PCI DSS 4.0 - Don't let Questions get in Your Way

By Sherri Collis on January 17, 2022

Sherri Collis

Sherri Collis, our Director of PCI Services, is a PCI veteran of over twenty years. She began her PCI career obtaining PCI compliance to the Visa CISP for a data center hosting / managed services company in 2002/2003. She has spent over fifteen years performing global consulting. Sherri has written and presented on a variety of topics including PCI compliance (versions 1.1, 2.0, 3.0, and 4.0), ITIL, IT governance, and Sarbanes-Oxley security and compliance. Due to her passion for bringing females into the cybersecurity field, she jointly presents “You Can Get There from Here,” a presentation discussing stepping stones for transitioning skills into the cyberworld. In 2021, Sherri was nominated by her peers and selected/recognized by the PCI Council in their “Paving the Way: Inspiring Women in Payments” series.

Due to the nature of the evolving PCI DSS 4.0 timeline, this post has been revised from the original article by author Tony Fulda.

PCI DSS 4.0 was recently released in a draft state to key stakeholders for review. These stakeholders include QSA companies, approved scanning vendors, and participating organizations. The PCI Council expects to officially release PCI DSS 4.0 along with its associated validation documents in March 2022, and then the real journey begins!

As one of the lucky stakeholders to receive a first look at the draft, we're eager to start helping, but we are still under an NDA, so the guidance we can give is limited right now. Our Clients are looking ahead and asking questions about the potential impact the new Standard will have on their compliance programs. Some of the top questions we are getting are:

  • How hard is this going to be?
  • How much change will this cause in our environment?
  • Will the assessment take longer?
  • How much more is this going to cost?
  • When are we required to be assessed against v4.0?

These questions all come down to one easy answer - it depends! Each Client has a unique environment that needs to be assessed to determine the areas where the most help will be needed. As such, assessments will likely take longer and therefore the cost of an assessment will increase.


Source: www.pcistandards.org

When considering timing, the first step of the process is training. No QSA can perform a PCI 4.0 assessment until they have gone through the training, and at this point, training is set to occur in Q2 of 2022. This means your organization cannot assess against the standard until this training is completed.

The PCI DSS v3.2.1 Standard is set to retire in Q1 2024, which means your organization isn't required to move to v4.0 until then, giving you a long runway. Given the timeline above, you can be assessed against v4.0 anytime between Q2 2022 and Q1 2024.

To go along with the “PCI Road Trip” metaphor we’ve been using internally to describe the new Standard, Online has been working diligently behind the scenes to develop new 4.0-based services that will help you get your compliance program tuned up for the journey ahead.

Gap Assessment – Avoiding Bumps in the Road

The new Standard has some easy and obvious incremental tweaks that will be fairly straightforward to address, and some more significant changes that will stretch a lot of organizations’ abilities.

Team Online has spent a lot of time reviewing the Draft Standard to sort out these “small bumps” from the “giant pothole” requirements. At this stage, our analysis has identified over 60 new or changed DSS requirements that are going to involve some (or a lot of) action on the part of many organizations. In response, we’ve put together our 4.0 Gap Assessment toolbox, which is shaping up to be the quickest way to identify which changes are going to impact your organization the most.


Mapping the changes to your unique environment is a good start, but then what? For those of you that have worked with our QSA team before, you already know that our PCI “Expert Collective” is not apt to find an issue and walk away – we’re all about teaming up with our Clients to solve business problems by integrating security and compliance into real-world programs. After we perform the review of your environment against the changes, we will provide actionable recommendations to help you determine how to best address any noted gaps with the new Standard; the end result will help you prioritize the scope, reach, impact, and effort required to address both the minor and significant changes.

For those that need guidance, we’ll work with you to develop risk- and budget-appropriate strategies and tactics for implementation based on your specific security goals and business requirements. Our process will give you answers to the questions that concern your business the most so that you can make informed decisions to future-proof your compliance program.

PCI Health Check – Regularly Scheduled Maintenance

The SSC has put a particular emphasis in the last few years on taking a ‘Business as Usual’ (BAU) approach to PCI compliance, and our expectation is that 4.0 will follow this pattern. If the Council is true to form, the BAU requirements will receive more attention, and we expect the Standard may have a number of updates to ensure that organizations keep their hands on the wheel. There have always been time-based requirements (think quarterly scans, annual policy reviews, etc.), but it’s a strong possibility that multiple requirements may have ‘BAU’ language baked into the testing procedures - this could mean that organizations will be required to provide evidence that time-based requirements are formalized, monitored, and effectively addressed on a continuous basis. For organizations that have a lot of ad hoc processes, limited staff tasked with ‘maintenance mode’ activities, or no access to time travel technologies, additional BAU requirements could present some real challenges.

Online can help you identify which time-based and BAU requirements apply to your environment, and then work with you to assess your technical and process-based monitoring/alerting/response capabilities; the end result is a clear roadmap for effective security and program maintenance. Our goal is always to help our clients find the right solutions for continuous security improvement and maturity; building out BAU-based programs is perfectly aligned with our philosophy and core capabilities.

Where is the next pitstop?

There are several great places to start your journey:

  • Download our PCI 4.0 Road Trip Infographic which maps out timelines and offers some suggestions on how you can start getting ready.


  • Register for an upcoming event that Online is hosting for our clients within 1 week of the Council publishing the Standard in March 2022. In this session, you can expect the following:

    • The session will begin with several of our senior Online team members, who have been poring over the v4.0 Standard and providing feedback to the PCI Council since September 2020, walking through some of the more major changes in the Standard.
    • After the major changes are discussed, there will be a one-hour period reserved for our guests to ask our panel of experts questions about the changes.



  • Sign up for a v4.0 Gap Assessment of your environment. Online will begin offering these gap assessments in April 2022, assuming the Standard is released in March 2022. This will be an excellent way to determine key activities to focus on, set priorities, and enable your compliance team to hit the ground running.




It’s one thing to change a tire, and yet another to change out a timing belt or fuel pump! Once the Standard has been officially released, Online will publish information on some of the services we will offer to assist our Clients with some of the heavier lifts in this journey to v4.0 compliance.

We look forward to talking with you in March and assisting you on this journey.

