We’ve heard the rumblings for years now, and the time has finally come – it’s time to begin your organization’s transition from PCI DSS 3.2.1 to PCI DSS 4.0. After numerous discussions with clients and colleagues alike, I’ve heard a spectrum of concerns for what this transition to a new standard will encompass. How different will the experience be? Will I need to dedicate more resources to my audits? How much preparation should I be making to get ready for this?
These questions generally arose because the person I was talking to still hadn’t fully researched the new standard. My key insight: the big unknowns – how costly and how difficult – do not need to be a major source of anxiety for those tasked with PCI compliance.
I know that you’ll agree that the PCI DSS 4.0 isn’t exactly a New York Times bestseller. With the utmost perseverance and diligence, I’ve read the standard in its entirety, absorbed supplemental information provided by the PCI Security Standards Council, and participated in the PCI North America Community meeting in Toronto this September.
I can confidently give you my personal take on the transition, and it might be slightly controversial to some:
It’s really not going to be that bad. If you’ve navigated 3.2.1 thus far, transitioning to 4.0 should not be a difficult move.
In many ways, the new standard remains materially consistent with the previous standard – the same 12 broad requirements are in play, the assessment process remains largely the same, and you’ll still issue an Attestation of Compliance (AOC) for your Report on Compliance (ROC) or Self-Assessment Questionnaire (SAQ). No new SAQs were introduced or previously existing SAQs removed.
Many of the changes are on the reporting side or help clarify ambiguities present in the previous standard. These changes are more relevant to your QSA than to you as the company subject to PCI.
Make no mistake, there are new requirements in PCI DSS 4.0 – a total of 64 of them. Of those, only 13 need to be met upfront for any PCI DSS 4.0 assessment, and of those 13, 10 deal directly with formally defining roles and responsibilities for requirements (something relatively easy in the grand scheme of PCI). The remaining 3 are also not a particularly difficult lift. The remaining 51 new requirements become effective March 31, 2025, leaving you with time to determine your approach and implement controls and processes where necessary.
Don’t get me wrong, there’s still a good degree of effort required to bring your organization up to par with PCI DSS 4.0. There are nuanced wording changes that you’ll want to be familiar with and ensure the control you had in place to meet 3.2.1 will suffice for 4.0. There will be controls you’ll need to implement. My point is the effort is incremental to what you’ve already done to maintain compliance with 3.2.1, and the expectation isn’t that all this is done by this year. Not even by next year. It’s a manageable workload, and you have time.
That being said, you’ll want to start now by gaining an understanding of the changes involved with 4.0. I strongly recommend bringing in a QSA as early as possible to appropriately interpret the changes and get the appropriate level of expertise on what you need to do to be compliant.
I’ve listed key details below that should hopefully assuage some of the anxiety you may be feeling relative to PCI DSS 4.0.
Issued along with the new standard was an implementation guideline that outlines key dates, summarized below:
There are three broad classes of changes implemented in PCI DSS 4.0:
One notable clarification is the specific timeframes used in the assessment. In 3.2.1, timeframes such as ‘quarterly’ were left undefined, leaving the actual frequency at which something was required open to interpretation.
Timeframes for sub-requirements are now explicitly defined, vastly narrowing the window of time you’ll have to perform required processes. For example, what was defined simply as ‘quarterly’ in 3.2.1 is now specifically defined as “at least once every 90 to 92 days or the nth day of each third month.” These changes can impact your compliance status if left unheeded, so it's important to be aware of their impact.
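To make the narrowed window concrete, here is a small cadence check, added as an example and not part of the original article. It takes the dates on which a quarterly activity (say, a vulnerability scan) was actually performed and flags any consecutive pair more than 92 days apart, the outer bound of the quoted definition. The additional check that the last activity is not more than 92 days before the end of the assessment period is this example's own assumption about how an assessor would read a lapsed cadence, not wording from the standard. The scan dates are constructed sample data.

```python
from datetime import date

# Maximum allowed interval between two consecutive "quarterly" activities,
# per the PCI DSS 4.0 wording quoted above: "at least once every 90 to 92 days".
MAX_GAP_DAYS = 92


def interval_days(dates):
    """Day counts between consecutive dates, after sorting."""
    ordered = sorted(dates)
    return [(later - earlier).days for earlier, later in zip(ordered, ordered[1:])]


def check_quarterly_cadence(dates, period_end, max_gap_days=MAX_GAP_DAYS):
    """Evaluate a list of activity dates against the quarterly definition.

    Returns (compliant, findings). A finding is recorded for every
    consecutive pair more than max_gap_days apart and, as an assumption of
    this example rather than text from the standard, for a last activity more
    than max_gap_days before period_end, since the cadence would then have
    lapsed before the assessment period closed.
    """
    findings = []
    if not dates:
        return False, ["no activity recorded in the period"]
    ordered = sorted(dates)
    for earlier, later in zip(ordered, ordered[1:]):
        gap = (later - earlier).days
        if gap > max_gap_days:
            findings.append(
                f"{gap} days between {earlier} and {later} exceeds {max_gap_days}"
            )
    tail = (period_end - ordered[-1]).days
    if tail > max_gap_days:
        findings.append(
            f"last activity {ordered[-1]} is {tail} days before period end {period_end}"
        )
    return not findings, findings


# Constructed sample data (not from the article): dates of quarterly scans.
SCANS_ON_TIME = [date(2024, 1, 15), date(2024, 4, 15), date(2024, 7, 15), date(2024, 10, 15)]
SCANS_LATE = [date(2024, 1, 15), date(2024, 4, 15), date(2024, 8, 1), date(2024, 10, 15)]

if __name__ == "__main__":
    for label, scans in (("on time", SCANS_ON_TIME), ("late", SCANS_LATE)):
        ok, notes = check_quarterly_cadence(scans, period_end=date(2024, 12, 31))
        print(label, "compliant" if ok else "NOT compliant", notes)
```

Note that the "nth day of each third month" alternative in the definition already satisfies the 92-day bound (the 15th of January, April, July and October are 91, 91 and 92 days apart in 2024), so a single maximum-gap check covers both readings.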
There were two changes to the Assessment Findings (e.g. In Place, Not in Place, Not Applicable, etc.) that can be selected in the assessment of each individual sub-requirement:
Per the 4.0 standard, the “In Place with Remediation” requirement is met when:
“The requirement was Not in Place at some point during the PCI DSS assessment period of the entity, but where the entity remediated the issue such that the requirement was In Place before completion of the assessment. In all cases of In Place with Remediation, the assessor must have assurance that the entity has identified and addressed the reason that the control failed, has implemented the control, and has implemented ongoing processes to prevent re-occurrence of the control failure.”
This to me is a clerical change and only impacts drafting of the ROC or SAQ. As it’s considered a ‘compliant’ finding, it may also give you and your QSA more flexibility in some of the black and white areas previously existing within 3.2.1.
New to PCI DSS 4.0 is the bifurcation of approaches to compliance – the “Defined Approach” and the “Customized Approach.” The Defined Approach is the same approach utilized in 3.2.1. Newly implemented is the “Customized Approach,” which adds flexibility to the assessment process when technology advancements outpace updates to the standard. Per PCI DSS, the Customized Approach is:
“Intended for entities that decide to meet a PCI DSS requirement’s stated Customized Approach Objective in a way that does not strictly follow the defined requirement. The customized approach allows an entity to take a strategic approach to meeting a requirement’s Customized Approach Objective, so it can determine and design the security controls needed to meet the objective in a manner unique for that organization.”
The customized approach is intended for entities with more mature risk structures in place, and can only be utilized in ROCs completed by a QSA. The Security Standards Council made it clear in this year’s North America Community Meeting - this approach is for organizations with mature risk management processes in place, and will be a more complex examination than using the traditional defined approach.
I absolutely recommend inquiring with your QSA if you’re considering this approach.
As mentioned in my introduction, there are 64 new sub-requirements in 4.0 that were added to address the modern threat landscape. If your organization is subject to PCI DSS, you’ll want to implement these required processes over the next several years to ensure you’ll remain compliant. The vast majority of these will be best practices until March 31, 2025.
My insights aren’t intended to lull anyone into a false sense of security - PCI DSS is hard work, there’s no doubt about it. PCI DSS is something to be taken very seriously. Your company’s specific circumstances may be very complicated, in which case these changes may require complex solutions.
I did want to quell some of the hysteria I’m seeing from PCI consultants and hearing from companies about the changes. My take: if you look at them as a manageable group of incremental changes, they are not as scary as you may believe.
There’s still plenty of runway until these changes in 4.0 become full compliance requirements. Starting the transition process now will be critical for a smooth transition over the next several years.
Contact me for a discussion of your situation, new requirements, and approaches for meeting deadlines required by PCI 4.0. You can reach me via email at Justin.Bonk@freedmaxick.com or call me at 716.332.2680.