
4 Key Takeaways From the PCI 4.0 Community Meeting

September 21, 2022 | Richard Haag

The North American PCI Community Meeting has wrapped up after 3 days in Toronto, Canada. By far the most celebrated takeaway was being physically present after 2-3 years of virtual conferences. It was great to finally get together, catch up with clients and industry peers, share a drink with colleagues, and discuss the latest challenges facing the PCI community.

Presentations covered numerous topics, including general cyber threats and high-level overviews of PCI DSS 4.0.  

For those that could not make it to the PCI Community Meeting, our team has compiled a list of four key takeaways and themes that were consistently discussed throughout all of the presentations. These include:

  1. Do not wait until 2025 to transition to PCI-DSS 4.0.
  2. PCI-DSS 4.0 is still being refined; the PCI Security Standards Council (PCI-SSC) is open to any and all feedback.
  3. Service providers are currently a primary target for compromise.
  4. E-commerce payment pages must be protected.

Let’s review these in more detail.

1. PCI-DSS 4.0 Countdown – 2 Years, 6 Months and Counting

Per statements made within our PCI DSS 4.0 Transition Plan, organizations cannot afford to wait on planning and implementation of PCI-DSS controls. For some organizations, the migration to PCI-DSS 4.0 may be relatively easy; however, larger organizations may need to reconfigure their network, purchase new hardware and software, and assign resources to document and implement new controls. Efforts to migrate to PCI-DSS 4.0 will take time. Intersec has already begun to assess organizations using the PCI-DSS 4.0 standard with the intent of providing a list of control failures organizations will need to work on.

2. PCI-SSC – Feedback is Encouraged

The council appears to recognize that some of the proposed changes and statements in PCI-DSS 4.0 and the related SAQs and reporting requirements represent significant challenges, both to organizations implementing PCI-DSS 4.0 and to the QSAs/ISAs who must assert compliance or non-compliance with the new standard.

Unfortunately, specific details related to new controls or interpretation of the controls were not directly discussed; however, the council made clear that they are willing to listen and that the standard will be undergoing refinement as feedback is received and acknowledged. 

One clear change which will likely happen sooner rather than later concerns the concept of “In-Place with Remediation”. This concept was initially introduced to add transparency to assessments and to record control failures found by QSAs. QSAs will always find minor issues from year to year, typically because interpretations shift from one year to the next as the threat landscape changes; after remediation, these findings end up being marked “In-Place” in the final report. The PCI assessment process has always been considered “Point-In-Time”, even though some controls must be validated over time, such as quarterly reporting.

The primary concern of QSAs and Participating Organizations alike is that, since the beginning of PCI, service providers have been required to include an acknowledgment of shared cardholder data and a commitment to maintaining compliance with PCI-DSS. Having a statement in a ROC suggesting they were not compliant for a period of time represents a legal liability.

3. Service Providers Are Under Attack!

Based on the tone of the presentations and discussions with the card brands, service providers are now a prime target. This is natural given that a single successful attack could provide access to hundreds of merchants who use the service provider. The brands will be pressing merchants and the financial institutions responsible for a given merchant’s payments to ensure service providers are registered and compliant.

Service providers who suggest they are “Not in Scope” and therefore not subject to PCI-DSS may quickly find themselves losing clients to service providers who have invested in PCI-DSS 4.0 compliance. This includes, but is not limited to, e-commerce providers, hosting providers, marketing firms responsible for web development, and potentially managed security providers. Mastercard, for example, is strongly recommending that service providers complete a Designated Entities Supplemental Validation (DESV) in addition to a ROC (Level 1) or SAQ D (Level 2). [1]

[1] mastercard.us/en-us/business/overview/safety-and-security/security-recommendations/site-data-protection-PCI/service-providers-need-to-know.html

4. E-commerce Payment Pages Must Be Protected

Finally, the council appears to have acknowledged that merchants embedding third-party iframes and JavaScript into payment pages are at risk. PCI-DSS 4.0 and the related SAQ-A now include controls that require merchants to protect payment pages, maintain an inventory of the scripts running on payment pages, and alert merchant personnel in the event that script content changes or appears malicious.

This is a significant change, as it brings web servers into scope which previously may have been descoped on the basis that they do not store, process, or transmit cardholder data.

This will likely have a greater impact on service providers providing hosted shopping carts or payment pages as well. Priority 10 within the Intersec PCI 4.0 Transition Plan describes the controls merchants should be implementing to address this threat and meet PCI 4.0 compliance.

If your organization is starting to think about a PCI 4.0 transition plan, let our experience guide you!

The QSAs of Intersec Worldwide dissected and analyzed the PCI Data Security Standard (PCI-DSS) version 4.0 to identify transitional impacts on our clients’ compliance programs.

We not only share our findings, but we outline 26 key priorities step-by-step to help your organization get on track with the new standard. View the PCI 4.0 transition plan now and download a free copy of our findings!