PCI DSS 4.0

Take a Pit Stop – 5 Point Inspection Questions to Consider NOW before the 4.0 Last Lap

Written by Sherri Collis & Steve Levinson | Jun 21, 2023 5:02:38 PM

2023 is flying by. Before you can say March 2024, v3.2.1 of the PCI DSS will be retired. Do you know what your organization needs to do to cross the v4.0 finish line, and how much time it will take? Now’s the time to budget and plan to ensure a transition with no surprises.

It’s June 2023. There are fewer than 300 days before v3.2.1 of the PCI DSS is retired on March 31, 2024.
Do you know what your organization needs to do to cross the v4.0 finish line, and how much time it will take? Now would be a good time to take a pit stop and discuss the following with your crew:


  1. Do you have a plan? Have you started preparing for v4.0?
  2. Is your pit crew prepared? Does your crew know the gaps in your organization between v3.2.1 and v4.0? 
  3. Do you have a roadmap? Do you have a project plan that tracks the changes needed to be compliant with v4.0?
  4. Is there enough gas in the car? Is your budget in place for any changes?
  5. Are all systems a go to cross the finish line? Does your timeline meet or beat the date of your first v4.0 assessment, and does it also have you ready for the future-dated requirements, which stop being "best practice" and become mandatory after March 31, 2025?


The good news is that the more difficult changes don’t go into effect until March 31, 2025. And the REST of the story is below…


Each organization has different roadblocks.

The way v4.0 affects your organization will differ from one organization to the next. As an example, if you already have a Web Application Firewall (WAF) in front of your public-facing web applications, the new v4.0 requirement for an automated solution that detects and blocks web-based attacks won’t be difficult to meet. The same question can be asked about having a SIEM to support the v4.0 log review requirements. For those who have it, great. However, for those who don’t have this technology in place, how long does it take your organization to do the following:

  • Select a product.
  • Train your people.
  • Implement it in your environment.
  • Fine tune it.
  • Create/revise your policies, processes, procedures, and incident response plan for this new technology.


Another major change in v4.0 is the requirement to perform authenticated scans on internal systems; unauthenticated scans alone will no longer satisfy the internal vulnerability scanning requirement. If your organization has been running authenticated scans, you won’t feel the gravity of this change. If it hasn’t, plan for the prerequisites as well as the scanner itself: a dedicated, least-privilege scanning account on each in-scope system, credentials that are stored and rotated securely, and network access from the scanner to the targets. For organizations not currently running authenticated scans, we recommend that you review Online’s Vulnerability Scanning eBook in our v4.0 Resource Center – especially page 10!

>> Click here to access our Vulnerability Scanning eBook, written by Jeff Man, Information Security Evangelist in our Risk, Security, and Privacy practice.


Caution: We’ve only called out a few of the v4.0 changes in this blog. Do you know which changes we haven’t called out that may impact your organization more severely?


Countdown to v4.0


Again, I ask, what can YOUR organization do in the time remaining?

"Remember, the sooner you fall behind, the more time you have to catch up!"
– Steve Levinson, VP Risk, Security, and Privacy