Tuesday, October 20, 2020
PCI SSC executive director Lance Johnson noted that recent challenges deepened the council’s resolve to support the industry. “While many of the challenges we experienced have been new and different, the council’s mission remains the same: to support the needs of the global payments industry and enhance global payment account data security,” he said.
Troy Leach, senior vice president, engagement officer for market intelligence and stakeholder engagement at the PCI SSC, thanked payments industry stakeholders and members for helping the council evolve the PCI DSS. “Collaboration from the industry helps PCI SSC ensure that our security standards continue to meet the changing needs of the industry,” he said. “The standards are updated to address emerging payment channels, the changing threat landscape and to increase standards alignment within the industry.”
Leach additionally noted that the council received more than 3,200 responses to its latest Request for Comments (RFC) on PCI DSS v4.0 draft. This exceeded all previous feedback to a PCI SSC RFC. Forty percent of participating organizations' feedback came from merchants, and the council has extended its traditional six-week RFC period, he stated. A second RFC, opened Sept. 23, will give organizations until Nov. 13 to review and comment.
“Because PCI DSS v4.0 is currently in draft form and open to industry comment, it’s too early for us to speculate on what the final changes to the standard will look like,” Leach said. “What we know is that the current PCI DSS v4.0 draft proposes a new customized approach that could provide organizations more flexibility for meeting the security objectives of PCI DSS requirements if they have a mature risk model that has adapted sophisticated controls to address the intent.”
The proposed new approach for meeting PCI DSS requirements focuses on security objectives, Leach noted, emphasizing that this approach requires robust and mature risk management practices. Proposed changes to authentication in the new standard will be influenced by industry feedback and consider how different authentication methods and practices are being used as technology evolves, he said.
Leach acknowledged that recent months have been challenging across the board for payments and encouraged industry stakeholders to visit the PCI SSC’s COVID-19 web page, which is frequently updated with tips on maintaining compliance during and after the global pandemic.
“The council created a COVID-19 web page dedicated to resources to help the industry during this time,” Leach said. “Topics ranging from how to perform remote assessment securely, to adjusting deadlines based on various industry challenges to guidance for small merchants on how to move from a brick and mortar presence to ecommerce in a secure manner.”
Leach mentioned that cybercriminals are preying on people’s concerns by creating malicious COVID-related URLs and expanding phishing attacks on new remote workers. Organizations must remain diligent and mindful of risks, he stated, adding that it’s imperative to view security as a 24/7 activity and be cautious when clicking links.
Leach advised organizations to use PCI SSC online training programs to educate employees and to ask managed service providers how the pandemic has affected development efforts, production and deployment. The council has prepared several questionnaires for third-party service providers that are even more relevant now, he stated.
For more information on the PCI SSC’s RFC process and current RFCs, visit www.pcisecuritystandards.org/get_involved/request_for_comments .
For more information about all PCI Council efforts and activities, including how your organization can participate, visit www.pcisecuritystandards.org/get_involved . 
The Green Sheet Inc. is now a proud affiliate of Bankcard Life, a premier community that provides industry-leading training and resources for payment professionals. Click here for more information.
Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.
