The Payment Card Industry (“PCI”) Security Standards Council (“SSC”) recently published a supplement to the PCI Data Security Standard (“DSS”) that will require certain Designated Entities to comply with an additional set of compliance-based requirements. The additional requirements, called the “Designated Entities Supplemental Validation,” or DESV, are designed to “help organizations make payment security part of everyday business practice” and are “intended to provide greater assurance that PCI DSS controls are maintained effectively and on a continuous basis through validation of business-as-usual (BAU) processes, and increased validation and scoping consideration.” According to a FAQ published on the PCI SSC’s website, the DESV was created to combat the perception by some merchants that compliance with the DSS is a “periodic exercise.”
The DESV requires that so-called Designated Entities demonstrate compliance with requirements in five control areas. The control areas are: (1) Implement a PCI DSS compliance program; (2) Document and validate PCI DSS scope; (3) Validate PCI DSS is incorporated into BAU activities; (4) Control and manage logical access to the cardholder data environment; and (5) Identify and respond to suspicious events. According to PCI SSC Chief Technology Officer Troy Leach, the DESV procedures “are not new requirements, but criteria that can help any organization in assessing and documenting how it’s maintaining existing PCI DSS controls on an ongoing basis.”
Designated Entities are “determined by an Acquirer or Payment Brand as an organization that requires additional validation to existing PCI DSS requirements,” according to the FAQ. In practice, Designated Entities will include “entities that may be at greater risk for compromise” including those that store, process, and/or transmit large amounts of card data, provide aggregation points for cardholder data, or “that have suffered significant or repeated breaches of cardholder data.” The latter category is particularly notable, as it appears that compliance with the DESV could be required by an Acquirer or Payment Brand as a remedial measure following a security incident.
While the PCI DSS generally concerns cybersecurity, the DESV addresses risk management, governance, controls, and process maturity. For instance, requirement DE.1.1 requires executive management to “establish responsibility for the protection of cardholder and a PCI DSS compliance program…” It also requires that regular updates be provided to executive management and the board of directors on PCI DSS compliance initiatives and issues at least annually, among other requirements. Requirement DE.1.2 requires that a compliance program be in place and include:
- Definition of activities for maintaining and monitoring overall PCI DSS compliance, including BAU activities;
- Annual PCI DSS assessment processes;
- Processes for the continuous validation of PCI DSS requirements; and
- A process for performing business impact analysis to determine potential PCI DSS impacts for strategic business decisions.
Requirement DE.1.4 requires that up-to-date PCI DSS and/or information security training be provided to employees/contractors with compliance responsibilities (as designated per requirement DE.1.3) at least annually.
These types of governance and control activities appear to be designed to provide assurance that PCI DSS compliance is a continual focus of Designated Entities. The FAQ also states that the DESV “can be used to complement any entity’s PCI DSS compliance efforts, and all entities are encouraged to follow the DESV as a best practice, even if not required to validate.”
The requirements of the DESV will almost certainly require a larger line item in organizations’ IT budgets, which may make compliance more difficult, especially for smaller entities. This is not only because of the additional compliance activities required by the DESV, but also because its activities go beyond the DSS. For example, while DSS Requirement 11.3.4 requires penetration testing at least annually and after changes to segmentation controls to verify that segmentation methods are operational and effective, the DESV requires such penetration testing at least every six months and after changes to segmentation controls/methods.
The rollout of the DESV appears to be an extension of the “best practices for implementing PCI DSS into [BAU] processes” included in DSS version 3.1. Although that section of DSS version 3.1 is acknowledged as “guidance only” at this time, the DESV will be mandatory for Designated Entities. It is therefore possible that the “scope creep” of the PCI DSS will continue, and the DESV may eventually become applicable to an even larger group of entities.