While PCI 4.0 isn’t expected to be released until Q4 2021, many of our Clients are looking ahead and asking questions about the potential impact the new Standard will have on their compliance programs. Some of the top questions we are getting are:

  • How hard is this going to be, and
  • How much is this going to cost?

To go along with the “PCI Road Trip” metaphor we’ve been using internally to describe the new Standard, Online has been working hard behind the scenes to develop new 4.0-based services that will help you get your compliance program tuned up for the journey ahead.

Gap Assessment – Avoiding Bumps in the Road

The new Standard has some easy and obvious incremental tweaks that will be fairly straightforward to address, and some more significant changes that will stretch many organizations’ abilities.

Team Online has spent plenty of time reviewing the Draft Standard to sort out these “small bumps” from the “giant pothole” requirements. At this stage, our analysis has identified over 60 new or changed DSS requirements that are going to involve some (or a lot of) action on the part of many organizations. In response, we’ve put together our 4.0 Gap Assessment toolbox, which is shaping up to be the quickest way to identify which changes are going to impact your organization the most.


Mapping the changes to your unique environment is a good start, but then what? For those of you that have worked with our QSA team before, you already know that our PCI “Expert Collective” is not apt to find an issue and walk away – we’re all about teaming up with our Clients to solve business problems by integrating security and compliance into real-world programs. After we perform the review of your environment against the changes, we will provide actionable recommendations to help you determine how to best address any noted gaps with the new Standard; the end result will help you prioritize the scope, reach, impact, and effort required to address both the minor and significant changes.

For those that need extra guidance, we’ll work with you to develop risk- and budget-appropriate strategies and tactics for implementation based on your specific security goals and business requirements. Our process will give you answers to the questions that concern your business the most, so that you can make informed decisions to future-proof your compliance program.

PCI Health Check – Regularly Scheduled Maintenance

The SSC has put a particular emphasis in the last few years on taking a ‘Business as Usual’ (BAU) approach to PCI compliance, and our expectation is that 4.0 will follow this pattern. If the Council is true to form, the BAU requirements will receive more attention, and we expect the Standard may have a number of updates to ensure that organizations keep their hands on the wheel. There have always been time-based requirements (think quarterly scans, annual policy reviews, etc.), but it’s a strong possibility that multiple requirements may have ‘BAU’ language baked into the testing procedures; this could mean that organizations will be required to provide evidence that time-based requirements are formalized, monitored, and effectively addressed on a continuous basis. For organizations that have a lot of ad hoc processes, limited staff tasked with ‘maintenance mode’ activities, or no access to time travel technologies, additional BAU requirements could present some real challenges.

We start by helping you identify which time-based and BAU requirements apply to your environment, and then work with you to assess your technical and process-based monitoring/alerting/response capabilities; the end result is a clear roadmap for effective security and program maintenance. Our goal is always to help our clients find the right solutions for continuous security improvement and maturity; building out BAU-based programs is perfectly aligned with our philosophy and core capabilities.





Our team will continue to share updates with you around the upcoming changes. If you are interested in talking about how you can start getting ready now, feel free to reach out to discuss how we can help you prepare for the upcoming journey, or simply introduce you to our team.

Another great place to start is to download our PCI 4.0 Road Trip Infographic that I shared in a previous post. This infographic maps out timelines and offers some suggestions on how you can start getting ready.


If you'd like to reach out to a member of our PCI team today, we look forward to hearing from you!
