Justin Bonk, CISSP, PCI-QSA, CIA, CISA, CIPP/US
Senior Manager, Freed Maxick Risk Advisory Services
If you’ve navigated PCI DSS 3.2.1, transitioning to 4.0 might be less effort than you thought
We’ve heard the rumblings for years now, and the time has finally come – it’s time to begin your organization’s transition from PCI DSS 3.2.1 to PCI DSS 4.0. After numerous discussions with clients and colleagues alike, I’ve heard a spectrum of concerns about what this transition to a new standard will encompass. How different will the experience be? Will I need to dedicate more resources to my audits? How much preparation should I be doing to get ready for this?
These questions generally arose because the person I was talking to still hadn’t fully researched the new standard. My key insight: the big unknowns – how costly and how difficult – do not need to be a major source of anxiety for those tasked with PCI compliance.
I know that you’ll agree that the PCI DSS 4.0 isn’t exactly a New York Times bestseller. With the utmost perseverance and diligence, I’ve read the standard in its entirety, absorbed supplemental information provided by the PCI Security Standards Council, and participated in the PCI North America Community meeting in Toronto this September.
I can confidently give you my personal take on the transition, and it might be slightly controversial to some:
It’s really not going to be that bad. If you’ve navigated 3.2.1 thus far, transitioning to 4.0 should not be a difficult move.
PCI DSS 3.2.1 vs 4.0: The Same Broad 12 PCI DSS Requirements Remain in Effect, but…
In many ways, the new standard remains materially consistent with the previous standard – the same 12 broad requirements are in play, the assessment process remains largely the same, and you’ll still issue an Attestation of Compliance (AOC) for your Report on Compliance (ROC) or Self-Assessment Questionnaire (SAQ). No new SAQs were introduced or previously existing SAQs removed.
Many of the changes are on the reporting side or help clarify ambiguities present in the previous standard. These changes are more relevant to your QSA than to you as the company subject to PCI.
How Many PCI DSS Requirements Are There?
Make no mistake, there are new requirements in PCI DSS 4.0 – a total of 64 of them. Of those, only 13 need to be met upfront for any PCI DSS 4.0 assessment, and of those 13, 10 deal directly with formally defining roles and responsibilities for requirements (something relatively easy in the grand scheme of PCI). The remaining 3 are also not a particularly difficult lift. The remaining 51 new requirements become effective March 31, 2025, leaving you with time to determine your approach and implement controls and processes where necessary.
Don’t get me wrong, there’s still a good degree of effort required to bring your organization up to par with PCI DSS 4.0. There are nuanced wording changes that you’ll want to be familiar with, and you’ll need to confirm that the controls you had in place to meet 3.2.1 will suffice for 4.0. There will be controls you’ll need to implement. My point is that the effort is incremental to what you’ve already done to maintain compliance with 3.2.1, and the expectation isn’t that all of this is done by this year. Not even by next year. It’s a manageable workload, and you have time.
That being said, you’ll want to start now by gaining an understanding of the changes involved with 4.0. I strongly recommend bringing in a QSA as early as possible to appropriately interpret the changes and get the appropriate level of expertise on what you need to do to be compliant.
I’ve listed key details below that should hopefully assuage some of the anxiety you may be feeling relative to PCI DSS 4.0.
Important PCI DSS 4.0 Dates: Be Prepared to Deal with a Reasonable Implementation Timeframe
Issued along with the new standard was an implementation guideline that outlines key dates, summarized below:
- Entities can continue to issue their assessments under the 3.2.1 standard until March 31, 2024, at which point the 3.2.1 standard will be retired. If your ROC or SAQ is filed in the last three quarters of each year, you’ll want to use 2023 as the formal transition year.
- Entities can elect to issue their assessment under the 4.0 standard immediately. If using a QSA, the QSA must have passed the PCI SSC’s formal 4.0 training in order to sign off on the assessment.
- Almost all of the future-dated sub-requirements in 4.0 are considered ‘best practices’ for any assessment issued until March 31, 2025, after which these sub-requirements become mandatory, and failure to adhere to them can result in a non-compliant assessment.
PCI DSS 4.0 Summary of Changes: Three Broad Classes
There are three broad classes of changes implemented in PCI DSS 4.0:
- Evolving Requirements – “Changes to ensure that the standard is up to date with emerging threats and technologies, and changes in the payment industry. Examples include new or modified requirements or testing procedures, or the removal of a requirement.”
Technology has evolved rapidly since PCI DSS 3.0 was introduced in 2014. The new standard includes updates to testing procedures to better assess sub-requirements, and modifications to requirements so they better reflect current operating environments. This includes the new sub-requirements referred to above.
- Clarification or Process – “Updates to wording, explanation, definition, additional guidance, and/or instruction to increase understanding or provide further information or guidance on a particular topic.”
