S2 E17: Where you Should be in the Transition to PCI DSS v4.0

Jordan Eisner: Well, thanks everybody for joining. I’m your host, Jordan Eisner, and welcome back to Compliance Pointers.

I’ve got two guests with me today, one of which I’m sure has been on the show before, Brandon Breslin, Associate Director of CompliancePoint and our PCI Practice Lead. Nathan, remind me, have you been on?

Nathan Todd: I have not yet. This will be my first time.

Jordan Eisner: All right. Introducing Nathan Todd. Nathan, excited to have you here. You look excited to be here. Tell us a little bit about yourself.

Nathan Todd: I’m happy to be here. I am in my second year here at CompliancePoint as a security consultant. I’ve got a long history working in IT administration and compliance of various forms, so I am happy to continue to share the knowledge and help all of our clients and anybody else that happens to be listening try and meet their compliance needs.

Jordan Eisner: Well said. Brandon, beyond being the leader of our PCI group, has been doing PCI type work for over 10 years now, or around there at least, and even prior to CompliancePoint, was doing it for another big consulting firm. He is a UGA graduate, I know you want me to throw that out there with that shirt you’re wearing.

Well, we’ll get into it. So today we’re talking about where organizations should be in their transition of PCI DSS 4.0. Now that 3.2.1 is officially retired, I know that makes both of you sad, but it’s gone. We’re on 4.0 now.

So one of you, whoever wants to start, provide a summary, right? Where are we in the transition process?

Brandon Breslin: Yeah, you hit on it, Jordan, that 3.2.1 is retired. So as of the end of March, no longer, unless you’ve gotten, you know, your organization has gotten card brand approval, you cannot do a 3.2.1 assessment anymore with a QSA firm.

All assessments now, since they’re on 4.0, that’s obviously a big change, right? There’s a good amount of requirements. I know for most of our clients, we’ve done bridge assessments to help them, you know, bridge the gap, not to use the same word again, but really tie the knot between those requirements to understand what those changes are.

And as it relates to the transition period, right, we’re in as we do this recording, we’re now in May. So we’re almost midway through 2024. Most of the new requirements, and I know Nathan will touch on some of those, but the new requirements are mostly future-dated to March 31 of 2025.

So while, yes, there are a lot of new controls and it may be, you know, a little overwhelming to move into this new standard, just know that a lot of those new controls, you have a grace period right now.

You really got a, you know, nine-month grace period right now or a little bit more than that to be able to implement some of those operational controls, technical controls, new policies and procedures that need to be implemented and evaluated.

Jordan Eisner: And before we get on to what controls need to be implemented, I would say for this year, their last 3.2.1 assessment to next year or their next assessment that is 4.0. I guess just a little bit of bolt on to the one before. Out of my own curiosity, what percent type of lift or delta change are you seeing, like, and having to go 3.2.1 to 4.0, maybe we’ve seen that. Are you finding that organizations we’re talking and working with now are struggling with that? Or most of them are pretty set to accomplish that if they’re familiar with PCI.

Brandon Breslin: It’s a great question. You know, I would say the interesting thing that we are seeing is most clients come off as a little overwhelmed or they’re worried or they have, you know, angst about the new requirements. But as we get into it, they realize, oh, we actually have a lot of those controls already implemented, you know, anti-phishing controls or additional vulnerability scanning requirements. A lot of these controls that are common to other security frameworks because PCI, quite frankly, the PCI council was a little bit behind the eight ball.

Jordan Eisner: That’s what I was going to say. It’s almost like it’s not necessarily these new daunting controls. It’s a bit of a catch-up.

Brandon Breslin: Right. It is, because, you know, when you look at these security frameworks across the board, and I’m sure Nathan can give more detail, too, but when you look at these frameworks across the board, the core competencies or even, you know, the core concepts of these are very similar. They overlap between NIST, SOC, HIPAA, HITRUST, PCI. They’re very similar cybersecurity general concepts. And PCI was a little bit of behind the eight ball or in a catch up.

Nathan Todd: So talking simply numbers-wise, it is about a 20% change across the board for these new and evolving controls versus the old ones. And like Brandon said, a lot of these were things you were doing already or probably should have been doing already. So it really is just the DSS catching up.

A lot of the ones that are future dated that are not going to come into effect until next year are ones that are a lot more specific just to PCI. And it’s just specifics in the reporting and kind of your handling of the cardholder data, so to lay out specifically what you’re allowed to do or specifically how it has to be reported on.

Jordan Eisner: OK, yeah, very helpful. So getting back to the controls, what needs to be implemented this time around versus next time around?

