The new PCI DSS Standard, version 4.0, contains all the steps, best practices, and explanations required for full compliance.  In fact, even an organization that does not process cardholder data could follow the PCI Standard to implement a robust cybersecurity program for any of its important data.

In our series about how the new standard differs from the previous version, we examined some of the most important changes, including some nuanced differences, such as the subtle linguistic modifications that have a broad impact.  As the concluding part of the series, we continue to look at the wider meanings of the new standard.

Glancing Towards Zero Trust

The new standard does not mention zero trust architecture specifically, but it is evident that the Security Standards Council is seeing that as a future consideration. When we look at the changes in how PCI has evolved over the years up to PCI v4.0, we can identify a trend: a departure from specific technical requirements and toward the general concept of overall security. By not defining exactly what “secure” is, the Council leaves us in what appears to be an intentionally orchestrated state of ambiguity. For example, in the new version they really break down facets such as the software side, where, instead of focusing on software security, they now talk about the component-level architecture.

The Council homed in on some important updates about authenticating and authorizing user and system access between different components in an entire solution. It is difficult to deny that this is trending toward zero trust. That has been such a prominent focus for the entire cybersecurity industry, at least for the last year, and the Security Standards Council is laying the groundwork for the future of PCI compliance.

A lot of the activity in the marketplace