audience that you all are active members of the Brazil Regional Engagement Board. If you can summarize in one word or a sentence what it means for you and your company to be an active member of the PCI Brazil Regional Engagement Board, what can you say?

Vanessa Kruger: I would say that we work together to ensure a safer payment environment across the region.

Fernando Bucelli: Wow. Working in community to solve community problems.

Gabriel Carvalhal: Yes. In one word, I would say “commitment” with the security of our customers and all the payment industry as well.

Carlos Caetano: Excellent, excellent. And we are really glad to have you all as members of the Regional Engagement Board and appreciate that. So, before we wrap up, since you are on the Coffee with the Council, we like to ask our guests how they take their coffee, or if you are not a coffee drinker, what do you prefer instead? Vanessa, we can start with you.

Vanessa Kruger: Well, I’m definitely a coffee lover. Black and strong coffee without sugar. You know, there’s always an excuse for coffee chats throughout the day.

Fernando Bucelli: Well, in my case, Caetano, a black coffee without sugar six times a day – or more – depending on the problems we have to solve.

Gabriel Carvalhal: All right. I like coffee. My favorite is probably the classic Brazilian dripped, or the Pingado, world-famous Pingado. But I prefer beer for most occasions.

Carlos Caetano: That’s nice options, good options. I like a double espresso in the morning to start my engine, if you know what I mean. So that’s great guys, thank you for joining me on Coffee with the Council. It’s been a pleasure having you all.

Fernando Bucelli: It was great to be part of this podcast, thank you.

Vanessa Kruger: Definitely a good opportunity to discuss new requirements of PCI DSS v4.0 with my colleagues here. Thank you.

Gabriel Carvalhal: Yes, thank you all for the invite, Carlos and Council.

Like what you’ve heard? Subscribe to PCI SSC’s “Coffee with the Council” podcast by visiting any of the following platforms: Spotify, Anchor, Pocket Casts, or Google Podcasts. Coming soon, the podcast will also be available on Apple Podcasts and RadioPublic.