PCI DSS v.4.0 is here. Are you ready?

Background

PCI-DSS 4.0 was shaped by insights from over 200 organizations and 6,000 suggestions and tailored to meet the changing digital threats of modern payment ecosystems. Many changes are due to the payments industry's increased focus on cloud migration, insider threats, and the surge in online commerce exacerbated by the pandemic.

Additionally, PCI-DSS 4.0 is unique in offering the opportunity to achieve compliance via tailored customization to address and accommodate dynamic technologies and diverse implementations. While PCI-DSS continues to be mandated for an organization to perform the expected due diligence, the new 4.0 standard intends to allow companies to consider the “intent” of a PCI DSS objective and account for their unique infrastructure and risk level exposure.

This creates unchartered territories with new questions and more limited precedents. PCI Compliance Assessments are always time-consuming and resource-intensive; these new requirements add an element of uncertainty to successful completion.

Who does it apply to?

Any organization that deals with Credit or Debit cardholder data.

If you:

• Store
• Transmit;
• Process; or
• Can Otherwise Affect the Security of

Sensitive Credit or Debit card data, you are subject to PCI DSS 4.0 requirements.

In other words, your cardholder data environment (CDE) is in “in-scope,” and you are subject to its guidelines.

There are 4 Levels of PCI Compliance. What are my requirements?

The PCI-DSS payment security standards apply to anyone who works with and is exposed to payment data, cardholder information, and financial accounts. There are separate requirements for merchants and service providers. Service providers are defined as business entities that are not a payment brand but are directly related to the processing, storing, or transmitting of cardholder data on behalf of another organization₂.

For Merchants:

Source: https://www.mastercard.us/en-us/business/overview/safety-and-security/security-recommendations/site-data-protection-PCI/merchants-need-to-know.html

For Service Providers

Service providers include companies that provide services that affect or may affect cardholder data security. Such services include managed service providers with managed firewalls, IDS / IPS, other services, and hosting service providers.

Source: https://www.mastercard.us/en-us/business/overview/safety-and-security/security-recommendations/site-data-protection-PCI/service-providers-need-to-know.html

I am an existing VGS customer. What changes for me?

As a result of working with VGS, you are already in good shape with the default descoping of PCI compliance.

To ensure compliance with PCI 4.0:

• Prevent revealing any sensitive information in any endpoints that aren't part of the integration scope
• Confirm that appropriate personnel have limited access/roles and responsibilities to protect the data flow further and avoid any changes
• Ensure a change-and tamper-detection mechanism is deployed.
  • Per PCI DSS v.4.0, “a change- and tamper-detection mechanism is deployed to alert personnel to unauthorized modification (including indicators of compromise, changes, additions, and deletions) to the HTTP headers and the contents of payment pages as received by the consumer browser.”
  • For VGS Collect/Show: Tamper detection is the responsibility of the customer who is implementing the IFrame. VGS supports this capability by providing the hashes and integration guide.
  • For VGS Mobile SDKs: VGS supports these with a signed library or similar hashes that provide guarantees around tamper detection of the libraries. For the actual integration, VGS would validate that the events registered to the UI elements aren't allowed to bypass the VGS Collect SDK.
• Perform quarterly network scans by Approved Scan Vendor (ASV).
  • VGS does not currently directly offer ASV services, but we refer our customers to trusted ASV providers with whom we have good relationships. If you are already working with an ASV solution, you can continue working with your existing ASV to complete the scans on your behalf.

If configured correctly, VGS will continue to ensure that no sensitive cardholder data is exposed to your corporate environments.

Integration with VGS provides a solid foundation for minimizing enterprise risk around storing and handling sensitive data. You can use VGS' features to control how and where data is forwarded and eliminate additional compliance burdens while keeping the existing payment data flow out of scope for PCI compliance. The VGS implementation enforces the majority of the PCI DSS requirements that serve as evidence in a PCI assessment.

I need to implement PCI DSS 4.0. What should I be planning?

If you haven't begun, start immediately!

Here is a list of considerations (there are more) to get you started -

Digital Identities and Authentication

• Passwords: Improved length and complexity and more frequent password changes
• Expansion of Requirement 8: Clear instructions to confirm who users are and ensure they're really who they say they are
• Increased limitation and monitoring of vendor and third-party accounts
• Implementation of Multi-Factor Authentication for all CDE access

Encryption

• Expanded firewall terminology to support a broader range of technologies
• Improved management of cryptographic keys and certificates

Continuous Monitoring

• 6-monthly review of access privileges
• More frequent data discovery to locate sensitive information in cleartext
• Annual review and update of security awareness programs

How can VGS help me meet my PCI DSS Compliance needs?

A typical PCI Assessment covers a spectrum of needs across 12 requirements. We have simplified these, and have solutions to match the needs across all the requirements.

While people who participate in storing, processing, or transmitting cardholder data are part of the CDE, when implementing segmentation for PCI DSS scoping, these people do not have to be segmented or isolated from people who are outside of the CDE.

This is because the processes and technologies put in place to implement and maintain the segmentation also ensure that people in the CDE are the only ones with the requisite access.

Partnering with VGS

When customers partner with VGS, we provide them with a Responsibility Matrix, along with the breakdown and impact of the changes. This approach allows customers to establish a clear-cut plan internally, identify who is doing what by when, and leverage VGS expertise to minimize the compliance burden.

VGS provides PCI Compliance subscriptions and access to our knowledgeable list of preferred QSAs to perform an Audit, provide an AOC, and reissue an SAQ annually. VGS can also work with your preferred QSAs.

What are my next steps?

• Understand your organization's scope and team priorities to see if you have the time and resources needed to do this in-house by your annual assessment deadline.
• Plan out the most efficient way to meet the PCI DSS 4.0 requirements now and every quarter forward
• Contact us to see how we can help with your PCI compliance needs and prepare you for v.4.0.

PCI DSS 4.0 can feel daunting, but it doesn't have to be. The VGS Vault securely stores payment data, enabling organizations to descope their environments and fortify their security posture. We ensure that customers are confidently and constantly on top of changing PCI-DSS requirements, including for 4.0. Plus, we can recommend QSAs or work with your existing QSA to ensure a successful PCI audit that protects your data according to the latest regulations.

Read more about PCI Compliance with VGS here.

Ready to learn more? Contact Us here. 

Resources

1. https://stripe.com/guides/pci-compliance
2. https://pcidssguide.com/what-are-pci-service-provider-compliance-levels/