The Green Sheet

Friday, October 29, 2021

Envisioning PCI DSS 4.0 and beyond

The PCI Security Standards Council (PCI SSC) hosted its annual Global Community Forum (GCF), Oct. 26 to 28, 2021, a three-day event that addresses security best practices, emerging threats and pandemic-related challenges. Held virtually, the gathering attracted nearly 3,500 attendees who discussed information security trends and looked ahead to the next iteration of the Payment Card Industry Data Security Standard (PCI DSS), PCI DSS 4.0.

GCF agenda highlights included presentations by Lance J. Johnson, executive director, and Lauren Holloway, director of data security standards, at the PCI SSC, and a keynote address by J.R. Martinez, best-selling author, motivational speaker and wounded U.S. Army veteran.

In opening remarks, Troy Leach, senior vice president, market intelligence and stakeholder engagement at the PCI SSC, commended attendees for ongoing efforts to educate leaders, colleagues and customers on potential risks and adjustments needed to protect sensitive data.

"While we miss opportunities to catch up in person, we've done a good job of staying connected as a community," Leach said. "And we're here to celebrate these connections as we actively engage throughout video presentations by industry experts."

Protecting the payments ecosystem

In a post-conference interview with The Green Sheet, Leach pointed out that the PCI DSS is constantly evolving in response to changing industry trends. Remote assessments, for example, were initially implemented as a stopgap measure during the pandemic but were found to be secure and beneficial and are gaining popularity among security professionals.

"Several years ago, I showed a compass in one of my presentations to demonstrate that PCI is a journey and we want that compass to always be heading north," Leach said. "At times we need to make adjustments to keep us focused on maintaining that northern direction, and we have a lot of different channels for receiving feedback, such as PCI forensic investigators, security assessors and fintechs who are rethinking payment protection and authentication."

Citing three priorities for protecting the payments ecosystem, Leach stated the first thing is being diligent when working in remote environments, the second is staying up to date, and the third is having a clear understanding of the role of third parties in a card data environment and how those third parties potentially influence security.

"Several of our special interest groups have focused on cloud security, and as we lean into these services, we need to understand who owns the risk and how does the environment get isolated and protected from other parties in the same environment?" Leach said, noting that there is a commonality between PCI requirements and other flexible software security frameworks. "I see that as one of our flagship standards going forward because whatever aspect of the payment transaction you're talking about, there's software involved."

Flexible standards, roadmap

Leach further noted that the payment data security standard will not be fully enacted until the first quarter of 2025, giving stakeholders a long runway to implement new requirements after multiple request-for-comment (RFC) periods. Participating Organizations, Qualified Security Assessors and Approved Scanning Vendors will preview PCI DSS 4.0 in January 2022, followed by public release of the standard in March 2022, he added.

Following are additional conference highlights:

"This week was a great example that no one person has all the answers," Leach said. "Just being able to come together as a global community and have conversations, that we wish had been in person, but even video chats and networking enabled people with different backgrounds to share their experiences."
