Although not yet finalized, early RFC drafts previewed by the PCI Security Standards Council indicate that while the 12 core PCI DSS requirements will remain the same, it is suggested that PCI DSS 4.0 will contain these updates:
Changes for Cloud Providers?
PCI DSS has historically considered all technologies, but the PCI DSS Security Standards Council suggests that PCI DSS 4.0 will “further [support] the use of different technologies, such as cloud, by introducing more flexibility to the wording of requirements and adding intent statements.” PCI DSS 4.0 is also anticipated to provide new guidance and considerations for specific technologies like cloud via an appendix to 4.0 which will clarify the roles and expectations for cloud providers. This expanded guidance regarding new technologies and cloud is expected as a response to increasing cybercrime threats against the payment card industry and to ensure PCI compliance end to end.
Additional Impacts of PCI DSS 4.0
While the 12 core PCI DSS requirements will remain, there is a suggestion that organizations will have new flexibility to create their own bespoke controls in alignment with the revised standards. It should be expected that this flexibility will need to be design documented and meet compliance testing requirements. Organizations should consider that PCI DSS 4.0 may enhance or change requirements for monitoring, authentication, encryption, testing and assessment, and access. Perhaps one of the more forward-looking impacts of PCI DSS 4.0 is identifying budget requirements for implementation. While precise guidance as to budget expectations can’t be determined today, the finalization of PCI DSS 4.0 standards should provide an ample window for budget development. It is frequently mentioned that the best way to prepare for PCI DSS 4.0 tomorrow, is to assure 100% compliance with PCI DSS V3.2.1 today. Watch this space for additional updates on PCI DSS 4.0.
Payment protection you can trust
Protecting digital cardholder data requires adherence to all of the PCI DSS data security standards and at Otava, we’re sure to stay current with the requirements for PCI DSS 4.0. Otava undergoes annual, independent auditing against all of the PCI DSS protocols required for Level 1 compliance to maintain placement on VISA’s list of approved vendors. We’ll make it easy to stay up to date with patches, and give you options for encrypted cloud backup with real disaster recovery capabilities. Whether you’re running your applications in the cloud or on collocated servers, don’t take chances on a data breach of cardholder information.
Penalties for non-compliance and losing consumer trust are never good outcomes. That’s why there’s no substitute for proactive diligence. We’re here to be your watchdogs.
Cardholder and other sensitive data can be secure in the cloud – and more highly available – especially when you know the physical location of your data and have evidence of the appropriate safeguards in place.
If you already own servers, elect to manage them yourself, or need a viable compliant and secure offsite backup and disaster recovery location, that’s right in our wheelhouse.
Otava’s PCI-compliant recovery sites keep your core systems fully tested, managed and protected.
Otava provides the secure, compliant hybrid cloud solutions demanded by service providers, channel partners and enterprise clients in compliance-sensitive industries. By actively aggregating best-of-breed cloud companies and investing in people, tools, and processes, Otava’s global footprint continues to expand. The company provides its customers in highly regulated disciplines with a clear path to transformation through its effective solutions and broad portfolio of hybrid cloud, data protection, disaster recovery, security and colocation services, all championed by an exceptional support team. Learn more at www.otava.com.