This has been a very strange year overall, with the effects of COVID-19 causing both massive disruption and having the potential to cast a very long shadow. However, for those of us in the payments space business has continued, and there have been some some milestones in the PCI world.
Perhaps the biggest direct impact to PCI DSS from the COVID-19 pandemic is the move to fully remote assessments. The previous requirement for PCI DSS was that assessments had to be conducted onsite – in fact the standard AOC template for higher level assessments is called the “Attestation of Compliance for Onsite Assessments”.
This onsite component was typically dealt with by QSACs sending their personnel to client sites for a part of the assessment, but not for the full engagement. This allowed for inspection of physical security controls, and in-person interviews with key staff.
Clearly that is no longer a safe option, for either client or QSAC personnel. The PCI Council, to their credit, quickly released guidance permitting fully remote assessments for the duration of the pandemic as early as March 11th. Beyond this, the PCI Council are maintaining their own COVID-19 resource site on an ongoing basis, making it easy for QSACs and compliant entities to find the latest guidance covering their business.
Each individual QSAC still needed to figure out how to operationalize that guidance, but creative solutions such as virtual facility walkthroughs on Skype or Zoom have become the norm.
Frankly this is one where I would be quite happy for this to continue post-COVID, rather than a return to the previous onsite assessment regimen.
These have been known about for some time, with the deprecation of the PCI Payment Application DSS. But in 2020 the first QSACs were certified as being able to conduct assessments under the new standards, completing the process. Over the next couple of years we will get to see how wide the adoption of these standards is, and whether they are more of a success in the market than the preceeding PA-DSS.
PCI DSS Version 4 Draft
One final big PCI milestone in 2020 was the release for feedback of the second draft of PCI DSS v4.0. For over 5 years the PCI DSS world has been somewhat stagnant, with changes limited to minor tweaks and revisions to version 3. While Version 4 remains under NDA, what is publicly known points to significant changes.
In particular, potential moves towards allowing a custom, per-organization and risk-based approach are to be applauded. It’s not realistic to think that a mom-and-pop corner store and a major international grocery chain like Safeway face the same threats, and a “one size fits all” security standard is unlikely to serve both their needs well.