Earning a 4.0: The Shift in PCI Compliance Requirements Is Underway

By Jenna Waters, Senior Security Consultant, CISO Global, Inc.

PCI 4.0 — the PCI Security Standards Council’s first update since 2018 to the PCI Data Security Standard (PCI DSS) — is a major iteration that shifts away from the traditional point-in-time assessment. Do you remember how an auditor would annually determine the PCI compliance status of a merchant’s or service provider’s system on a specific day in a specific month and assume — somehow — that the snapshot characterized their status all year?

That ends with 4.0

Now the Council wants:

  • compliance to be an ongoing continuum, rather than a judgement day
  • to swap out prescriptive PCI compliance requirements for flexible ones
  • to ask custodians of cardholder data — in exchange for this latitude — to constantly evaluate the controls used to secure their cardholder-data environment
  • custodians to live daily what’s long been one of our credos at CISO Global: “security equals compliance”

A more risk-focused, better balanced, less dogmatic approach informs 4.0. Where audits used to demand near-verbatim compliance with a control — i.e., “run antivirus and scan every device in the PCI cardholder data environment periodically,” where “antimalware” isn’t a substitute for “antivirus” — that’s now changed.

Now antimalware works, too

And it works without 4.0 actually outlining any specific goal — that’s now up to one’s organization to decide. With 4.0, any combination of tools, processes, and talent that results in a secure system will suffice.

But with great latitude comes great responsibility. So, I expect to see a raft of novel approaches followed by a host of client questions for qualified security assessors (QSAs) like me, at least at first — broad questions about the tool/process/talent combinations the clients themselves are inventing.

And that’s a good thing. Those questions will showcase the clients’ commitments to achieving 4.0 goals.

As a QSA who’s first and foremost an IT and cybersecurity professional

… I’ll answer those questions with concrete solutions.

A client may ask, for example, “What’s your take on my system now that I’ve implemented this new payment process? Will I meet the goal of 4.0?”

And with 4.0’s premium focus on risk in mind, I’ll recommend:

  • an external vulnerability scan from a Council-approved scanning vendor
  • a governance, risk, and compliance (GRC) package featuring risk and scoping assessments
  • the consultancy of one of my risk-assessment colleagues at CISO Global

That last part about the colleague stems from the existence of two types of assessments:

  • a self-assessment using an SAQ (self-assessment questionnaire), through which, as a QSA, I can consult on a client’s security controls and architecture
  • a full-blown PCI audit assessment, through which I CAN’T influence the development of a client’s security controls and architecture (which is an expectation of the separation-of-duties controls that avoid conflicts of interest), and can only set expectations and say whether the system’s NOT going to meet compliance

But I’ll be helpful either way, because my recommendation:

  • relieves the client of employing an expensive, full-time, in-house QSA whose internal-IT expertise — which likely wouldn’t include PCI DSS’s 300-plus security controls — might lead to an under- or overscoping of the PCI-compliance-required cardholder data environment
  • ensures the client’s not spending too much on compliance, nor spending too little and risking non-compliance
  • engages a QSA with a relevant IT and cybersecurity background (e.g., me)

And that last bullet has never mattered more than in this post-4.0 era

… when the very thought of PCI DSS’s 300-plus sub-requirements for security controls throws companies into a panic.

Still, it doesn’t have to do that to yours.

Not when you flip the script and engage an IT and cybersecurity professional with a strong QSA-auditing background, rather than a QSA auditor with a financial background who may have little to no IT and cybersecurity chops.

When that happens, the four major tenets of 4.0 —

  1. Meet the payment industry’s security needs.
  2. Make security a continuous process.
  3. Achieve security objectives by increasing flexibility.
  4. Boost validation methods and procedures.

— will create for your company a real opportunity instead of an unreal burden, make way for a proactive investment instead of a reactive expense, and set the stage for a turnkey solution today instead of a frantic mitigation tomorrow.

Interested in learning more about the steps you need to take to validate your company’s PCI 4.0 compliance? We need to talk. Contact CISO Global, Inc. today.