Enhanced validation methods and procedures


  • Major changes introduced by PCI DSS v4.0 include enhanced validation methods and procedures, which evolved from a defined-only approach to include an objective-based customized approach. The PCI SSC announced the plan to introduce these enhanced validation methods and procedures into PCI DSS v4.0 at the 2019 Community Meetings.

    The traditional defined approach is the familiar method in which required security controls must be implemented wherever they apply. Requirements need to be met in a very specific manner and validated, sometimes regardless of the actual control outcome, such as whether the control system in question is actually effective and sustainable. This method of validating PCI DSS won’t be going away with v4.0. But the new customized approach allows organizations to use security methods that differ from the traditional PCI DSS requirements, as long as they can demonstrate that those methods meet the intent of the relevant PCI DSS requirements and can validate their effectiveness.

    Within a PCI DSS compliance assessment, organizations can choose either or both of the approaches on any of the key requirements. For example, PCI DSS v4.0 allows organizations to take a hybrid approach: They are allowed to meet some requirements by following the defined approach and other requirements by following the customized approach. Even within a single DSS requirement, the defined approach and customized approach can be split to meet different aspects of the requirement, as long as the organization meets the security objective of the requirement. However, be aware that some requirements explicitly cannot be met using the customized approach.

    The defined approach

    The defined implementation refers to the existing traditional approach to security control implementation and compliance validation that has existed since the introduction of the PCI Standard. The sets of requirements, controls and test procedures are fairly prescriptive. The PCI Standard includes descriptions of the controls that need to be in place and how the validation testing procedures should be met. 

    The defined approach simply means that organizations follow the current requirements and familiar testing procedures as written in the PCI DSS. This approach remains valid. All organizations can continue to benefit from its prescriptive directions. Many organizations may not see any need to follow a customized approach to meet the control objectives.

  • The customized approach

    The customized implementation allows organizations to follow a tailored process to custom-design security controls or adopt other controls outside of the familiar defined list of requirements. This new approach of validating PCI DSS controls focuses on an outcome-based approach, rather than a must-implement-based one. As mentioned earlier, all customized controls must still meet the stated security objective of the requirement.

    Requirements and validation options in PCI DSS v4.0 focus on security objectives and support organizations using different methodologies to meet the intent of PCI DSS requirements. The PCI Standard includes objective statements that clearly identify the security outcomes that customized implementations must meet. The control intent statements specify and clarify what needs to be achieved, with greater flexibility in how the organization completes the desired security outcomes.

    The customized approach’s greater flexibility allows for implementation of security solutions and technologies that don’t require waiting for the PCI DSS to catch up. Validation methods focus more on specific security outcomes, giving organizations the ability to prove the effectiveness of their approach. 

  • A customized approach typically requires additional documentation effort for:

    • Control design, with evidence that it meets the control objective and intent
    • Internal control testing
    • Control risk
    • Control performance
    • Control effectiveness
    • Control maintenance
    • External control compliance validation testing procedures
  • This alternate approach allows organizations to customize their approach and develop their own security controls by following several steps:

    • Determine the controls for a given security objective
    • Submit detailed documentation to the QSA, outlining the approach to achieve compliance and demonstrate the effectiveness of the approach
    • After the QSA reviews the evidence, the QSA makes a final decision on the effectiveness of the control, based on the analysis of the documentation submitted


    The impact of a customized approach

    Customizing security controls should be done in a very structured way that delivers measurable and predictable outcomes.

    Organizations with mature control environments are more likely to embrace the new customized validation approach with confidence. They should also find it easier to rewrite how their systems can be tested to validate how they meet the latest PCI DSS requirements.

    The new validation method will likely result, at least initially, in additional assessment work for organizations to develop and prepare documentation, control design, evaluations and risk assessment data that a QSA will need to evaluate. 

    Although this new validation approach offers more flexibility in how the PCI DSS 12 Key Requirements can be met, there’s an explicit expectation that organizations ensure that each of their customized implementations of PCI DSS requirements meet respective control objectives and fulfill the intent.

    As such, a customized approach requires adopting a robust method of designing and managing security controls and maintaining the control environment. It requires higher levels of process and capability maturity of control design, control risk evaluation, control implementation and monitoring.

