S1 E3: Transitioning to PCI DSS v4.0


Jordan Eisner: Welcome to Compliance Pointers. I’m today’s host, Jordan Eisner, and the VP of Sales for CompliancePoint, a mid-size consulting firm specializing in helping organizations scale and reduce risk by maturing data security and privacy operations.

If you haven’t already subscribed, make sure you do that today.

I’m joined by Brandon Breslin, a senior manager from our assurance group and the leader of our PCI practice. In addition to Brandon, I’m joined by John Barbier, a senior security consultant here at CompliancePoint. Both Brandon and John are Qualified Security Assessors, QSAs, certified by the PCI Council.

Today, we’re going to be talking about a very timely and common topic of late, what your organization needs to do as it prepares for the new PCI DSS 4.0 standard. But before we dive into the Q&A, let’s get to know the guests a little more. Brandon, let’s start the intros with you. Tell us a little about your background, and I think more importantly, for the listeners, your expertise in PCI.

Brandon Breslin: Yeah, absolutely. Thanks, Jordan, and thanks for having John and I on here. I’ve been in the PCI space or really the cybersecurity and compliance space for a little over a decade now. Been in a few different organizations of different sizes. I’ve worked in numerous different industries with clients or customers of different sizes and complexities, everything from healthcare, financial services, retail, entertainment, hospitality, government. Then from there, different, of course, assessment types. Everything from consulting, which is non-attest services to attestation services, what you would normally see in the PCI space, compliance validations, report on compliance, SAQs or co-attesting SAQs, and pretty much everything in between. Outside of the PCI space, a few different other areas within security and compliance, but I know today’s focus is PCI.

Jordan Eisner: Thank you for that, Brandon. John, how about you?

John Barbier: My background is in hospitality and travel technology. I’ve been involved in information security for some time and became more and more involved in PCI in 2015. I became a QSA and I’ve been doing PCI assessments since then. Like Brandon, across all industries.

I’ve been involved in the development of PCI 4.0 in that I saw the first and second rounds of the standard that were published by the council and provided feedback on them, like many others in the industry. So I’m quite familiar with PCI 4.0 and all the requirements that are going to need to be met.

Jordan Eisner: Well, good deal. Maybe we can test some of that knowledge here today on this podcast.

Well, it’s great having both of you on. Let’s dive in. The first thing, where everybody wants to start, tell us about the timeline. Where we are in the transition period, what are the deadlines for meeting 4.0 requirements? We’re getting close, I think on some of this, but maybe not to feed the answer too much. Tell us about that, Brandon.

Brandon Breslin: Yeah, absolutely. We are mid-transition right now from 3.2.1 to 4.0. For those that are not aware, the council has already released the standard. They had a few RFC or request-for-comment phases where they were going through asking for feedback from different QSA companies just like us at CompliancePoint. We are now at the point where the standards have already been released. Many QSA companies, including ourselves, are doing 4.0 assessments. As it relates to consulting and compliance validations, we are already recommending all of our customers to move to 4.0.

As it relates to the specific transition timeline, as we record this podcast, we’re in quarter 4 of 2023. We’re getting close to the process of 3.2.1 being retired. The timing of 3.2.1 being retired is at the end of Q1 of 2024, so this upcoming Q1, that’s March 31, the end of that month. After that, the council has already gone out and said no more PCI compliance validation assessments, which would be a ROC and an AOC or an SAQ and an AOC, can be performed on 3.2.1 after that date.

For those hearing that, of course, if you are not already thinking about 4.0, you need to be thinking about 4.0 right now. I will say the specific new requirements that we’ll get into in a little bit are mostly future-dated. We’re in a grace period right now until 3/31/2025.

Most of the new requirements, technical, operational controls that have to be implemented in your organization, you really have over a year, almost a year and a half right now to implement those. But I will say, like I mentioned earlier, we’re recommending all of our customers to move to 4.0 so that you can start to learn the new requirements so that you can start to implement some of these changes or at least gather key stakeholders to start to implement some of these changes before the grace period ends so that you’re not running into a potential non-compliance situation when that time comes, because it will come very quickly.

Jordan Eisner: If I’m reading right what you were just saying, you could do a 4.0 assessment and your report on compliance could be for 4.0, but you could have some of those technical controls not yet in place. Is that accurate?

Brandon Breslin: Absolutely. That’s accurate. Right now, the council is already accepting 4.0 assessments. AOCs that are submitted to card brands are fully accepted right now. As it relates to the 4.0 controls, like you just mentioned, you don’t actually have to have them implemented right now. For us as a QSA company, we would still offer that opportunity to say, hey, have you guys implemented anything? If not, that’s okay. We will mark that as a best practice so that there’s no hit to the compliance status. You’re not taking the hit on that, and there’s no risk at this point to that compliance status.

