Beware of the PCI DSS v4.0 Rabbit Hole


5 Jun 2023

The incoming PCI DSS 4.0 security standard could find many merchants tumbling down a compliance rabbit hole. But there’s still time for brands to adjust their security strategy and stay on their feet.

Recently, we looked at how PCI DSS v4.0 requires merchants to view security as a continuous process and how this demands a new mindset. This shift is vital for organizations as they switch to PCI DSS 4.0 standards ahead of the retirement of v3.2.1 on March 31, 2024. The remaining requirements of PCI DSS v4.0 become mandatory a year later.

The scope of PCI and the sheer number of requirements have snowballed since the standard arrived in 2004, which makes sense. The world is now a very different place – and it’s getting riskier too.

Almost half (47%) of IT professionals believe that security threats are increasing in volume or severity, according to a 2023 report by Thales. More than one-third (37%) experienced a data breach in the past 12 months. Simple human error, misconfiguration or other mistakes were a leading cause of problems.

Phishing is a growing issue – as illustrated in some high-profile instances reported by Meanwhile, the Zscaler ThreatLabz 2023 Phishing Report charts a 47% year-on-year increase. Apparently, attackers are exploiting emerging opportunities related to debt relief programs, ChatGPT and the job market.

The task of keeping pace with risk is becoming far more onerous.

Can you spare 10x the resources?

PCI DSS 4.0 covers networking security controls, account data storage, patching and vulnerability scanning – at a depth not seen before. More than 60 requirements are specified for v4.0, with 13 needed by March 2024 – so the pressure is on. Achieving compliance may require up to 10 times the resources spent by organizations previously — even if teams can meet the upcoming deadlines.

But what happens if they don’t make it, especially in the demanding area of secure storage?

In essence, merchants put their certification and credibility at risk. Exactly how the acquiring banks respond to this in terms of fines or transactional increases remains to be seen. Fortunately, there are some mitigation measures in place.

Merchants can state that they’re using compensating controls or following a Customized Approach to address specific requirements. In other words, the right ‘intent’ is there and some measures are in place, even though the standard hasn’t yet been followed to the letter.

The new Attestation of Compliance template includes a checkbox to show if any compensating controls or Customized Approaches have been used with the top-level PCI requirements.

On paper this sounds like a pragmatic move, perhaps buying time for companies to invest in new systems or reorganize their processes. But these are not soft options.

Watch out for rabbit holes

All merchants and service providers will have to complete around 10 Targeted Risk Analysis (TRA) templates for those specific PCI DSS 4.0 requirements, plus more TRAs and evidence of mitigating defenses for any they fail to meet and where they follow a Customized Approach (CA).

TRAs require close examination and sign-off from Qualified Security Assessors (QSA) … not just once, but repeatedly until they are superseded by full PCI DSS 4.0 compliance.

This could feel as if you’re tumbling down a bottomless rabbit hole.

The uncomfortable truth is that merchants who’ve ‘winged it’ with PCI until now — and somehow succeeded in avoiding a data breach in the meantime — will find themselves in the spotlight. Any straw man frameworks and workarounds will be laid bare. QSAs, acquiring banks and the card providers will know there’s a question mark hovering over them.

And if a data breach does occur, then the consequences could be devastating.

Finding a Plan B

As March 2024 gets closer, there’s still time for merchants to rethink their PCI DSS security strategy.

Maybe sorting your own compliance was simple enough in 2004, reasonably straightforward in 2015 and – at least – bearable in 2022. But do you want to scale the heights of PCI DSS v4.0 on your own? And do you have the time and resources?

An alternative path is available where you team up with a payment partner who will process and transmit all cardholder data to the payment provider on your behalf via the cloud. Put simply, sensitive data never enters your environment – putting it beyond the reach of rogue agents, hackers and phishing specialists.

Crucially, this also means your systems stay beyond the scope of PCI DSS v4.0. Your partner provides the Attestation of Compliance you need.

Now you can breathe easily. Overnight, a mountainous PCI DSS v4.0 readiness program is reduced to a simple set of checks to achieve compliance. And those hours of investigation with a QSA circling around the same issues repeatedly over weeks and months can be replaced by a simple conversation taking minutes.

Download your copy of our Definitive Guide to PCI DSS Compliance.

This jargon-free guide tells you everything you need to know about protecting your customers and preparing your organization for PCI DSS v4.0.


Get in Touch

Contact us today, our security experts can help your organization navigate PCI DSS v4.0.
