2020: The year in PCI DSS Compliance

This has been a very strange year overall. COVID-19 has caused massive disruption and has the potential to cast a long shadow. However, for those of us in the payments space, business has continued, and there have been milestones in the PCI world.

Remote Assessments

Perhaps the biggest direct impact of the COVID-19 pandemic on PCI DSS is the move to fully remote assessments. Previously, PCI DSS assessments had to be conducted onsite – in fact the standard AOC template for higher level assessments is called the “Attestation of Compliance for Onsite Assessments”.

Historically the onsite requirement was typically met by QSACs sending their personnel to client sites for part of the assessment. This allowed for inspection of physical security controls and in-person interviews with key staff. Assessors did not stay onsite for the full engagement.

Clearly having any component on site is no longer a safe option, for either client or QSAC personnel. The PCI Council, to their credit, quickly released guidance permitting fully remote assessments for the duration of the pandemic as early as March 11th. Beyond this, the PCI Council are maintaining their own COVID-19 resource site on an ongoing basis, making it easy for QSACs and compliant entities to find the latest guidance covering their business.

Each individual QSAC still needed to figure out how to operationalize that guidance, but creative solutions such as virtual facility walkthroughs on Skype or Zoom have become the norm.

Frankly, this is one change I would be quite happy to see continue post-COVID, rather than a return to the previous onsite assessment regimen.

Software Security

Despite the disruption, 2020 gave us two new fully operational PCI standards under the Software Security Framework: the Secure Software Standard and the Secure SLC Standard.

These have been known about for some time, having been announced alongside the planned retirement of the PCI Payment Application DSS (PA-DSS). But in 2020 the first assessor companies were qualified to conduct assessments under the new standards, completing the process. Over the next couple of years we will get to see how wide the adoption of these standards is, and whether they are more of a success in the market than the preceding PA-DSS.

PCI DSS Version 4 Draft

One final big PCI milestone in 2020 was the release for feedback of the second draft of PCI DSS v4.0. For over 5 years the PCI DSS world has been somewhat stagnant, with changes limited to minor tweaks and revisions to version 3. While Version 4 remains under NDA, what is publicly known points to significant changes.

In particular, the potential move towards allowing a customized, per-organization, risk-based approach is to be applauded. It’s not realistic to think that a mom-and-pop corner store and a major international grocery chain like Safeway face the same threats, and a “one size fits all” security standard is unlikely to serve both their needs well.