With the publication of PCI DSS v4.0.1, at the latest, the requirements introduced with version 4.0 of the credit card data security standard are yesterday's news - or so one would think. After all, many PCI DSS v4.0 assessments have already been carried out in the past year. However, a significant proportion of the new requirements - 52 in total - are "future-dated requirements" that will not become mandatory until March 31, 2025. This means that companies pursuing a certification will once again be entering a hot implementation phase. Read here to find out why you should not underestimate the implementation effort for the future-dated requirements, which of them could cause you headaches and how best to approach their implementation.
Future-dated requirements: preparation
The 52 future-dated requirements of PCI DSS v4.0.1 can be divided into two categories:
Procedural requirements concerning, for example, security guidelines, processes, incident response plans, risk analyses or awareness training
Technical requirements concerning, for example, the encryption of credit card data, access controls, secure network configuration, logging, monitoring or vulnerability management
What is the best way to prepare for meeting the future-dated requirements? We recommend the following steps:
1. Confirm scope and understand requirements: Check which future-dated requirements apply to your environment and what impact they will have on your systems, your processes and your compliance status.
2. Develop a compliance plan: Carry out a gap analysis to identify deviations from the PCI DSS requirements in your environment. Derive from this what changes and adjustments you need to make to your environment. Finally, create a detailed action plan containing the individual steps, milestones, required resources and responsibilities.
3. Implement changes: Implement the steps defined in your action plan. Check whether you need to upgrade or replace any systems, for example, or whether you need to adapt guidelines and train employees accordingly.
4. Check whether the changes made are working and effective. You can do this with the help of internal resources. However, for an optimal assessment preparation, especially in more complex environments, it is advisable to commission an external and independent party for such an assessment.
5. Monitor the implemented future-dated requirements: Regular reviews throughout the year will help you to maintain your compliance status and uncover potential vulnerabilities as quickly as possible. Develop communication plans with all stakeholders, such as management, your IT department and third-party providers. This will allow you to gather feedback on vulnerabilities and areas for improvement. Document all changes and checks and maintain your documentation for increased transparency and in preparation for your actual assessment.
6. Stay up to date: PCI SSC updates: Check back regularly for updates and guidance from the PCI Security Standards Council (PCI SSC). Learn about industry best practices and be aware of new security threats that may impact your compliance efforts.
Future-dated requirements: It's these nine you should look out for
In our experience, some future-dated requirements require more effort to implement than others. We will take a closer look at nine future-dated requirements for which we expect a medium or high implementation effort for most companies. Please note that not all of these nine requirements necessarily apply to your environment. Therefore, as described in the section "Future-dated requirements: preparation", first review which of the requirements apply to your company.
Overview
| Req. | Topic | Effort | ||
| 3.5.1.1 | Use of keyed cryptographic hashing | High | ||
| 6.4.3 11.6.1 | Prevent and detect web-skimming attacks | Medium / High | ||
| 7.2.5 7.2.5.1 8.3.2 8.6.1-3 10.2.1.2 | Handling of technical accounts | High | ||
| 3.5.1.2 | Disk encryption no longer sufficient | High | ||
| 3.4.2 | Prevention of PAN copying when using remote-access technologies | Medium | ||
| 8.4.2 | MFA for all non-console CDE access | Medium | ||
| 11.3.1.1 | Other applicable vulnerabilities (those not ranked as high-risk or critical per the entity’s vulnerability risk rankings defined at Requirement 6.3.1) are managed | Medium | ||
| 11.3.1.2 | Internal vulnerability scans must be authenticated scans | Medium | ||
| 12.3.1 | Targeted risk analysis: Each PCI DSS requirement that provides flexibility for how frequently it is performed (for example, requirements to be performed periodically) is supported by a targeted risk analysis | Medium | ||
Tipps and best practices
Does your company have to fulfill some or all of the listed future-dated requirements? To make implementation easier for you, we have some tips and best practices for the individual requirements:
Keyed Cryptographic Hashes
Identify all scenarios / contexts in which PAN hashes are currently used. Evaluate the need for PAN hashes and make sure that you really only store them when absolutely necessary.
Key management procedures require regular rotation of the hashing key. This leads to different hash values for one and the same PAN. Depending on the usage scenario, this can disrupt certain functions or require adjustments to the implementation.
The Customized Approach can now be used to meet this requirement with PCI 4.0.1 and could be an alternative to implementing this requirement.
Prevent and detect web skimming attacks
Identify all payment pages on which an iFrame is used. Payment pages that are implemented via redirect do not fall under this requirement.
Subresource Integrity (SRI) and Content Security Policy (CSP) can be used as a self-developed approach. Alternatively, there are commercial solutions for managing and securing the scripts on the payment pages that are PCI DSS compliant.
Handling of technical accounts
Identify all technical accounts on all system components that fall within the scope of the PCI DSS. Check the necessity of these accounts. Check where the passwords/phrases for these accounts are stored in plain text.
Configure the technical accounts (if possible) without the option of interactive login. Use a commercial PAM solution to manage passwords in cases where interactive login is required for technical accounts. This guarantees accountability and traceability.
Disk encryption no longer sufficient
Identify which applications rely on disk encryption to protect cardholder data. Evaluate the best alternative encryption solution for each scenario.
The following solutions are available as an alternative to hard disk encryption:
- Tokenisierung
- Application encryption
- Database encryption
- Dedicated data security solution
Prevention of PAN copying when using remote access technologies
Determine the way in which users can access your Cardholder Data Environment (CDE) remotely. Check the options for restricting the copying of data via the remote access solution.
- Access to web applications is not considered "remote access" and this requirement does not apply to this scenario.
- There may be certain groups of users who have a legitimate business need to download PANs to their local devices. The solution implemented to prevent the copying of PANs via remote access technology must be able to differentiate between these users and others.
Multi-factor authentication for all non-console access to the CDE
Identify all user acccess (non-administrative) to the CDE systems and applications. Check whether multi-factor authentication (MFA) is already in place.
- This requirement also applies to customers if they have access to CDE systems or applications.
- Consider reusing existing MFA solutions for other user groups and customers.
- Customization of a central gateway that implements MFA for all CDE access is a good practice.
Changes to vulnerability management and vulnerability scans
Check your current scanning solution for options for authenticated scanning. This could also be agent-based.
- If network-based scanning is used, the credentials for the technical accounts used must be managed securely.
- Authenticated scans can lead to more findings. Combined with the requirement to handle low and medium findings, this can lead to a significantly higher workload for vulnerability management.
Targeted risk analysis
The new targeted risk analyses replace the company-wide risk management processes required in earlier versions of the PCI DSS. Learn more on the concept of the targeted risk analysis and get tips for its implementation here.
Outlook
Regardless of how many future-dated requirements you have to implement in your company due to your scope: With thorough preparation, you are well positioned to master this challenge too. Here is a summary of the most important steps:
Prioritize
Review your environment and its current status using a gap analysis to determine what changes are required to meet future-dated requirements.
Action plan & milestones
Develop a detailed action plan outlining the steps required to address the deviations found, including timelines, resources and responsibilities.
Test and validate
Carry out internal tests to ensure that all changes are effective and meet the new requirements.
In June, our colleague and PCI expert Nur Ahmad held a webinar on future-dated requirements. You can view the recording here.
Do you need help preparing for or implementing future-dated requirements in your company? Get in touch - our experts are happy to help.
