The Impact of New PCI DSS v4.0 Requirements for Healthcare
Published On July 19, 2021
Blog Post by Bruce Edwards, Senior Manager at Meditology Services
The PCI Security Standards Council has announced detailed timelines for the release of the much-anticipated PCI DSS version 4.0. Due to the scale and extent of the changes, the council is now targeting Q2 2022 for formal publication of the new framework. This blog post provides additional details about the timing of version 4.0 and its implications for healthcare entities.
Note: for the specific changes proposed in version 4.0, see our prior blog post, Provocative PCI-DSS v4.0 | New Requirements and Timing Updates.
The high-level timeline calls for formal release of the new version by Q2 2022. QSA organizations like Meditology Services will receive an advance copy of the standard before then so they can begin developing assessment and certification work products.
An 18-month transition period will follow, during which organizations can adjust to the new requirements. Some of the new requirements will also be designated as “future-dated requirements”: these will not need to be in place for validation, but should be treated as best practices until the council designates them as required provisions. The exact number of future-dated requirements has not yet been determined and will be announced closer to the release of v4.0.
An overview of the transition period timing is provided by the council as follows:
Impacts to Healthcare
Healthcare entities process credit card payments in a wide variety of settings that are often overlooked in information security and compliance program models. The new version 4.0 requirements will need to be reflected in policies, procedures, and technical implementations for healthcare entities and their third-party payment card processing providers.
The version 4.0 control requirements will drive forward implementation of multi-factor authentication (MFA) for healthcare organizations. There are still some healthcare organizations that have not fully rolled out MFA across the enterprise including PCI systems and processes. MFA has wide-ranging protective benefits including helping to protect against ransomware attacks.
A proposed requirement around password controls may also require healthcare entities to revisit their technical configurations and password security tooling, specifically the requirement to compare new passwords against a list of known bad passwords.
There are also proposed provisions around authenticated vulnerability scans, self-signed certificates, and other areas that will affect specific control implementations for healthcare organizations.
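As an added illustration of the known-bad password check described above (example code written for this post, not code from the original article or from Meditology Services), the following Python screens a candidate password against a denylist. It assumes the denylist is distributed as SHA-1 hex digests, one per line, optionally suffixed with ":count" (a common format for breached-password corpora), so that the list itself never holds plaintext; the five-entry sample list and the 12-character minimum are constructed assumptions for this example, not values taken from the standard.

```python
"""Screen a candidate password against a known-bad (denylisted) password list.

Added example; not code from the original post or from Meditology Services.
Assumes the denylist is a text file of SHA-1 hex digests, one per line,
optionally followed by ":<count>". The sample list below is constructed.
"""
import hashlib
import unicodedata

MIN_LENGTH = 12  # assumed policy minimum for this example


def _sha1_hex(s: str) -> str:
    """Uppercase SHA-1 hex digest of a UTF-8 string (matches the list format)."""
    return hashlib.sha1(s.encode("utf-8")).hexdigest().upper()


# Constructed sample corpus, formatted as it might appear in a downloaded file.
# Plaintexts are only used here to build the sample; a real list ships hashed.
SAMPLE_DENYLIST_FILE = "\n".join(
    f"{_sha1_hex(p)}:{n}"
    for p, n in [
        ("password", 3000000),
        ("Password1", 250000),
        ("Welcome123", 90000),
        ("healthcare2021", 120),
        ("qwerty123456", 40000),
    ]
)


def parse_denylist(text: str) -> set[str]:
    """Parse 'HASH' or 'HASH:count' lines into a set of uppercase hex digests.

    Blank lines, '#' comments and malformed entries are skipped.
    """
    hashes = set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest = line.split(":", 1)[0].upper()
        if len(digest) == 40 and all(c in "0123456789ABCDEF" for c in digest):
            hashes.add(digest)
    return hashes


def check_password(candidate: str, denylist: set[str]) -> tuple[bool, str]:
    """Return (accepted, reason) for a proposed new password.

    Checks run cheapest-first: length, composition, then the denylist lookup.
    The lookup is an exact hash match, so trivial case variants of a listed
    entry are not caught unless the list contains them too.
    """
    # NFKC normalisation so visually identical Unicode input hashes identically
    pw = unicodedata.normalize("NFKC", candidate)
    if len(pw) < MIN_LENGTH:
        return False, f"shorter than {MIN_LENGTH} characters"
    if not (any(c.isalpha() for c in pw) and any(c.isdigit() for c in pw)):
        return False, "must contain both letters and digits"
    if _sha1_hex(pw) in denylist:
        return False, "appears on the known-bad password list"
    return True, "accepted"


if __name__ == "__main__":
    denylist = parse_denylist(SAMPLE_DENYLIST_FILE)
    for pw in ["Password1", "healthcare2021", "CorrectHorse2024Battery"]:
        print(pw, "->", check_password(pw, denylist))
```

Note that "healthcare2021" satisfies the length and composition rules and is rejected only by the denylist lookup, which is the case this control is meant to catch; a length-only policy would have accepted it.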
Other common challenges in healthcare for PCI compliance may also be exacerbated by a shift in control requirements including:
- Updated documentation of payment card processes and credit card environments
- Lack of network segmentation and needing to apply PCI controls across the entire environment
- Tracking and monitoring of access to payment card systems and data
- Security event monitoring across disparate environments
- Limited security capabilities of legacy systems and applications to meet the new standards
- Needing to update PCI contractual language for third party service providers
- Obtaining management support to perform remediation for new controls
- Lack of skillset or personnel that understand PCI DSS v4.0 and new requirements
Meditology is an accredited PCI DSS Qualified Security Assessor (QSA) and Approved Scanning Vendor (ASV) company that exclusively serves the healthcare industry. Contact us to learn more or to discuss your specific circumstances and plans for PCI-DSS adoption and compliance.