This article was written by Ryan Bigelow, Director at FoxPointe Solutions.
The Payment Card Industry Security Standards Council (PCI SSC) has released version 4 of the Data Security Standard (DSS). This is the first major update to the standard since PCI DSS v3.0 was issued in November 2013. With this major release came the addition of numerous new requirements that are currently considered best practices until March 31, 2025. Unfortunately, some organizations may put these new requirements out of sight and out of mind until they must absolutely be assessed. This article will focus on navigating the challenges that PCI DSS v4.0 brings and the benefits of partnering with a QSA Company, such as FoxPointe Solutions.
The New Requirements
There are sixty-four (64) new and evolving requirements introduced as part of PCI DSS v4.0. Additionally, there were many changes to the framework structure, format, numbering, and wording that are not considered new and evolving but do represent changes. Of the new 64 requirements, many will be applicable even for organizations that previously had a reduced scope. For example, the SAQ A under 4.0 now requires external vulnerability scanning, and Requirements 6.4.3 and 11.6.1 necessitate additional security measures on e-commerce payment pages. Many of these new requirements are challenging to understand, even for experienced GRC Professionals and Technical Subject Matter Experts (SMEs). Our PCI QSAs have been fully trained in PCI DSS 4.0 and have been performing gap assessments for numerous clients since the release. What we’ve observed so far is a significant learning curve in getting everyone on the same page with what the new requirements are asking and what types of evidence need to be provided. Working with a QSA directly helps alleviate some of the new language barriers, ensuring both sides are in alignment.
Challenge: Understanding and interpreting the 64 new requirements is difficult.
Benefit: Working with a QSA, such as FoxPointe Solutions, is beneficial because our assessors are immersed in the PCI DSS every day and work closely with client teams to be a liaison between the framework and subject matter experts.
The Struggles So Far
As expected, organizations are struggling with certain requirements more than others. Adding phishing as a topic to the Security Awareness Training might be easier (for some) than providing an inventory of all cryptographic protocols, ciphers, and suites. FoxPointe Solutions fields a lot of questions about how specific requirements will impact our customers. One such example, Requirement 8.4.2, now requires Multi-Factor Authentication for all user access to the CDE, sparking many conversations with clients. We work with them to provide guidance and recommendations regarding applicability, whether it is currently in place, or whether an additional layer of Multi-Factor Authentication needs to be implemented. Another prime example is Requirement 11.6.1, which demands monitoring and alerting for changes to payment page content and HTTP headers. New requirements such as these may require additional time, resources, or tooling to implement.
Challenge: Organizations of all sizes and shapes must be ready for the new PCI DSS v4.0 requirements, and some of the requirements are more challenging and require more effort.
Benefit: Working with a QSA, such as FoxPointe Solutions, can help your organization to simplify compliance, identify potential gaps, and prioritize the harder-to-implement controls.
Avoiding Last-Minute Surprises
QSA Companies must start using the new PCI DSS v4.0 reporting template for assessments starting after March 31, 2024. The new, future-dated requirements are considered a best practice until March 31, 2025. For those that push the future-dated requirements off, there is an added risk of having an unwelcome surprise during the first full-blown 4.0 assessment. Finding out that the report is non-compliant because the organization didn’t adequately prepare could have significant consequences such as bank fines, loss of customers, loss of jobs, and/or damage to the reputation of the organization.
Challenge: Organizations who do not perform a gap assessment or otherwise prepare for 4.0 are more likely to have non-compliant findings or surprises during the assessment.
Benefit: Working with a QSA, such as FoxPointe Solutions, can help identify compliance gaps early so that unexpected surprises during the assessment are much less likely.
Changes Take Time
The time it takes for organizations to complete project implementations will vary based on the size and complexity of the business. However, it is common for project implementations to take a considerable amount of time. Change management and development lifecycles typically require approvals, multiple iterations, peer reviews, Quality Assurance, technical testing, user acceptance testing, bug fixes, maintenance, etc. It would also be wise to account for the possibility that things might not go perfectly according to plan, and there may be additional troubleshooting, break/fix, and backup and restore activities involved with new implementations. Additionally, some organizations may have blackout periods during their busy period (e.g., Holidays, Tax Season, Summer) where no changes are allowed to be made.
Challenge: Making changes to production environments and/or rolling out new technologies often takes a considerable amount of time.
Benefit: Working early with a QSA, such as FoxPointe Solutions, may provide development and technical operations teams the additional time needed to complete any new project implementations.
Budget Planning
There are situations in which additional technologies or solutions may be required to meet new PCI Requirements. For example, organizations may need to invest in external vulnerability scanning, multi-factor authentication, web application firewall, client-side protection, training, and so on. There are costs associated with procuring and implementing such solutions, and with budgets under heavy scrutiny, it is important to identify the types of technologies and solutions that will need to be implemented sooner than later so that the organization can properly set aside an appropriate budget for them.
Challenge: Organizations may not know what technologies or solutions will be needed to meet PCI compliance and cannot accurately prepare their security budget.
Benefit: Working with a QSA, such as FoxPointe Solutions, can help identify areas where an additional technology or solution would help, while providing multiple vendor-agnostic recommendations or identifying sensible alternative solutions.
Being Prepared
There are a lot of new types of evidence and artifacts that will need to be produced during the course of a PCI DSS v4.0 assessment. When your organization receives the request list and it asks for the Inventory of Trusted Keys and Certificates, Inventory of Bespoke or Custom Software, Inventory of Payment Page Scripts, Targeted Risk Analysis, Scope Reviews, etc., it may be overwhelming for the unprepared. Being adequately prepared to provide the evidence upon request will help avoid any last-minute scrambling to produce an artifact and hope it is accepted.
Challenge: There are several new types of inventories, artifacts, and other types of evidence that will need to be provided during a 4.0 assessment that was not previously requested and may not yet exist.
Benefit: Working with a QSA, such as FoxPointe Solutions, can help your organization identify the types of artifacts needing to be created, what data needs to be included, and provide a good starting point for the teams that will be providing the evidence down the road.
Contact FoxPointe Solutions
We hope you found this article insightful and if you have any doubts about your organization’s preparedness then we encourage you to contact us about performing a PCI DSS v4.0 Gap Assessment. Additionally, we are excited to announce the launch of our new PCI DSS v4.0 toolkit, a comprehensive set of policies and procedures designed to streamline and enhance your compliance efforts. To learn more about how FoxPointe Solutions can help your organization with security and compliance, please do not hesitate to contact me directly at rbigelow@foxpointesolutions.com or visit www.foxpointesolutions.com or contact us today.
FoxPointe Solutions, a division of The Bonadio Group, is a Qualified Security Assessor (QSA) company registered with the PCI Security Standards Council under Bonadio & Co. LLP.