PCI DSS in the New Era for Data Protection
- N.Shatz, Director of Advisory&Architecture @Orange
- Jul 5, 2020
- 3 min read
Updated: Jul 6, 2020
Flashback: February 2016. The PCI Security Standards Council issued this statement about the continuous development of the PCI DSS, one of the leading global cyber security standards: “The payments industry recognizes PCI DSS as a mature standard(…). Moving forward, you can likely expect incremental modifications to address the threat landscape versus wholesale updates to the standard”.
It seems that a great deal has happened in technology and cyber security since the statement above. In fact, so much has happened that the PCI DSS is now facing more than just modifications: a significant update to align it with recent trends and changes. Version 4.0, due to be released in mid-2021, will bring significant changes, signalling a change of approach to security in many domains, especially in the payment industry, which is always full of innovation and technological advancement.
This may teach us that, from the perspective of information security, anything can happen in a very short time. Even when things seem static, stable or “mature”, under the surface there are strong currents of change and development that can burst out suddenly and create tectonic movements. We should always be ready for them and tap into those subterranean movements to understand how they will shape the future.
Indeed, since the PCI SSC issued this statement, technology has evolved dramatically and even revolutionised itself, especially in product and application environments. We have seen containers, serverless functions, new ways of delivering software and applications, and a whole new approach to protecting applications and product environments continuously, called DevSecOps. And perhaps above all, the ever-accelerating mass transition to the “Cloud”.
So, with PCI DSS v4.0 approaching, what are the main challenges in modernising the standard so that it fits today’s trends, and how would we expect the PCI security standards to address evolving changes in the technology and security worlds?
1. Addressing modern environments – Better alignment with cloud architecture and with modern product environments and development practices. Address and include specific requirements and guidance around DevOps processes and Continuous Integration, Continuous Delivery (CI/CD) and Continuous Deployment methods.
2. Better alignment with industry security standards and frameworks – Security standards are widely adopted by businesses today. These include ISO 27001, NIST CSF, CIS 20 and even more specific ones such as ISO 27017 for cloud security. Security is much more regulated and audited today, and it is difficult to maintain compliance with one standard, much less with multiple security standards and frameworks. PCI DSS must have the ability to “communicate” with, rely on and map to additional industry standards, so that compliance is a simpler task and businesses can focus on the security controls and objectives rather than on audits and submissions.
3. Better flexibility – In the early days of PCI DSS, security solutions and controls were a simpler matter. Firewall, IPS/IDS, antivirus, audit trail, penetration testing, policies – and you had your security programme. Today, with the abundance of security solutions, techniques and tools on the market, managed services, and not to mention the less traditional corporate environment and new perimeter, there are many more ways to reach the desired security outcomes or objectives. The PCI DSS should incorporate greater flexibility, be less prescriptive and encourage multiple ways to reach the intended goals.
4. Security as a continuous process – As already mentioned in relation to modernising the standard for DevOps and CI/CD methods and tools, more than ever before security should be a continuous process, and security compliance should be achieved and validated continuously using dedicated auditing, reporting and monitoring methods, not just during the annual assessments or by external auditors. Changes are also much more frequent, and the dynamic nature of the technology environment requires continuous validation, scoping and impact assessment.
With the above principles in mind, the PCI DSS (and any major security standard) will be able to support today’s security industry challenges, such as the transition to cloud, new software delivery processes and the dynamic, continuous nature of data protection.
Guest writer: Nadav Shatz,
Director of Advisory and Architecture at Orange Cyberdefense | Trusted Cyber Security Advisor