Nathan Todd: Well, there are about 12 or 14 controls that are brand new required immediately. Now, these ones are not that big of a lift. Most of them are going to be paperwork or kind of tracking of paperwork. You end up with a dot one, dot two control for each major requirement that spreads out the roles and responsibilities for each of those major requirements into the individual ones.

So basically what the DSS wants is for staff that is meeting the requirements one through 12 to know what their responsibilities are and to acknowledge their responsibilities. So again, staff already knows what they’re doing. Now you really just kind of need the paperwork to prove it.

So updates to policy to show that you have these job roles assigned to people and then an acknowledgement by that staff that could be as part of their annual security training to again acknowledge that they know these are their duties and they’re performing them.

The new ones that are a little bit more of a handful, and there’s just a couple, is kind of the declaration and maintenance of your PCI scope. So this is specifically requirement 12.5.2, and it requires the assessed entity to keep track of what their scope is and have it written down and declared.

You know, in the past they were doing this anyway because you’d come to the assessment and you would tell us what your scope is and then we would validate it. But this puts just a little bit more of the onus on the assessed entity to actually have it written down somewhere so that it’s visible to all staff and everyone that is going to have to play a role in maintaining this scope.

The final one there that we’re not really seeing a lot of yet is the targeted risk analysis. So if you were doing one of the customized approaches that requires targeted risk analysis, you have to maintain the targeted risk analysis. Now, the key here is if you’re doing the customized approach, you have to do the targeted risk analysis. The full targeted risk analysis doesn’t really come into place until 31 March 2025, and that’s for every control that has a periodic requirement to it.

So the stance where the DSS gives you an allowance to decide how frequently you’re going to perform a control, you need to do a targeted risk analysis to justify your timing for that periodic requirement.

Brandon Breslin: Yeah, you hit on a great point, Nathan, about the TRAs, the targeted risk analysis. You know, Jordan, you asked earlier what are some of the, you know, worries or what are some of the challenges maybe that clients are experiencing with 4.0? I think determining the frequency for those periodic requirements. What makes sense, right? How often should I be implementing some of those controls? Because the council is now granting that flexibility.

And, you know, what we would say to that is look at the control, what type of data is being protected or what type of data you’re trying to, you know, evaluate or, you know, what is the sensitivity of that data that you’re trying to protect, right? And then what is the level of, or what’s the frequency based on the risk for your organization, right? What is based on the risk of that control, based on the risk of the data that’s being protected, and based on your risk appetite or your willingness to take on risk as an organization, that would determine the frequency.

Jordan Eisner: Okay. Good stuff. So what should clients be doing now to prepare for 4.0 assessments?

Brandon Breslin: Yeah, first and foremost, if you have not, you know, if this is the first time you’re hearing of 4.0, you know, work with your current QSA or reach out to your QSA firm that you’ve been doing 3.2.1 assessments for and understand those new requirements. Like I mentioned earlier, for current clients, we do bridge assessments to help understand the new requirements.

Build a roadmap. Talk with your key stakeholders internally. Come up with a plan. Engage every department that needs to be involved. Determine the timeframe of when you want to implement some of these new controls. You know, you have the grace period right now. Use that to your disposal. Use that to your advantage. Get everybody involved. Map out testing that may need to be done.

If you need to implement some of your, you know, new operational controls or new technical controls, make sure you have a plan to develop those and test those. If you’re working with third parties, make sure you have agreements in place. Make sure you’ve engaged them and evaluated the timeframes that they need to implement controls for you. Or if you’re relying, if you need to rely on a new third party, start having those conversations today so that you can do your due diligence in this grace period.

Jordan Eisner: What else should someone consider, right, for transitioning to 4.0 beyond what you just mentioned there?

Nathan Todd: Well, I think Brandon’s really hit on a lot of them. A lot of this is, it’s going to be communication within, within the company, with their other departments. A lot of the clients we deal with, we mainly interface with compliance staff. And in most cases, compliance staff, they on their own, can’t affect change and force these requirements to be met. It takes buy-in from those above their heads and then interaction with all their other departments.

If you’re making changes to policy, you’ve got to have somebody approve the policy. It may have to go to a board for vote.

Some of these newer controls are technical controls like Brandon has mentioned. So if you have payment pages, there needs to be automated monitoring of scripts on those payment pages. Again, this is something that compliance staff can’t deal with on their own; it’s going to take buy-in and work with IT or development staff. And it’s just making sure all the pieces fall into place in the correct timeline. I don’t think we’ve seen any organization that we’ve dealt with so far that is not able to meet these controls. It’s just the timeline and scheduling to make sure they have the controls in place when they need them to be in place.

