With the launch of PCI DSS 4.0 just around the corner, we wanted to share an update on what has been happening, what we know, and some insights into what we are doing to get ready.
What has been happening
The PCI Security Standards Council has released two drafts of the Standard to PCI Participating Organizations with the goal of soliciting industry and practitioner feedback; they received literally thousands of responses and are currently incorporating them into what will become the final 4.0 Standard.
For more information about the proposed release schedule and background on the changes check out our Blog: Update on PCI DSS v4.0.
Our QSA team has had the opportunity to "peek under the tree"; we’ve shaken the boxes and looked under the wrapping paper to figure out what our presents are, and we have a very good idea of what we can expect in the new Standard (which is scheduled for release in March 2022).
What we know so far
Based on our team’s review, we expect that there will be some significant changes introduced with the 4.0 Standard, along with some iterative improvements. We can’t (and won’t) spoil the surprise, but can reiterate what the Council has publicly shared and verify that the new Standard is intentionally designed to be more flexible, outcome-based, and more focused on a risk-based approach to securing cardholder systems and data. I have included a couple of links to some of the Council’s statements at the bottom of the post; they provide some valuable insights around what you should expect.
Another way to describe it might be to compare the 4.0 version of the DSS to the process of buying a new car – the overall layout is similar and will feel familiar, but there are going to be some new features and controls that aren’t quite where you remembered them: for a little while you’ll turn on the wipers when you meant to hit your turn signal. From what we’ve seen so far, it’s a solid upgrade to the previous model, but the reporting format and testing procedures are going to take some getting used to when it becomes our daily driver – buckle up!
The changes range from minor tweaks and clarifications to significant overhauls in reporting (e.g. say goodbye to compensating controls and hello to the outcome-based “Customized Approach”). As expected, there are also some “Future Dated Requirements” proposed that will mean significant changes; the Council has wisely provided ample time to implement these new requirements.
What we are doing while we wait
Our PCI QSA “Expert Collective” has been busy behind the scenes reviewing, analyzing, and parsing the proposed controls in excruciating detail. We are updating our toolbox and methodologies to get ready to help out as soon as the Standard officially drops. Our experience with previous versions of the Card Brand operating rules and the evolution of the Standard gives us unique insight into the probable scope, scale, and level of effort that the changes will require. And we want to be ready so we can help you navigate these changes on Day 1 – whether you simply need help clarifying a few questions or would like to work with us on completing a PCI 4.0 Readiness Assessment.
We will be providing regular updates before the Standard releases, and will have resources available for you to use right away (e.g., webinars, blogs, OnlineTV episodes). To stay in touch with what is happening, you can subscribe to our Risk, Security and Privacy blogs here where we will be publishing our updates.
And as promised, here are some great reading and official communiqués from the SSC to get you ready:
In the meantime, if you have any questions don't hesitate to reach out; I'd love to hear from you.