01-26-21 | Blog Post

PCI DSS 4.0 and Cloud Services

Blog Posts

Although not yet finalized, early RFC drafts previewed by the PCI Security Standards Council indicate that while the 12 core PCI DSS requirements will remain the same, it is suggested that PCI DSS 4.0 will contain  these updates:

  • New requirements: New and revised requirements to address evolving risks and threats to payment data and to reinforce security as a continuous process;
  • New focus on security objectives: Requirements and validation options are redesigned to focus on security objectives to support organizations using different methodologies to meet the intent of PCI DSS requirements.

Changes for Cloud Providers?

PCI DSS has historically considered all technologies, but the PCI DSS Security Standards Council suggests that PCI DSS 4.0 will “further [support] the use of different technologies, such as cloud, by introducing more flexibility to the wording of requirements and adding intent statements.” PCI DSS 4.0 is also anticipated to provide new guidance and considerations for specific technologies like cloud via an appendix to 4.0 which will clarify the roles and expectations for cloud providers. This expanded guidance regarding new technologies and cloud is expected as a response to increasing cybercrime threats against the payment card industry and to ensure PCI compliance end to end.

Additional Impacts of PCI DSS 4.0

While the 12 core PCI DSS requirements will remain, there is a suggestion that organizations will have new flexibility to create their own bespoke controls in alignment with the revised standards. It should be expected that this flexibility will need to be design documented and meet compliance testing requirements. Organizations should consider that PCI DSS 4.0 may enhance or change requirements for monitoring, authentication, encryption, testing and assessment, and access. Perhaps one of the more forward-looking impacts of PCI DSS 4.0 is identifying budget requirements for implementation. While precise guidance as to budget expectations can’t be determined today, the finalization of PCI DSS 4.0 standards should provide an ample window for budget development.  It is frequently mentioned that the best way to prepare for PCI DSS 4.0 tomorrow, is to assure 100% compliance with PCI DSS V3.2.1 today. Watch this space for additional updates on PCI DSS 4.0.

Payment protection you can trust

Protecting digital cardholder data requires adherence to all of the PCI DSS data security standards and at Otava, we’re sure to stay current with the requirements for PCI DSS 4.0. Otava undergoes annual, independent auditing against all of the PCI DSS protocols required for Level 1 compliance to maintain placement on VISA’s list of approved vendors. We’ll make it easy to stay up to date with patches, and give you options for encrypted cloud backup with real disaster recovery capabilities. Whether you’re running your applications in the cloud or on collocated servers, don’t take chances on a data breach of cardholder information.

Penalties for non-compliance and losing consumer trust are never good outcomes. That’s why there’s no substitute for proactive diligence.  We’re here to be your watchdogs.

Additional Information

PCI Compliant Clouds

Cardholder and other sensitive data can be secure in the cloud – and more highly available – especially when you know the physical location of your data and have evidence of the appropriate safeguards in place.

PCI Compliant Colocation

If you already own servers, elect to manage them yourself, or need a viable compliant and secure offsite backup and disaster recovery location, that’s right in our wheelhouse.

PCI Compliant Disaster Recovery and Backup

Otava’s PCI-compliant recovery sites keep your core systems fully tested, managed and protected.

Overwhelmed by cloud chaos?
We’re cloud experts, so you don’t have to be.

© 2024 OTAVA® All Rights Reserved