Feedback from stakeholders throughout the assessment process was incorporated into the new 4.0 standard. Frequently asked questions from the previous standard have been included to assist stakeholders in the interpretation, implementation, and testing of the standard. To me, these clarifications are a positive, as they reduce the ambiguity in some of the 3.2.1 requirements.
- Structure or Format – “Reorganization of content, including combining, separating, and renumbering of requirements to align content.”
Content of certain sub-requirements was restructured to better align content in areas where it was more practical to do so. These changes mostly affect the completion and writing of the Report and don’t introduce new obligations for entities undergoing a PCI DSS assessment. Again, I interpret these changes to be a net positive to the process, ultimately reducing duplicative work and streamlining reporting.
At Last, Clarification on PCI DSS 4.0 Timelines
One notable clarification is the specific timeframes used in the assessment. In 3.2.1, timeframes such as ‘quarterly’ were left undefined, leaving the actual frequency at which something was required open to interpretation.
Timeframes for sub-requirements are now explicitly defined, vastly narrowing the window of time you’ll have to perform required processes. For example, what was defined simply as ‘quarterly’ in 3.2.1 is now specifically defined as “at least once every 90 to 92 days or the nth day of each third month.” These changes can impact your compliance status if left unheeded, so it's important to be aware of their impact.
An Important Clerical Change Relative to PCI 4.0 Assessment Finding Requirements
There were two changes to the Assessment Findings (e.g. In Place, Not in Place, Not Applicable, etc.) that can be selected in the assessment of each individual sub-requirement:
- Previously, ‘In Place with a Compensating Control Worksheet’ was an available finding. You’ll still have to complete a compensating control worksheet (CCW) for any sub-requirement where one is necessary, but that sub-requirement will now simply be marked as ‘In Place’ in the assessment itself.
- “In Place with Remediation” has been added as a finding. This is considered a compliant finding, and is selected to identify sub-requirements that required remediation to achieve compliance during the assessment.
Per the 4.0 standard, the “In Place with Remediation” finding applies when:
“The requirement was Not in Place at some point during the PCI DSS assessment period of the entity, but where the entity remediated the issue such that the requirement was In Place before completion of the assessment. In all cases of In Place with Remediation, the assessor must have assurance that the entity has identified and addressed the reason that the control failed, has implemented the control, and has implemented ongoing processes to prevent re-occurrence of the control failure.”
This to me is a clerical change and only impacts drafting of the ROC or SAQ. As it’s considered a ‘compliant’ finding, it may also give you and your QSA more flexibility in some of the black and white areas previously existing within 3.2.1.
New Flexibility for the PCI DSS 4.0 Assessment Process: Defined or Customized Approach?
New to PCI DSS 4.0 is the bifurcation of approaches to compliance – the “Defined Approach” and the “Customized Approach.” The Defined Approach is the same approach utilized in 3.2.1. The newly introduced Customized Approach adds flexibility to the assessment process when technology advancements outpace updates to the standard. Per PCI DSS, the Customized Approach is:
“Intended for entities that decide to meet a PCI DSS requirement’s stated Customized Approach Objective in a way that does not strictly follow the defined requirement. The customized approach allows an entity to take a strategic approach to meeting a requirement’s Customized Approach Objective, so it can determine and design the security controls needed to meet the objective in a manner unique for that organization.”
The customized approach is intended for entities with more mature risk structures in place, and can only be utilized in ROCs completed by a QSA. The Security Standards Council made it clear in this year’s North America Community Meeting - this approach is for organizations with mature risk management processes in place, and will be a more complex examination than using the traditional defined approach.
I absolutely recommend inquiring with your QSA if you’re considering this approach.
My Recommendation for PCI DSS 4.0 Changes: Start Working on the 64 New Sub-requirements Now
As mentioned in my introduction, there are 64 new sub-requirements in 4.0 that were added to address the modern threat landscape. If your organization is subject to PCI DSS, you’ll want to implement these required processes over the next several years to ensure you’ll remain compliant. The vast majority of these will be best practices until March 31, 2025.
PCI DSS 4.0 Compliance is Hard Work, but Not as Anxiety-Laden as You Might Think
My insights aren’t intended to lull anyone into a false sense of security - PCI DSS is hard work, there’s no doubt about it. PCI DSS is something to be taken very seriously. Your company’s specific circumstances may be very complicated, in which case these changes may require complex solutions.
I did want to quell some of the hysteria I’m seeing from PCI consultants and hearing from companies about the changes. My take: if you look at them as a manageable group of incremental changes, they are not as scary as you may believe.
There’s still plenty of runway until these changes in 4.0 become full compliance requirements. Starting the transition process now will be critical for a smooth transition over the next several years.
Contact me for a discussion of your situation, new requirements, and approaches for meeting deadlines required by PCI 4.0. You can reach me via email at Justin.Bonk@freedmaxick.com or call me at 716.332.2680.