
PCI DSS 4.0 vs 3.0: How to Prepare for Compliance Changes


PCI DSS 4.0 is the latest version of the security standard mandated for the payment card industry. While regulations such as the California Consumer Privacy Act (CCPA) and the Health Insurance Portability and Accountability Act (HIPAA) garner most of the compliance headlines, there is another security standard that affects countless organizations and deserves extra attention this year. The Payment Card Industry Data Security Standard (PCI DSS) is a set of requirements mandated by the payment card brands and administered by the PCI Security Standards Council.

How do you know if you fall within the scope of PCI DSS 4.0? If you store, process or transmit payment card data, you do. Not every organization has to meet the same level of validation, however. The size of your business and the number of transactions you process place you in a particular merchant level. The highest level, for instance, applies to organizations that process more than 6 million payment card transactions a year.

Why the Need for PCI DSS 4.0?

The council is expected to publish PCI DSS 4.0 in the coming months. The updated standard was drafted from industry feedback, including over 13,000 comments from people within the industry. Although there have been point releases since its initial publication (most recently 3.2.1), PCI DSS 3.0 was released more than six years ago. In terms of cybersecurity standards, that might as well be forever. Not only have new technologies and defense strategies been introduced and embraced since then, attack methodologies have evolved as well.

Payment cards are a digital form of money, and where there is money, there are criminals trying to steal it. According to an article in Forbes Magazine, 25% of all malware targets financial services. From e-skimming attacks to large data breaches that expose the payment card data of millions of consumers at a time, the PCI SSC must keep its security requirements evolving to protect cardholders.

Compensating Controls Versus Customized Implementation

PCI DSS 3.0 takes a prescriptive approach to its security controls. As mentioned, not every organization can be expected to meet the same rigid requirements. An older company saddled with legacy equipment has a higher hurdle to clear than a startup with all-new equipment. To address this, PCI DSS 3.0 allowed compensating controls in situations where an entity could not meet a requirement exactly as stated. To be approved, a compensating control had to meet the following criteria:

  • Meet the intent and rigor of the original PCI DSS requirement
  • Provide a similar level of defense as the original PCI DSS requirement
  • Be “above and beyond” other PCI DSS requirements (not simply in compliance with other PCI DSS requirements)
  • Be commensurate with the additional risk imposed by not adhering to the PCI DSS requirement

The process of implementing compensating controls was widely considered burdensome and time consuming. Entities had to document a legitimate business or technical constraint that prevented meeting the requirement as written, and then show that the alternative met the requirement's intent.

One major change in PCI DSS 4.0 is a new customized approach to meeting requirements, which can be used in place of the traditional defined approach (compensating controls remain available for the defined approach). The purpose of this change is to give organizations greater flexibility in how they meet the standard. Where compensating controls were treated as a temporary fix to satisfy an assessor at the time, customized implementations are expected to serve as a permanent, designed-in way of complying. This approach also streamlines validation: a customized control does not require a documented business or technical constraint, because the entity is not deviating from the requirement. Instead, requirements are outcome based: each has a stated objective, and the entity documents (in a controls matrix backed by a targeted risk analysis) how its control achieves that objective, with the assessor testing the control against the outcome rather than against a prescribed implementation.

Technical Changes in PCI DSS 4.0 vs 3.0

While the twelve core requirements remain in place and have not been substantially modified, some details will change. Although the final text is not yet public, password requirements are one area that will almost certainly change. Expect changes such as the following:

  • Minimum password length increases from 7 characters to 12 (8 is permitted only where a system cannot support 12).
  • Where a password is the only authentication factor, it must be changed at least every 90 days (or the account's security posture must be dynamically analyzed), and any password must be changed on suspicion of compromise.
  • Passwords must contain both alphabetic and numeric characters.
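As an added example that is not PolicyPak tooling and not part of the original article, the following PowerShell script audits a Windows endpoint's local password and lockout policy against the PCI DSS v4.0 values as the editor understands them (requirements 8.3.4, 8.3.6, 8.3.7 and 8.3.9); treat the thresholds as assumptions to confirm with your QSA. It exports the local security policy with secedit, parses the [System Access] section of the resulting INF, and reports each setting as compliant or not, handling the sentinel values (-1 for "never expires" or "locked until reset", 0 for "no lockout") that a naive numeric comparison would get wrong. The $Sample hashtable is constructed data so the report can run without elevation.

```powershell
# Added example (not PolicyPak code). Thresholds are the editor's reading of
# PCI DSS v4.0 and are assumptions; confirm them with your assessor.
$Checks = @(
    @{ Name = 'MinimumPasswordLength'; Ref = '8.3.6'; Want = '>= 12 characters'
       Test = { param($v) $v -ge 12 } }
    @{ Name = 'PasswordComplexity';    Ref = '8.3.6'; Want = '1 (letters and digits required)'
       Test = { param($v) $v -eq 1 } }
    @{ Name = 'PasswordHistorySize';   Ref = '8.3.7'; Want = '>= 4 remembered'
       Test = { param($v) $v -ge 4 } }
    @{ Name = 'MaximumPasswordAge';    Ref = '8.3.9'; Want = '<= 90 days (-1 = never, fails)'
       Test = { param($v) $v -gt 0 -and $v -le 90 } }
    @{ Name = 'LockoutBadCount';       Ref = '8.3.4'; Want = '1..10 attempts (0 = no lockout, fails)'
       Test = { param($v) $v -ge 1 -and $v -le 10 } }
    @{ Name = 'LockoutDuration';       Ref = '8.3.4'; Want = '>= 30 min (-1 = until reset, passes)'
       Test = { param($v) $v -eq -1 -or $v -ge 30 } }
)

function Get-LocalPasswordPolicy {
    # Export the local security policy to a temporary INF (requires elevation)
    # and read the numeric settings under [System Access].
    $inf = Join-Path $env:TEMP ("secpol-{0}.inf" -f [guid]::NewGuid())
    try {
        $null = secedit.exe /export /cfg $inf /areas SECURITYPOLICY
        $policy = @{}
        $inSection = $false
        foreach ($line in Get-Content -Path $inf) {
            if ($line -match '^\[(.+)\]$') { $inSection = ($Matches[1] -eq 'System Access'); continue }
            if ($inSection -and $line -match '^\s*(\w+)\s*=\s*(-?\d+)') {
                $policy[$Matches[1]] = [int]$Matches[2]
            }
        }
        return $policy
    } finally {
        Remove-Item -Path $inf -ErrorAction SilentlyContinue
    }
}

function Test-PciPasswordPolicy {
    param([hashtable]$Policy = (Get-LocalPasswordPolicy))
    foreach ($c in $Checks) {
        $actual = $Policy[$c.Name]           # $null when secedit did not emit the key
        if ($null -eq $actual) {
            # LockoutDuration is only written when a lockout threshold is set,
            # so a missing key means the control is absent, not "default".
            $ok = $false; $shown = 'not set'
        } else {
            $ok = & $c.Test $actual; $shown = $actual
        }
        [pscustomobject]@{
            Setting   = $c.Name
            Actual    = $shown
            Required  = $c.Want
            Compliant = [bool]$ok
            Reference = "PCI DSS v4.0 req. $($c.Ref)"
        }
    }
}

# Constructed sample: a typical out-of-the-box standalone Windows workstation.
$Sample = @{ MinimumPasswordLength = 0; PasswordComplexity = 0; PasswordHistorySize = 0
             MaximumPasswordAge = 42; LockoutBadCount = 0 }
Test-PciPasswordPolicy -Policy $Sample | Format-Table -AutoSize

# Against the live machine (elevated PowerShell):
#   Test-PciPasswordPolicy | Format-Table -AutoSize
# Native remediation on a standalone host (complexity needs secedit or GPO, not net accounts):
#   net accounts /minpwlen:12 /maxpwage:90 /uniquepw:4 /lockoutthreshold:10 /lockoutduration:30
```

On the constructed sample every row comes back non-compliant, which is the point: Windows defaults fall well short of the v4.0 baseline, so the policy has to be pushed deliberately to every endpoint, domain-joined or not.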

The new version also recognizes the growing need for multifactor authentication. Under PCI DSS 3.2.1, MFA is required for non-console administrative access and for all remote access into the cardholder data environment; 4.0 is expected to require MFA for all access into the cardholder data environment, not just administrative access.

One obvious technical shift since the initial release of PCI DSS 3.0 is the dramatic move to cloud computing. PCI DSS 4.0 will explicitly accommodate cloud and serverless computing. New testing procedures will also be included so that assessors can verify both the presence and the effectiveness of implemented controls.

How PolicyPak Can Help

PolicyPak is a modern desktop management system that simplifies management, security, automation and reporting through policy enforcement. While PolicyPak cannot help with some of the core requirements, such as "restrict physical access to cardholder data" (requirement 9) or "regularly test security systems and processes" (requirement 11), it can help with many of the others.

For instance, changing your password requirements just became a lot harder in the era of the anywhere workforce. How do you avoid duplicating effort across domain-joined and MDM-enrolled machines, and still deploy the new policy to remote standalone and BYOD machines? The answer is PolicyPak Security Manager. In a single step you can create the password policy you need and export it using PolicyPak Security Manager (see the screenshot below). You can then deploy the new password settings using your preferred MDM solution, such as Microsoft Endpoint Manager or PolicyPak Cloud, which can push the policy to any connected Windows device.


Securing and Protecting your PCI desktop environment

PCI DSS requires that you "use and regularly update antivirus software or programs" (requirement 5) to protect against all types of malware. It also requires that you "develop and maintain secure systems and applications" (requirement 6) to limit exposure to exploits by deploying critical patches in a timely manner. PolicyPak has two tools to help with these. The first is PolicyPak Least Privilege Manager.

PolicyPak Least Privilege Manager uses our signature security tool, SecureRun™, to provide blanket protection. Think of it as an allow list without the hassle of maintaining one. It operates on a simple premise: when users download files from the Internet or copy them from a USB drive, they own those files, and a file only runs if its owner is on a list of trusted users, as seen in the following screenshot.

When SecureRun™ is on, PolicyPak Least Privilege Manager checks who owns the executable, MSI, script or Java JAR file and compares that owner against a list of identities trusted to introduce new processes. Below is the default list, which you can modify to meet your needs.

A file whose owner is not on the SecureRun™ Members list is untrusted, and any process launched from it is blocked. Properly installed applications (owned by the installing administrator or the system) keep running as before, while unknown applications and scripts are blocked, as shown in the following screenshot.
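To make the ownership premise concrete, here is an added PowerShell example (the editor's illustration, not PolicyPak or SecureRun™ code) that applies the same rule by hand: read each executable's NTFS owner, allow it only if the owner is one of the identities that legitimately install software, and flag everything else. The trusted-owner list and the scanned folders are assumptions; adjust them for your environment. The Zone.Identifier check (Mark-of-the-Web) is extra evidence that a file arrived from the Internet and is not part of the ownership rule itself.

```powershell
# Added example (not PolicyPak/SecureRun code): ownership-based allow-list check.
# Assumption: software is installed by these identities, so files they own are trusted.
$TrustedOwners = @(
    'NT AUTHORITY\SYSTEM',
    'BUILTIN\Administrators',
    'NT SERVICE\TrustedInstaller'
)
# File types that start a process when opened (assumed list; extend as needed).
$ExecutableExtensions = '.exe', '.msi', '.ps1', '.bat', '.cmd', '.vbs', '.js', '.jar'

function Test-TrustedOwner {
    param([Parameter(Mandatory)][string]$Path)
    # A file a user downloaded or copied from USB is owned by that user, not by
    # an installer identity, so it fails the owner check.
    $owner = (Get-Acl -Path $Path).Owner
    $decision = if ($TrustedOwners -contains $owner) { 'allow' } else { 'block' }
    # Zone.Identifier alternate data stream is written by browsers/mail clients.
    $fromInternet = [bool](Get-Item -Path $Path -Stream Zone.Identifier -ErrorAction SilentlyContinue)
    [pscustomobject]@{
        Path         = $Path
        Owner        = $owner
        Decision     = $decision
        FromInternet = $fromInternet
    }
}

function Get-UntrustedExecutables {
    # Folders where user-introduced executables usually land (assumed defaults).
    param([string[]]$Roots = @("$env:USERPROFILE\Downloads", "$env:USERPROFILE\Desktop", $env:TEMP))
    Get-ChildItem -Path $Roots -Recurse -File -ErrorAction SilentlyContinue |
        Where-Object { $ExecutableExtensions -contains $_.Extension.ToLower() } |
        ForEach-Object { Test-TrustedOwner -Path $_.FullName } |
        Where-Object { $_.Decision -eq 'block' }
}

# Report what an ownership-based policy would block on this machine.
Get-UntrustedExecutables | Format-Table Path, Owner, FromInternet -AutoSize

# Compare with something an installer placed under Program Files:
#   Test-TrustedOwner -Path "$env:ProgramFiles\Windows NT\Accessories\wordpad.exe"
```

Running the report before enforcing such a policy shows which user-owned scripts and installers are in daily use, so they can be reinstalled by an administrator (changing the owner) rather than being blocked on day one. One caveat a practitioner will want: ownership is only a reliable signal when users are not local administrators, since an administrator can take ownership of any file, which is why this kind of control belongs alongside least privilege rather than in place of it.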


Simplifying the Patching Process

Patching used to be relatively painless when everyone worked on-premises on an assigned, domain-joined computer. With employees spread across isolated remote workspaces, how does a network admin ensure that endpoint operating systems and applications stay up to date? The answer is PolicyPak Remote Work Delivery Manager. Whatever your remote employees need, be it recurring file updates, new software deployments or the latest packages, PolicyPak Remote Work Delivery Manager delivers it in a fully automated way. Watch this video demonstration of automatically updating applications from SMB and web-based shares.

Start Preparing for PCI DSS 4.0 Today

Like PCI DSS 3.0, many management systems were designed before today's hybrid, remote-first scenarios existed. Update your enterprise to PolicyPak to meet not only the new PCI DSS 4.0 requirements but also the challenges of managing a hybrid cloud environment in an insecure world.

Jeremy Moskowitz

Founder & CTO, Microsoft MVP in Group Policy, Enterprise Mobility, and MDM

Jeremy Moskowitz founded PolicyPak Software after working with hundreds of customers who shared the same problem: they couldn't manage their applications, browsers and operating systems using the technology they already had.