Brandon Breslin: And you hit on the executive management piece, which is a great point, Nathan, that you cannot, in your organization, yes, there’s different sizes and complexities, but 99 times out of a hundred, unless you are getting buy-in from executive management, senior management, board of directors, whoever the governing body of your organization is, you can’t proceed with implementing that control or modifying that policy or procedure. Sure, there’s exceptions and nuances to that rule, but most of the time we see that, you know, as an organization, you have to get buy-in from some type of executive personnel. And that’s so critical to be able to move the organization forward in some, in a topic that we’ve discussed on multiple episodes of this podcast before, of having security first and compliance as a by-product of that.

So if you, if you’re looking at these new controls, looking at these new requirements from a security focus first, from a cyber focus, that will allow you to not only just hit the minimum baseline to be compliant with the control, you’re hitting what needs to be done from a security perspective to protect that data that you’re trying to protect. And it allows you to also be compliant with the control as a natural by-product of that, because a lot of these requirements in PCI are not intense or difficult. It’s just getting the organization to follow suit with what needs to be done from a security standpoint.

Nathan Todd: Yeah. I think you’ve got really great points there all along the board. I think a lot of the new changes here, the biggest things that organizations are going to want to deal with, is communications, dealing with the security and knowing the assets and the environments they’re trying to protect and communicating those controls and those assets to all responsible parties.

One of the bigger things with scope is to again, make sure that everybody who’s involved in the process knows what assets we’re trying to protect, what processes we’re trying to protect, and then to communicate those to their customers as well. One of the newer controls here is to have a more defined approach to communicate compliance with your customers so that whether you have shared responsibilities, it’s very clear who has responsibility for which controls. And I think that just goes to security in general across the board and viewing it as a shared responsibility of everyone to try and make everything that we have that we have to deal with as secure as possible.

Jordan Eisner: Well said. So, most of our listeners, or our regular listeners, probably know that we’re a qualified security assessor and we do PCI audits. It’s part of why we’re talking about it. But besides doing a 4.0 audit, you know, a lot of the challenges we’re talking about within an organization, the buy-in and policy changes, sometimes that can be brought to the forefront with some sort of mock assessment, right, or some sort of engagement that brings us to the forefront. Having a third party say that helps make it a little bit more compelling internally. What are we doing at CompliancePoint beyond just audits to help organizations around 4.0?

Brandon Breslin: Yeah, I think, you know, it’s a great question. I would say the core principle that, you know, we take on is being a hand-in-hand partner, right? We’re not just a, to your point, an audit firm or a consulting firm. We’re truly a partner that’s walking with you to establish a roadmap and a plan for continuous orchestration for being able to not only be compliant with these requirements at one time, but on a year-over-year basis, and also to build out a plan to get your environment to be in a more robust and security, a more mature security posture.

It’s to be able to align with the methodology that we talked about earlier, putting security first. Yeah, there’s requirements that you have to fulfill, but it’s not really about being compliant with the requirements. It’s about protecting your customer’s data, protecting your client’s data, your third party’s data, whoever you’re working with, your assets, and ensuring that you’re putting a security focus on those.

Nathan Todd: I think you’ve really hit the point there that we try to communicate to all of our customers is that we’re here to be your business partner. We’re here to help you meet your both compliance and security goals, because I think a lot of us, our goal is to try and make all of our customers and the digital environment we all live in as secure as possible. We do a lot of bridge assessments and these gap assessments for new customers, and at least in my opinion, those are great learning opportunities, great educational portions, because we get the chance to come in and sit down with clients and talk about their environment and teach them what these new controls are and see if they’re already meeting them and talk to them about how they might change processes or what tools they might use to meet compliance in these things.

It’s really enjoyable to me because we get to talk about this stuff and share the knowledge that we have with somebody who’s interested in it.

Jordan Eisner: Outside the traditional audit vein. So collaborate with them. We have a consultant who a lot of times likes to say, hey, we’re not the Bobs from Office Space, if our listeners know that movie and that situation with them and the cagey feel of those interviews.

Okay, well I think that’s a wrap. Brandon, Nathan, thank you for your time today. Thank you to our listeners. Just a reminder, this is the sort of content we produce on a regular basis. If this is your first time listening, please subscribe. If you’re a regular listener, leave us a review, request maybe an episode or a topic or something you’d like to hear. And as always, if you’re interested in learning more about CompliancePoint or our services, there are many channels you can reach out. You can reach out to myself, Brandon or Nathan on LinkedIn. We’re all on there.

You can come to our website and schedule a meeting. You can email in plenty of channels to reach out. So we’d be more than happy to take any information that way. Until next time, thanks everyone.