I will say there are two requirements that have to be implemented right out of the gate for 4.0. In your assessment, as of the date on the ROC, which is the as-of compliance date, you have to have roles and responsibilities identified for each of the areas, and then you also have to have your scope documented. We’ll get into that in a little bit.

Jordan Eisner: Okay. That could help, I think, alleviate some of the hesitation to just go ahead and go forth with 4.0. You can be grandfathered into some of those controls even though they’re not a steadfast requirement until maybe a year from March of next year.

John, we’ll go to you. One thing we’ve done coming up to this point and well beforehand is bridge assessments for 4.0, gap assessments for 4.0, maybe bridge isn’t even something that is too meaningful anymore with the timeline on it. Maybe it is and maybe we’re talking about the same thing, a bridge or gap. But talk about some strategies for effectively conducting those and what each of them means.

John Barbier: I think as Brandon said, one of the key changes is that you have to understand and document your scope, and that’s going to be a requirement right out of the gate. So you’re going to have to hand the documentation to your assessor at the beginning of the assessment. So that’s going to need to be addressed with some priority. But you need to understand the changes in the requirements.

So I think as part of your analysis, you need to highlight the key changes between version 3.2.1 and version 4.0, and emphasize the new requirements. I think this awareness is vital in formulating a plan to effectively transition to version 4.0. Once you understand what the new requirements are, you need to evaluate your current security controls against the new requirements. You need to map those out because the mapping provides a roadmap for the adjustments that you’re going to have to make in your controls.

Policies and procedures, very often, are thought about towards the end of the process in any technology project. But the policies and the documentation have always been an important part of PCI DSS. So the existing policies and procedures need to be updated to realign with the updated PCI requirements, and you need to identify gaps in the documentation at the same time as you’re designing your new controls and your strategy for meeting the requirements. Your personnel need to be aware of the changes. You need to educate your employees on the new requirements and emphasize their roles in maintaining compliance. That is one of the changes that is required at the gate. So an informed team is essential for meeting PCI 4.0.

Jordan Eisner: I’m sure that list goes on for some of the other things, and maybe that’s the essence of the importance of the bridge or the gap assessment, right? To your point, one of the things you talked about in your answer, John, was the changes from 3.2.1 to 4.0, or the Delta of transitioning that.

So to me, that’s more a bridge, right? Maybe we’re getting carried away here in semantics on a gap assessment versus a bridge assessment. But for organizations that maybe have already been 3.2.1, it’s important to understand the differences, the bridge, educate the organization on policy. Big changes are going to have to take effect between the two. For companies coming at this for the first time, PCI, maybe moving up to level one, that’s where we would recommend maybe a bigger gap assessment.

John Barbier: Yeah, I think that makes sense. I think we haven’t even spoken about addressing the technology stack. So there may be some technology changes that need to be made. But any organization is going to have to understand what the changes are and the applicability to their environment before they determine what changes are going to need to be made to the technology stack as well.

Brandon Breslin: If I can jump in as well, Jordan, just to add onto what John has said: you hit on something that I want to touch on, which is those that have done a 3.2.1 assessment versus those that have never done PCI before and are having to jump right into 4.0.

I will say at CompliancePoint, since we offer that methodology, if we have a current customer already, we can leverage some of that evidence and do an inquiry-only bridge to cover some of those new requirements. Whereas if we have a customer that we want to bring on for the first time, we would want to still do some of that evidence gathering to understand where those compliance gaps are. It may be a smaller subset of sampling than we would do for a full compliance validation assessment, but it gives us a good holistic picture before we do the full assessment: where are you right now as it relates to compliance? What are the key areas that we need to hone in on to tailor that assessment for you?

Jordan Eisner: Well, Brandon, keeping with you and you had alluded to this earlier, we talked about organizational awareness. Let’s dive a little deeper in that. The importance of engaging all the stakeholders early on, and assigning roles and responsibilities for the engagement.

Brandon Breslin: Yeah, absolutely. That’s critical. Really step 1A is engaging key stakeholders. That would be internally and externally as well. A lot of people forget about the external piece. But first, sticking with internal, having senior management or executive buy-in, communicating early and often, and then really rolling into that new requirement of identifying roles and responsibilities for each of those compliance or security areas within the PCI requirements. Everything from network management, system hardening and build management, data flows, web encryption, anti-malware handling, patching, change management, user access, all of those key areas.