    Organizations need to collaborate with the QSA or Internal Security Assessor (ISA) to agree on and develop tailored testing procedures. Some organizations are likely to experience unintended consequences from the design and implementation of their customized controls. It’s critical to be aware of blind spots and to seek out cause-and-effect relationships between controls, control systems and the control environment. You need to understand your capability and competency to design, implement, maintain and monitor customized controls, as well as your capacity to maintain all the requirements associated with your approach. The new alternative approach may not be for everyone. It’s best suited for organizations with fairly mature security, compliance and risk assessment processes in place.

    When choosing to follow the customized approach, organizations that don’t have a robust control environment backed by reasonably mature compliance management processes and capabilities are advised to improve their level of maturity first and to implement changes in small, incremental steps. This avoids making changes to substantial portions of the control environment at once, which can lead to unintended consequences: a range of good, mixed and bad unexpected outcomes.

    For an overview of capability maturity and metrics, revisit the Verizon 2019 Payment Security Report, pages 21 to 29 [44].


    • Examples of unintended consequences

      Unintended benefit: The creation of email

      Described as windfalls, good fortune, luck or serendipity, unintended benefits result from an unexpected positive outcome in which no significant, clear-cut drawback or perverse result occurs. For example, when the internet was first designed, email programs were never intended to become extensive communications channels. However, their extreme popularity, practicality and ability to be sustained definitely pegs this innovation as an unintended benefit.

      Unintended drawback: LED traffic lights

      The world’s first electric traffic signal was put into place in Cleveland, Ohio, on August 5, 1914 [45]. Today, traffic lights are one of the most common and effective traffic-control tools available. But they can also cause accidents when they go out.

      Recently, cities around the globe sought to increase the energy efficiency of traffic lights by switching from incandescent bulbs to long-lasting light-emitting diode (LED) bulbs, only to discover a new set of problems. It’s an apt example of how proposed changes to controls should be carefully studied; environmental factors must be taken into account to uncover unintended consequences. 

      Local and state governments in the U.S. began replacing incandescent traffic-signal light bulbs with LED lighting in response to the United States Energy Policy Act of 2005, which set minimum energy-efficiency standards for traffic and pedestrian lights. The efficient, longer-lasting LED bulbs improved energy costs by 90%. But whereas incandescent bulbs burn out completely and without warning, LEDs often fail in parts, leaving part of the string of LEDs inside the traffic light operative and emitting light. Drivers then alert the authorities, who send out a crew to replace the failing light.

      However, since LED lights don’t emit heat, they don’t melt snow the way incandescent light bulbs do. The changing directional lights can become obscured with snow and ice buildup, according to a 2014 U.S. Department of Transportation Federal Highway Administration study. Partial or complete covering of the signal with snow and ice resulted in at least one fatality and numerous vehicular accidents. Drivers unfamiliar with an intersection may not notice the covered lights, which can lead to potentially devastating collisions.

      Efforts were made to address the problem by installing weather shields and snow scoops to reduce or resolve accumulation. Some city workers also used compressed-air devices to blow the snow off and manually scraped the lights. Local and state governments argued that drivers should respond to such obstructed LED lights in the same way they do during a power outage—by treating the traffic signal as a four-way stop [46]. While some might argue that the environmental and energy-saving benefits outweighed the unintended drawbacks, the main purpose of the traffic lights was to protect human lives and avoid accidents. Therefore, the LED lights could also be viewed as having a perverse result.

      Unintended drawback/perverse result: Passenger-side airbags

      Sometimes an unintended consequence crosses over and cannot be clearly identified as a benefit, a drawback or a perverse result. An example is the passenger-side airbag, introduced as a safety device in cars in the mid-1990s. The devices inadvertently led to an increase in child injuries and fatalities: when the airbags automatically deployed in a crash, small children were injured or killed by the impact. Child seats were then moved to the back seat of the vehicle to avert this outcome, but that led to an increase in the number of children being left unattended in extreme temperature conditions. While passenger-side airbags definitively save lives, the perverse result for small children cannot be ignored [47].

      Perverse result: The cobra effect

      Colonial Delhi, India, was suffering from a proliferation of cobras, so the local government placed a bounty on them. Ironically, this resulted in an increase in the cobra population. As the number of wild cobras fell, people started raising cobras in their homes, which they would then kill to collect the bounty.

      Local authorities eventually realized that while very few cobras were evident in the city, a bounty was still being paid on large numbers of snakes. So, they canceled the bounty. In response, the people raising cobras in their homes released all of their now-valueless cobras back into the streets. In the end, Delhi had a bigger cobra problem after the bounty ended than it had before it began. The unintended consequence of the cobra eradication plan was an increase in the number of cobras [48].