PCI DSS is not a new thing, in fact, it has been around since December 2004. As with any security programme it has been regularly updated to ensure it is fit for purpose in the modern day. It’s due another major change moving from its current iteration (3.2.1) to Version 4.0. The latest version is mandatory from April 2024 which means that after this date, once your compliance with 3.2.1 has run out, you must move to v4.0.
With v4.0 being a major upgrade, there are a plethora of changes. Too many to discuss in this posting so instead we have chosen to discuss the areas which affect websites, in particular, those which completely outsource the processing, storage and transmission of any Cardholder Data (CHD). This will impact those websites that use URL redirects or iFrames to capture Cardholder Data.
If you have these types of Third-Party Service Provider integrations within your E-com environment, you’ll typically complete a PCI DSS Self-Assessment Questionnaire A, also known as a SAQ-A.
The Changes and Potential Impact
Let’s work through the changes and how they may impact on your business.
Kicking off gently with a couple of business operational controls. First off, a formal requirement for data retention and disposal policies and procedures specific to paper-based records has been included (3.1.1, 3.2.1), which could incur additional operational overheads for entities still receiving acquirer chargeback letters or storing any other paper receipts or reports containing CHD.
Then the focus shifts to vulnerability management (6.3.1) and the requirement to have a defined vulnerability management documentation set, supplemented by a risk management process to assess, measure and rank relevant vulnerabilities. Again, soft cost overheads will be incurred to evaluate, and risk treat any potential vulnerability exposures.
Supplementing the new vulnerability management processes is the requirement to scan your in-scope web servers for vulnerabilities on a quarterly basis. This will result in a financial impact to the business as these scans must be conducted by a PCI Approved Scanning Vendor (ASV), however shop around as these scans should be relatively inexpensive.
Some changes to existing technological controls would not appear too significant, tweaks to current configuration settings, which should not impact financially but could prove problematic. Primarily around access control mechanisms, changes include increasing the minimum password length to 12 characters (8.3.6), implementation of password history so users cannot use any of the previous four passwords (8.3.7) and a relaxation in the use of shared or generic accounts (8.2.2).
Saving the best until last; a combination of operational controls and technological solutions will be required to manage scripts that are loaded from your payment page and ran within the context of the consumers browser (6.4.3) and any tampering or change of HTTP headers or other content of the payment page hitting the consumers browser (11.6.1).
The introduction of these two new controls has invoked much industrial consternation – so much so that the PCI SSC have promised an information supplement to provide guidance on how to specifically meet the intent of these new control requirements. We wait expectantly!
Planning for Change
Fail to prepare, prepare to fail!!! The key to most successful projects or programmes to manage change is undertaking an initial gap analysis, or readiness assessment; and PCI is no different. These will identify where current security controls are in place or insufficient and what needs to be done to ensure those that are lacking are bought into compliance. The results should implicitly form the foundation for the project plan toward full compliance.
PCI DSS can be a minefield. It doesn’t need to be. We can help you simplify the whole process and where possible, reduce your scope. If we can reduce your scope, we can reduce your risk, the efforts required to maintain your compliant PCI DSS programme and of course, reduce the initial and ongoing costs.
If you are unsure where you stand, let’s have a chat. We offer a variety of services from scope reductions to QSA assisted SAQ’s to full audits and the completion of your Report on Compliant (RoC) and Attestations of Compliance (AoC). Right now, it may be worthwhile looking at your existing obligations and mapping those against the new standard so we can find the gaps allowing you to plan ahead.
To speak with us regarding a PCI DSS v4.0 GAP analysis, call 0203 855 0895.