Now, there are requirements, to John’s point earlier, that have to be implemented right out of the gate in your first 4.0 assessment, that need to be assigned, and not only assigned but formally communicated and trained on, so that those individuals understand, hey, this is their responsibility and they have to follow through with that on a yearly basis, because compliance is not a one-time thing. It’s a continuous process. Having those roles and responsibilities allows accountability, but it also allows flexibility and allows more people to be involved in the assessment process. It’s pretty clear the council is moving towards security as a continuous process, with more involvement, organization-wide.

As it relates to third parties or even customers or other service writers that you work with, making sure that you understand your reporting requirements and what you need to do before you go down the path of PCI compliance.

Then of course, the big piece as well as engaging with the QSA. You want to make sure that you’re engaging with the QSA early and often, and then having those conversations. We’ll get into this in a little bit, but having a QSA as an expert in the process to help you along is a hand-in-hand partner there.

Jordan Eisner: Yeah. I was going to ask about developing an effective transition plan for an organization without a QSA. But it sounds like we’ve actually talked about a lot of it. Maybe there’s more you would add. Bridge assessments, gap assessments, engaging the stakeholders, roles and responsibilities, the technical controls that we are going to dive in after this, and what needs to change there.

What else? What are we missing, if anything, from an effective transition plan from a high level?

John Barbier: I think we hit on the points. One key that I think I would emphasize is to, this is for PCI in general as well as the transition to 4.0, is to form a cross-functional team. So involve IT, security, and compliance. Depending on your organization, you may be involving legal as well. So collaboration facilitates a holistic approach. To get the leadership support to ensure that you have the resources and the priority to be able to implement what needs to be changed prior to your next assessment.

Brandon Breslin: Yeah, that’s a great one, John. I really like that, having the cross-functional teams. That ensures your business is aligned across organizationally, not just in the security and compliance space, but it aligns those goals to your internal objectives as well.

I would also say another one is timing. So earlier in the podcast, we talked about the transition period where we are right now, as it relates to the transition to 4.0 for every organization before it gets retired. Having that transition time or plan aligns with the timeline. Not waiting until the last minute and then you’re scrambling trying to figure out, oh wait, what do we need to do to move to 4.0? Really getting involved early, communicating early and setting up a plan and approach early so that you have that flexibility if things go awry or things don’t go the way you expected them to go.

Jordan Eisner: So we’ve talked about 4.0 and the technical controls and how we’re going to dive into those. So these are going to span across security and compliance areas. How can organizations identify these new technical operational controls and effectively implement them?

Brandon Breslin: At this point, if we’re talking through the stages of the transition plan and you’re now getting to a point where you want to identify those controls and implement them, you’ve already identified key stakeholders, you’ve engaged with a QSA, you’ve mapped out a transition plan and aligned it with your goals and objectives and timelines.

Now, the next piece is to understand the new requirements. But before you can understand the new requirements, you have to understand your own scope. So if it’s your first time going through PCI, or if it’s something that you’re not familiar with, again, get with your QSA and figure out what your scope is.

Ultimately, it’s your responsibility as the organization or the entity being assessed to own that scope. The QSA can validate that scope, and the QSA can assist in that process and provide guidance. Your documented scope is going to be everything that stores, processes, or transmits cardholder data, plus anything that’s connected to that cardholder data environment or provides security services to it; all of that is going to be in scope for your assessment. Once you understand your scope, then you can go down and understand the new requirements. The PCI Security Standards Council has published a number of resources out there: the full PCI DSS, which is not a quick read, of course. So they have a summary of changes document that’s about 36 or 37 pages, so a little bit easier to manage. Then they have, of course, all the templates that are out there as well.

But really, the biggest piece I want to hone in on is working with your QSA, understanding the new requirements and understanding what is most relevant to your scope specifically, because there are so many new requirements out there and it can be a little overwhelming for an organization, especially one that’s never gone down this path before. So really getting to a point where you understand which requirements are relevant specifically to your organization and where you want to get to, that’ll help you be able to have an assessment tailored to what’s relevant to you.

Jordan Eisner: When you say not gone down this path before, you’re talking about 4.0.

Brandon Breslin: Absolutely.

Jordan Eisner: So even if you’ve done 3.2.1 or whatever PCI in the past, right?

Brandon Breslin: Yeah. I will say, where the nuances can come into play is if it’s your first time doing a PCI assessment: focusing on what the scope is going to be is a bigger overhaul than for somebody that’s already gone through 3.2.1, because if you’ve already gone through 3.2.1, you already know what your scope is, unless you have some significant changes or major architectural changes, personnel turnover, process changes, things like that, that could affect the scope, and you would want to understand that. But if it’s your first time going through 4.0, many organizations, from what I’ve seen and I’m sure John has seen as well, want to dive right into it and say, what are the requirements?

