A guide to PCI DSS v4.0 compliance for payment service providers
As more organizations outsource their payments processes to payment service providers (PSPs), reducing their compliance liabilities against standards such as PCI DSS v4.0, the role of PSPs in the payments ecosystem continues to expand.
A new version of PCI DSS comes into force from March 31, bringing with it a raft of changes for merchants and service providers alike. For PSPs, these changes are far-reaching, as a majority of updated and newly introduced controls will apply.
In this post, we’ll explore what the latest PCI DSS changes mean for PSPs. We’ll explain the new scope revalidation controls and how evidence-based data discovery methods support the scoping process. We’ll also look at how data discovery can support sustainable compliance across the new standard and provide a five-step guide on how you can prepare.
Introducing PCI DSS v4.0 — What you need to know
The Payment Card Industry Data Security Standard (PCI DSS) sets strict standards for cybersecurity that service providers must meet. Most PSPs will need to comply as Level 1 Service Providers, requiring an annual QSA-led assessment against the full set of PCI DSS controls.
PCI DSS v4.0 comes into force from March 31 this year. With expansive networks processing significant volumes of cardholder data (CHD), PSPs must be prepared to address the latest updates ahead of the compliance deadline.
Robust Technical Cyber Controls
While merchants can outsource payment processing and account data handling, it’s PSPs that have the responsibility for managing these critical functions on their behalf.
Service providers have up to 64 new controls to meet when PCI DSS v4.0 becomes mandatory later this year. Eight of these can be directly supported with periodic data discovery scanning, and with advanced discovery solutions, remediation-in-place capabilities may help to address issues of non-compliance when these occur, as we’ll explain shortly.
New Scope Revalidation Obligations
Under the new standard, PSPs are required to verify their PCI DSS scope every six months (12.5.2). For PSPs assessed using Designated Entity Supplementary Validation (DESV) controls, this is required every three months. Further scope revalidation is necessary following significant changes to organizational structure (12.5.3).
While scoping has always been a prerequisite for compliance and annual assessment, this is the first time it has been formalized in the requirements.
Evidence-based data discovery solutions, such as Enterprise Recon, simplify the scope validation process by identifying and verifying:
- All locations of stored account data — advanced discovery tools use context-defined pattern matching to identify data wherever it is stored across on-premises and cloud-based environments. The ability to uncover hidden stores of payment information is crucial to PCI DSS compliance. The latest version of the standard also requires organizations to be able to identify and respond to any unauthorized locations of data, which can be achieved through periodic data discovery scanning.
- Network boundaries of the cardholder data environment (CDE) — using discovery scanning tools enables organizations to verify the boundaries of their CDE by confirming that all data stores are located within the defined environment. Discovery scanning that can identify data in volatile memory can also help validate that temporary processing environments sit within scope boundaries.
- All in-scope assets — using the results of discovery scanning, organizations can verify their in-scope assets based on the locations of account data and data flows, following PCI DSS scoping guidelines.
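As an added illustration of the context-defined pattern matching described above (this is example code, not Ground Labs' or Enterprise Recon's logic), the scanner below shows the core of a card data discovery check: a candidate digit run, a Luhn check to discard ordinary reference numbers, and a look for nearby context words. The sample text, the keyword list and the masked-output format are constructed assumptions.

```python
"""Minimal evidence-based PAN discovery scan (constructed example)."""
import re

# Candidate PAN: 13 to 19 digits, optionally grouped with spaces or dashes.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# Context words near a Luhn-valid number raise confidence that it is account data.
CONTEXT_WORDS = ("card", "pan", "visa", "mastercard", "exp", "cvv", "payment")


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check: every real PAN passes it, most random digit runs do not."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Report only first six and last four digits so the evidence itself is not CHD."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def scan_text(text: str, window: int = 40) -> list:
    """Return one finding per Luhn-valid candidate with its line number and context flag."""
    findings = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if not luhn_valid(digits):
            continue  # looks like an order id or timestamp, not a PAN
        line_no = text.count("\n", 0, m.start()) + 1
        nearby = text[max(0, m.start() - window): m.end() + window].lower()
        findings.append({
            "line": line_no,
            "masked_pan": mask_pan(digits),
            "has_context": any(w in nearby for w in CONTEXT_WORDS),
        })
    return findings


# Constructed sample file contents; the card numbers are public test numbers.
SAMPLE = (
    "Customer card: 4111 1111 1111 1111 exp 12/26\n"
    "order ref 1234567890123456 shipped\n"
    "notes 5500000000000004\n"
)

if __name__ == "__main__":
    for finding in scan_text(SAMPLE):
        print(finding)
```

Findings without context (such as the third line) are the ones a reviewer would triage as possible false positives or as an unexpected data location.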
Data Discovery beyond scoping for PSPs
Across the standard, advanced data discovery tools like Enterprise Recon can support up to 22 controls and sub-controls, as well as five further controls from Appendix A1 and Appendix A3, including eight of the 64 new controls introduced in v4.0 of the standard.
| Requirement | Controls | How data discovery supports compliance |
| --- | --- | --- |
| 1: Install and maintain network security controls | 1.2.3, 1.2.4 | Data discovery scanning can be used to validate the network boundaries of the CDE, as well as demonstrating that data flows map account data accurately. |
| 3: Protect stored account data | 3.2.1, 3.3.1, 3.3.2, 3.3.3, 3.4.2 | Data discovery scanning identifies any cardholder data, including sensitive authentication data, wherever it is stored. Periodic discovery scanning can be used to confirm that data has been deleted when it has exceeded its retention period. Organizations that store sensitive authentication data must be able to verify that it is removed following authentication, or when no longer required. |
| 6: Develop and maintain secure systems and software | 6.5.2, 6.5.5 | Verifying that a significant change has not impacted scope boundaries, and that CHD is not present in non-production environments, is supported by data discovery scanning. |
| 12: Support information security with organizational policies and programs | 12.4.2, 12.5.1, 12.5.2, 12.5.3, 12.10.7 | Data discovery scanning can be used to confirm that operational procedures involving cardholder data are being followed so CHD remains in the CDE. As part of periodic scope revalidation and following organizational change, data discovery scanning is essential to confirm in-scope systems, network boundaries, data flows and data repositories. Advanced discovery solutions support remediation-in-place for data found in unexpected locations. |
How to prepare: A guide for PSPs
With time running out to comply, here are the five key steps to follow for PCI DSS v4.0 compliance:
- Start from what you know
Make sure you are compliant with PCI DSS 3.2.1.
While PCI DSS v4.0 introduces a number of changes, from a security perspective most of these are an evolution of the previous version of the standard. If you’re compliant with v3.2.1, you will be well on your way to meeting the requirements of version 4.0.
- Uncover your unknown unknowns
Once you’re ready to migrate to PCI DSS v4.0, start with your scope. Revalidate your network boundaries and data storage locations. It may be beneficial to run a data discovery scan of all your network locations — including those outside your existing scope, email and cloud storage — to identify any ‘unknown unknowns’ or unexpected locations of account data.
- Mind the gaps
Now that you’ve revalidated your scope and identified any unexpected locations of account data, complete a detailed gap analysis of your environment against the new version of the standard. If you are compliant with v3.2.1, you may be able to focus your gap assessment on the updated and new controls in PCI DSS v4.0, but be aware of any other control weaknesses you identify as you complete your review.
- Plan for compliance
With the findings from your gap analysis, establish a remediation plan — an action plan for addressing control gaps. Assign owners and set delivery dates for each action and prioritize those controls that present the greatest risk to your security. If you’re unsure how to prioritize your remediation plan, it might help to refer to the Prioritized Approach for PCI DSS v4.0 published by the PCI SSC.
- Sustain and maintain
The purpose of PCI DSS is not to be a point-in-time set of controls. The assessment is a periodic activity, but compliance is a continuous process. Aim to establish the operation, oversight and management of PCI DSS controls as business-as-usual processes and ensure that there are mechanisms in place to report any control failures or weaknesses as they are identified.
How Ground Labs’ Data Discovery solutions support PCI DSS Compliance
Ground Labs’ award-winning Enterprise Recon PCI is trusted by organizations for its comprehensive card data discovery and remediation-in-place capabilities across the broadest set of platforms including support for cloud and email scanning.
Card Recon Desktop and Server editions offer industry-leading card data discovery designed for small and medium-sized businesses.
To find out more, book a call with one of our experts today.