By Joe Moser, PCI QSA, CISO Global, Inc.
If your organization has complied with the PCI DSS (Payment Card Industry Data Security Standard) for any length of time, the most recent release (PCI 4.0) is probably not news to you. In fact, despite the new version, PCI compliance may feel like business as usual for you. ASV scanning, penetration testing, and a comprehensive compilation of documentation are probably well under way – and you may even have scheduled your next audit with a QSA. Easy, right?
Since the Security Standards Council’s announcement that only 13 of the 63 new requirements in PCI 4.0 must be met by March 31, 2024, many compliance leaders are relieved that the balance are considered best practice until March 31, 2025 – feeling confident that the deferred compliance date gives them a little breathing room. However, next year’s compliance audit may turn out very differently than expected for many. Due to the nature of the changes in PCI 4.0, next year’s audits are likely to be much more intensive, and if you aren’t working right now to understand what needs to be adjusted in your security program, you could miss your chance to budget the time and resources needed for what could be significant changes.
Why is a New Version Needed?
In general, this iteration of the PCI DSS is intended to bring the standard up to date with today’s knowledge base and technologies for IT architecture, cybersecurity, and cyber attackers’ TTPs (tactics, techniques, and procedures). For example, v4.0 expands definitions, introduces additional guidance, and provides more examples of system components to which PCI DSS applies, adding cloud and other system components. These are technologies that were less prevalent or nonexistent when previous versions of the PCI DSS were released. So, the framework has been modernized to align with evolving technology and evolving threats. The enhanced guidance is designed to assist organizations with compliance and their qualified security assessors (QSA) with consistent interpretations of the security control requirements.
What Kinds of Changes Should You Expect?
The changes are many, but we can cover a few examples. This modernization impacts wording, formatting, and compliance approach (e.g., risk-based controls), and introduces flexibility to address emerging technologies. In the most obvious example that comes to mind, periodic ASV scanning was required even if you were also performing continuous scans and remediation. To satisfy the security control as it was previously written, you would technically have to perform the less frequent ASV scans in addition to running a full (and more effective) vulnerability management program that actually kept your environment secure. This version adjusts the wording to favor continuous scanning and avoids causing duplicate activities. Additionally, v4.0 clarifies that rogue wireless detection (Requirement 11.2.1) must be performed even if wireless is not used in the cardholder data environment (CDE) AND even if your organization has a policy that prohibits its use. The clarification addresses unauthorized wireless access points as an attack vector that could allow hackers to gain a foothold and move laterally to the CDE. Again, these updated requirements support a more robust approach to information security that will favor those whose security programs are more mature. Less mature programs may have a bit of catching up to do.
On one hand, PCI 4.0’s changes are beneficial to companies who prefer to implement the most effective cybersecurity tactics, rather than simply checking boxes to meet compliance. In past years, those organizations who went above and beyond may have been left frustrated by literal requirements. On the other hand, there is likely to be some discomfort with transitioning to the more robust framework. In fact, some organizational leaders may spend a fair amount of time trying to talk their QSAs into accepting less than effective tactics, making their case to try to avoid making change. However, the release of this version is intended to transition organizations to using technologies, processes, and operational procedures that address emerging threats. In the end, the result of argumentation with one’s QSA is likely to simply increase the cost of your audit by adding hours to the time needed to complete it. A better approach will be to choose to prepare now, instead.
What’s the Risk of Not Starting Now?
If you wait to prepare for next year’s audit until – well – next year, you may find yourself missing your deadline. Why? Many of the changes your organization needs to make could require lengthy remediation steps. When deploying new technologies and processes, make sure they align with the DSS v4.0 now, so your organization does not have to replace them again later.
The truth is, you won’t know exactly what you need to do until you have a gap assessment, because every organization is going to be different. If you ask a peer what they did to prepare, you’re not likely to get a lot of useful input, because your organization may be ahead of theirs in some areas – or behind in others. The challenge this presents for many of you doesn’t go unnoticed. With inflation higher than ever, many are looking for where they can cut budget spending – not increase it. However, in the ongoing threat landscape, the PCI Security Standards Council has come to realize that the risk of loss due to a lack of required programmatic updates for those under compliance is greater than the risk of overspending budgets. In other words, you don’t really have a choice but to comply with the new standard if you accept, handle, store, or transmit cardholder data as part of your business model.
What Should You Be Doing ASAP?
Near term, you can confirm that your PCI program aligns with the security controls required for March 31, 2024. Perform a security controls gap analysis for the controls that must be fully implemented by March 31, 2025. Build a road map to allow the resources (e.g., time, money, staff) to be available for full compliance. A PCI DSS v4.0 certified QSA might be useful for interpreting the new controls and building a strategy to comply. This will help you find out exactly where you are on the readiness scale and what you need to do next. Every organization is unique, so those steps will be specific to your organization.
With a prioritized list in hand, you can get ahead of any budget adjustments needed or speed up planned projects for next year. The emphasis here on using an experienced QSA is for a reason. There are plenty of new QSAs out there who are anxious to get some practice under their belts, and who might be willing to offer discounts on preparation services. However, if they are not extremely seasoned in the impacts of various requirements on your organization, they are not going to understand how changes impact your business model, security, and compliance obligations.
What if I Want to Reduce My PCI Compliance Burden?
Reducing the scope of your compliance requirements can be an important way to limit the human hours, remediation steps, and investment needed to meet compliance on a yearly basis. Of course, this will depend entirely on your current business model and architectural strategy – the volume of credit cards you handle, how you accept or handle that information, and where/how you store payment card data will determine the scope of your compliance requirements. Some options that have always been available include creating a sort of “DMZ” in your network, using segmentation to limit the access to and usage of the parts of your networks that are used to store and/or process credit cards. However, since the release of v3.0 in 2010, segmentation as a concept has come to include other systems and forms, all of which can be helpful in reducing your scope.
Another tactic many use to reduce scope is tokenization of cardholder data (CHD). Tokenization makes CHD unreadable and, in some cases, can allow you to avoid ingesting it entirely. This approach has a number of variants, ranging from on-premises tokenization appliances to proprietary tokens generated by your processor. There are even processor-agnostic options for those who wish to use a variety of credit card processors.
Where and how you reduce your scope will depend on your organization’s particular business model, data flows, architecture, and existing processes. However, this is another example of the benefit of getting your gap assessment early and with a highly experienced Qualified Security Assessor. The right partner can assist you with strategic remediation steps that will be the most impactful, as well as providing valuable consultation that can help you reduce your scope and streamline processes for the coming years.
Reach Out If You Need Help
If you would like to explore with an expert what next steps may be for your organization to become compliant with the standards outlined in PCI DSS 4.0, reach out to us anytime. We have a full team of experienced QSAs to help you reach your compliance goals – or go ahead and schedule next year’s audit if you’re ready!