Well, hold on. Before we get to the requirements, let’s make sure we have the scope documented because there are some requirements that may be not applicable to your environment.

Jordan Eisner: We talked about some flexibility earlier, some of the controls not being a steadfast requirement until maybe a year out from March of next year, so 2025, so a grace period.

What else? What other options has the council provided? John, for instance, what other things can organizations expect to be given a little leeway on?

John Barbier: PCI 4.0 introduced the concept of the customized approach. We have a defined approach in each requirement and a customized approach, and the defined approach is pretty similar to what you’re used to in the past. The customized approach allows the organization to implement custom security controls, where you’re meeting the objective of the PCI requirements. Each requirement has an objective and you design your security controls to meet those objectives.

It gives the organization flexibility, but it also requires more effort and expertise to implement and maintain. It’s best suited for organizations that have a mature security posture as well as a strong understanding of PCI DSS. The organization should be able to use new and innovative security technologies to meet their security objectives.

The organization should be able to demonstrate that its security controls are effective in protecting cardholder data. It requires documenting and testing the controls, and it needs to include manual and automated tests to make sure that the controls are operating as intended. But the benefit of the customized approach is that it provides flexibility and the ability to use new and innovative security technologies. It could also reduce the cost of controls by eliminating the need for controls that you maintain purely to meet compliance and that are not really effective as a security control, something that you’re maintaining just for compliance.

But there are also some challenges to it. You need expertise in PCI DSS, you need to engage a QSA throughout the process, right at the beginning of the design and designing the testing procedures, and it also introduces risk of non-compliance if the controls are not properly designed, implemented, and maintained.

There’s also some flexibility that is introduced with PCI 4.0 in that you are required to conduct a targeted risk analysis in determining how often you perform certain periodic requirements. So, how often you perform these functions is going to be determined by the risk assessment that you conduct to determine what the risk is to your particular organization and how you’re addressing that risk.

Jordan Eisner: Okay. Thank you, John. Well, we’ve mentioned QSA, the importance of having a QSA, please consult a QSA, talk to QSA, all these things, right, several times. So, sort of putting a bow on 4.0 and organizations and what they can do themselves and the importance of working with their third party, not just for the attestation, Brandon, but for consulting, for advisory support, right, for I think limiting potential risk, of course, but also gaps in compliance or mistakes or errors or things that they might miss that can make the process take more time and potentially more money. What role does the QSA need to play? When should you engage a QSA?

Brandon Breslin: So, like I mentioned earlier, QSAs, they’re an expert in the space, right? I mean, similar to any other aspect in life, you would want to hire an expert in that area to get recommendations and to get guidance. The PCI space is no different.

So, QSAs, for those who don’t know, are qualified security assessors. Those are certified individuals and companies, such as CompliancePoint is one of them, to be able to perform compliance validation assessments for other organizations. I will say there are independence requirements for QSAs. So, as a QSA, we have to stay independent of any process improvement or changes of controls, things like that, but we can provide guidance and recommendations, and we can also provide an attestation or an evaluation of the environment to determine its compliance status or not.

I will say at CompliancePoint, something that kind of separates us from others is that we have a separate team that can do some of those implementations or remediation, right, so that we follow the independence requirements and don’t breach them, which allows us the flexibility to be a one-stop shop for compliance.

As it relates to the QSA involvement, you should be engaging early with the QSA, not just for communication, but also for walking through, if you’re going to have a significant change, right, or if you want to understand which controls you have to implement to be compliant with 4.0. Those types of conversations are critical with the QSA.

As a QSA, we also interpret the requirements. So other QSA companies may interpret requirements in different ways, but we have a pretty strong methodology for how we interpret requirements. We have pretty diverse backgrounds and experiences of QSAs on our team. So we’re always up to date on all the latest guidance from the Council. So having a resource that’s dedicated to being an expert in the compliance field, security field, specifically as it relates to PCI is invaluable.

Jordan Eisner: All right. Well, I think that about does it. Brandon, John, thank you for your time today. Thank you to our listeners. As mentioned, make sure you subscribe and don’t miss future episodes. And for those of you already subscribed, please be sure to leave a review, maybe comments on some topics that you’re interested in hearing about.

And if you’re interested in learning more about CompliancePoint, Brandon made some great points there on our PCI services. Check us out online at CompliancePoint.com. Inquire with us at connect@CompliancePoint.com. You can reach out to Brandon, John or me directly on LinkedIn.

Thanks and see you next time.
