
PCI 4.0: Your Next Audit May Take Longer, But it’s for a Good Cause 

By: Brian Dean, Senior Security Consultant, QSA

Change is in the Air 

2024 is almost here, and that means PCI DSS 4.0 will soon go into effect. The newest version will have some mandatory controls on March 31, 2024, for those who store, process, or transmit card payment data. While its predecessor weighed in at 190 pages, PCI DSS 4.0 is 486 pages and includes 63 new security controls.  

Fundamentally, PCI DSS 3.2.1 was a prescriptive set of controls that provided definitive, detailed instructions for compliance. PCI DSS 4.0 keeps a similar construct, now called the defined approach, but adds flexibility so organizations can tailor security controls to their environment, technology, and culture. This customized approach emphasizes security outcomes, allowing organizations to choose the technologies and approaches best suited to their environment and business model.  


Flexibility introduces complexity. Teams tasked with PCI compliance should leave enough runway to interpret the new controls, determine whether the defined or customized approach suits their organization, and, where the customized approach is chosen, plan how each control will be customized. Each task must be completed before validating compliance.  

Reconfirm Your Leadership’s Commitment 

PCI DSS has been around for nearly two decades. Management teams might be complacent, assuming that 2024 will be just another PCI DSS compliance cycle. However, the number of changes, the introduction of new controls, the detailed guidance to align control interpretations, and the introduction of a customized approach with targeted risk assessments will require additional resources, including time, money, and/or staffing.  

When preparing for PCI DSS 4.0, organizations will need to review the controls, determine the impact to the business, and then level-set with the executive team. If new controls require capital investment, discovering those needs during the PCI Assessment is not a recipe for success. Any additional tools needed to comply must first be procured, installed, tested, fine-tuned, documented, trained on, and operationalized.  

It’s NOT More of the Same  

The SSC has provided a 36-page document detailing the upcoming changes. It includes clarifications, such as rewording to make a control easier to interpret; structural updates, such as moving and grouping controls more logically; and evolving requirements that keep pace with adversaries, emerging threats, and new technologies.  

The evolving requirements need a plan to validate their compliance impact. If teams do not perform a gap analysis between their current program and the changes, assuming the same compliance cycle will suffice, they might find they do not have the resources readily available to achieve compliance.  

Brace Yourself for Longer Compliance Assessments 

On a practical level, deploying new controls will take longer, documenting and testing the controls will take longer, and the annual PCI DSS Assessment may be more complex. For example, it’s no longer a matter of a QSA simply asking, “are you changing your passwords at least every 90 days?” and checking the box. Your team may decide that 90 days doesn’t align with the culture, business model, and technologies in place. This is a perfect fit for the customized approach.  

Perform a targeted risk assessment (TRA) to decide the password complexity and change cycle that is right for your organization while still providing proper security. The QSA now needs to review the logic of the TRA, the approach for deployment, and the effectiveness of the control, and then validate compliance. This may also lead to more discussions between the QSA and the organization being assessed, especially if the findings are not what was expected or, worse, do not align with the control objective’s desired outcome. In those cases, more interviews, discussions, and documentation may be needed, or changes may need to be made – again adding to the length of an assessment.  

Measure Three Times, Cut Once with PCI DSS 4.0 

My recommendation is to perform a gap assessment for the security controls required by March 31, 2024, the controls that are “best practice” until they become required on March 31, 2025, and any planned systemic changes to your environment (e.g., migrating to the cloud, introducing segmentation, tokenization, adding a mobile payment channel). Build a single compliance roadmap not just for PCI DSS 4.0 in 2024, but for the next two to three years! Otherwise, you risk introducing new technologies to meet the 2024 controls and then replacing or reconfiguring those same controls to align with the 2025 requirements or with business model changes. 

Get Started ASAP 

Bottom line? Don’t wait. You do not know what you do not know. Perform a gap assessment against the full PCI DSS 4.0 control set now. Build a three-year roadmap, but revisit it annually as technologies, exploits, and risk models change. Engage a QSA company if you need help. Having a solid roadmap before you begin compliance program updates and new technology rollouts will streamline the process, saving time, money, and staff frustration. Remember, compliance frameworks like ISO, CSF, and PCI DSS aspire to repeatable results, so documentation is imperative.  

Introducing a new SIEM to automate periodic log reviews (with “periodic” defined by your TRA as required by REQ 10.4.2.1, and the automation required by REQ 10.4.1.1) is not just buying and installing software. You will need to determine the functional requirements for the solution to make sure its outcome aligns with the new PCI DSS 4.0 requirements, then sit through various vendor demonstrations to find a solution that meets your needs and integrates with your environment. Again, purchasing, installing, fine-tuning, testing, training the team, documenting the process, and operationalizing it all require resources. If you are doing this for several control objectives at once, they are all vying for the same resources. With the first phase of PCI DSS 4.0 mandatory in a few months, if you haven’t already started, then depending on the size and complexity of your organization and the maturity of your existing security controls, you might already have missed the opportunity to meet your initial compliance window. 

Beyond DSS 4.0 

My crystal ball is a little cloudy, but with machine learning, artificial intelligence, quantum computers, the sophistication and funding of adversaries, and the availability of exploit kits, I expect the PCI DSS will need to keep evolving to maintain pace with our adversaries. The payment card industry is especially vulnerable because card data can be easily monetized.  

Learn More or Get Help 

If you want to learn more about what to expect from PCI DSS 4.0, check out our recent live panel discussion. If there is any doubt or you are concerned about the looming timeline, consider using a knowledgeable QSA that is certified for DSS 4.0. QSAs, like those at CISO Global, can jump start your PCI DSS 4.0 journey. Reach out to us anytime. Our team of highly experienced QSAs is ready to help!