Preparing for Tomorrow: Exploring PCI DSS 4.0’s Role in Quantum-Safe Cryptography Transition
What is PCI DSS?
PCI DSS stands for Payment Card Industry Data Security Standard. It’s a set of security standards to ensure that all companies that accept, process, store, or transmit credit card information maintain a secure environment. This standard was created to protect sensitive payment card data, such as credit card numbers, from theft and fraud.
The Payment Card Industry Data Security Standard (PCI DSS) is a collection of security protocols established in 2004 through collaboration between Visa, MasterCard, Discover Financial Services, JCB International, and American Express. Regulated by the Payment Card Industry Security Standards Council (PCI SSC), this compliance framework is designed to safeguard credit and debit card transactions from unauthorized access, data breaches, and fraudulent activities.
What is PCI DSS v4.0?
PCI DSS is the v4.0 is the next evolution of the Payment Card Industry Data Security Standard (PCI DSS). With the new iteration, below are the high-level goals outlined by the PCI Standards Security Council for PCI v4.0
- Continue to meet the security needs of the payment industry
- Promote card-holder security as a continuous process.
- Add flexibility and support of other methodologies to enhance payment security approaches.
- Enhanced validation methods and procedures to streamline the compliance process.
Additionally, the following technical areas are considered for potential adjustments within PCI DSS 4.0:
- Authentication protocols and password recommendations.
- Enhanced system monitoring criteria.
- Guidance on the implementation of multi-factor authentication measures.
Learn more about PCI DSS 4.0 requirements here
PCI DSS 4.0 Implementation Timeline
Here is what you need to get up to speed with PCI DSS 4.0.
31 March 2022
PCI DSS 4.0 Release
31 March 2024
PCI DSS 3.2.1 retired. Best practices requirements 4.0
31 March 2025
PCI DSS 4.0 best practices requirements mandatory
Getting ready for Post Quantum Cryptography (PQC) with PCI DSS 4.0.
The white house published the “National Security Memorandum on Promoting United States Leadership in Quantum Computing While Mitigating Risks to Vulnerable Cryptographic Systems,” also known as NSM-10. NSM-10 extensively discusses reducing the risks that quantum computers might bring to encryption. It outlines various steps federal agencies must follow when the National Institute of Standards and Technology (NIST) introduces new post-quantum cryptography (PQC) codes in 2024.
The timeline for formal adoption of NSM-10 for private sectors is not known. However, organizations subject to PCI DSS compliance already have the requirements 12.3.3. In PCI, DSS 4.0 becomes mandatory after March 31, 2025; until then, it is optional and can be considered best practice.
Defined approach by PCI DSS 4.0 for cryptographic cipher suites and protocols requirements (12.3.3)
Cryptographic cipher suites and protocols in use are documented and reviewed at least once every 12 months, including at least the following:
- An up-to-date inventory of all cryptographic cipher suites and protocols, including the purpose and where used.
- Active monitoring of industry trends regarding the continued viability of all cryptographic cipher suites and protocols.
- A documented strategy to respond to anticipated changes in cryptographic vulnerabilities.
Testing Procedure (12.3.3)
Examine documentation for cryptographic suites and protocols in use, interview personnel to verify the documentation, and review it to ensure that it meets all elements specified in the PCI DSS 4.0 requirement.
Why is planning for Post Quantum Cryptography (PQC) important?
Protocols and encryption strengths may quickly change or be deprecated due to identifying vulnerabilities or design flaws. To support current and future data security needs, entities need to know where cryptography is used and understand how they would be able to respond rapidly to changes impacting the strength of their cryptographic implementations.
Organizations must understand and prepare accordingly for the transition to PQC. This involves assessing their current cryptographic infrastructure, identifying potential vulnerabilities, and planning to adopt new encryption methods. By doing so, organizations can mitigate the risks associated with outdated encryption techniques and ensure the security of sensitive data, particularly cardholder information.
Moreover, aligning cryptographic strategies with PCI DSS 4.0 requirements is essential for maintaining compliance and protecting payment card data. This includes implementing robust encryption protocols, adhering to security best practices, and staying informed about regulatory updates.
NSM-10 mentions that agencies develop a migration plan to transition to Post-Quantum Cryptography (PQC) within one year of the new standards’ release. This plan should include milestones demonstrating the completion of the migration by 2035.
Such a plan will serve as evidence for the final component of requirement 12.3.3: “A documented strategy to respond to anticipated changes in cryptographic vulnerabilities.” While the PQC migration plan addresses vulnerabilities in cryptography susceptible to exploitation by quantum computers, other potential cryptographic vulnerabilities must also be analyzed. Corresponding mitigation plans must be documented to ensure full compliance with requirement 12.3.3. Implementing PQC should be part of the data protection strategy for any organization that leverages cryptography.
Industry Trends
Monitoring the key Events and requirements for Transition to Post-Quantum Cryptography (PQC) and PCI DSS 4.0 Compliance:
| Event Description | Schedule/Requirements |
|---|---|
| NIST releases new standards for PQC | In 2024 |
| Proposal of deprecation of quantum vulnerable ciphers timeline by Secretary of Commerce | 90-days post NIST release |
| Review and adjustment of the above deprecation timeline | Annually |
| Industry monitoring of results of deprecated ciphers | Continuous monitoring required |
| Monitoring of cryptographic cipher viability | Ongoing assessment |
| Documentation of Monitoring Procedures and Results | The documented procedure with conclusions |
| Support for PCI DSS 4.0 Compliance | Required evidence for compliance |
| Action Plan for NIST Deprecations | Adds to PCI compliance evidence |
Conclusion
Implementing PCI DSS 4.0 is crucial for organizations to prepare for the shift to quantum-safe cryptography. As cybersecurity threats evolve, businesses must update their security strategies to address emerging risks effectively. By adhering to PCI DSS 4.0 guidelines and staying informed about industry developments, organizations can proactively safeguard sensitive data, even in the face of advancements in quantum computing.
This proactive approach strengthens security measures and builds trust among stakeholders in an increasingly digital landscape. Maintaining vigilance and readiness will be key to protecting against evolving threats and ensuring the ongoing security of payment card data.
In summary, the PCI DSS 4.0 requirement 12.3.3 asks organizations for:
- A documented strategy to respond to anticipated changes in cryptographic vulnerabilities.
- Yearly documentation and review of the cryptography in use.
- An up-to-date inventory of cryptography, including the purpose and where used.
- Active monitoring of the viability of cryptography in use.
Overall, PCI DSS 4.0 considers cryptography management and crypto agility best practices for responding quickly to future developments in cryptographic protocol vulnerabilities.
References:
- What is PCI DSS?
- What is PCI DSS v4.0?
- PCI DSS 4.0 Implementation Timeline
- Getting ready for Post Quantum Cryptography (PQC) with PCI DSS 4.0.
- Defined approach by PCI DSS 4.0 for cryptographic cipher suites and protocols requirements (12.3.3)
- Testing Procedure (12.3.3)
- Why is planning for Post Quantum Cryptography (PQC) important?
- Industry Trends
- Conclusion
- References:
