Security Experts On PCI DSS 4.0 Released

By   ISBuzz Team
Writer , Information Security Buzz | Apr 01, 2022 02:54 am PST

Following the news that the PCI Council has released the latest update to the PCI Data Security Standard today (March 31).

1 Expert Comment
Tim Erlin
Tim Erlin , VP of Product Management and Strategy
April 1, 2022 10:54 am

The PCI DSS is a standard with tenure in the industry, with the first version being introduced in 2004. The PCI DSS was unique when introduced because of its prescriptive nature and its focus on protecting cardholder data. Cybersecurity is a changing landscape, and prescriptive standards have to be updated to address those changes. The last update to the PCI DSS was in 2018, and the world has certainly changed since then.

The v4.0 updates to the standard don’t immediately come into effect for all organizations. The PCI Council future-dates many of the new requirements out to 2025, labeling them as best practices until then. While this transition period provides organizations with time to adapt to new requirements, it also leaves room for greater risk through that transition period. Determining the appropriate implementation time frame for new compliance requirements is a balancing act that simply can’t make every stakeholder happy. It would be ideal if most organizations moved to the best practices before they’re required.

Any additional emphasis on securely configuring systems is a welcome addition to cybersecurity best practices. While the previous version of the PCI DSS addressed secure configuration, it unfortunately focused on changing vendor-supplied default passwords. Secure configuration management goes well beyond vendor-supplied passwords, and it’s great to see the new version of the standard take a more expansive approach to the requirement.

Zero Trust Architecture has grown in adoption since the previous version of the PCI DSS was released in 2018. The new version of the standard makes room for Zero Trust approaches to authentication and authorization with allowances for “dynamically analyzed” security posture as a mechanism for providing “real-time access to resources” as an alternative to rotating passwords. Keeping up to date with best practices in cybersecurity is important in order to avoid organizations downgrading security in order to maintain compliance.

