It’s time for your organization to take action and transition to PCI DSS v4.0 Compliance. The Payment Card Industry Data Security Standard (PCI DSS) has recently been updated to version 4.0, introducing significant changes to the standard. Organizations can now choose to be evaluated against the previous version, 3.2.1, or migrate to the new 4.0 version.
How long have I got left?
PCI DSS v4.0, released in March 2022, made significant changes to PCI DSS, helping organizations meet the evolving needs of the payment security sector. There is a greater focus on security as a continuous process and increased flexibility in how organizations meet the requirements.
While PCI DSS v3.2.1 remains valid until 31 March 2024, it is highly recommended that organizations begin their journey towards PCI DSS v4.0 as soon as possible.
This newer version, released in March 2022, introduces a continuous security process and provides increased flexibility in meeting the requirements.
Source: PCI Security Standards Council
The importance of the transition period
The transition period has proven vital for organizations, allowing them to fully understand the new and updated requirements before implementing any necessary changes.
At CSA, we recognize the importance of this period and have been actively assisting clients in navigating the transition.
How can CSA help you?
To illustrate how CSA can help organizations during this shift, we present two case studies showcasing effective preparation strategies.
Case Study 1: National Service Provider in the Energy Sector
In this case study, a national service provider in the energy sector engaged CSA to assist in completing their Self-Assessment Questionnaire. During the engagement, CSA consultants provided insights into the PCI DSS requirements coming into force the following year and found that, although the client operated as a service provider, the nature of their environment meant several requirements of the standard were deemed ‘Not Applicable’, which is excellent news for an organization. However, given the requirements that remained ‘Applicable’ and the introduction of PCI DSS v4.0, the CSA experts identified that the client would likely see an increase in requirements and obligations. To address this, CSA set out the available options and recommended a solution based on a hosted payment page, which would reduce both their scope and the requirements they were obliged to meet.
This would likely incur a cost to the organization in the short term, but it would result in long-term benefits such as:
- Reduced effort required to meet the standard
- Reduced consultancy costs, as assessments take less time
- Increased security
- Protection of customers from fraud, identity theft, and more…
Additionally, the evolution in the methods an organization may use to comply presented an opportunity. The client’s Chief Information Security Officer (CISO) had grown frustrated with the limited ways in which penetration testing could be carried out. The previous standard, 3.2.1, only allowed formal penetration tests and restricted the ability to use alternative approaches and similar tooling, such as bug bounty programs.
On the other hand, the introduction of the Customized Approach in version 4.0 creates the opportunity for an organization with a mature and robust security posture to meet the intent of a requirement in an appropriate way that suits their business best. Whilst this introduces and places great importance on separate annual activities, e.g., a Targeted Risk Analysis (TRA) relating to the control implementation, it also creates greater flexibility. To understand how to customize your approach to PCI DSS version 4.0 to fit your company requirements best, check out PCI DSS v4.0: The Customized Approach, where CSA dives into this topic.
Case Study 2: Global Sports and Entertainment Organization
In another case study, the CISO of a global sports and entertainment organization sought help from CSA to manage their requirements within SureCloud’s GRC platform. The organization had followed a 12-month program to meet a whole host of PCI DSS requirements that were previously thought to be in scope for their organization. In parallel, CSA consultants provided a scope validation and gap assessment. As a result of some of the work they had already performed, it was discovered that they had in fact de-scoped a large part of their environment by introducing methods like those discussed in the case study above. Having done the ‘hard work’, implementing the remaining controls came quite easily to them. Once they had successfully completed their first annual PCI assessment, it was suggested that they look at version 4 promptly and not delay the implementation of any new controls. One of CSA’s experts provided a workshop involving several stakeholders from key departments.
The workshop covered the following:
- An overview of the new PCI DSS version 4
- Their current position in terms of control compliance
- The key differences between the versions, and which additional controls apply to their scope
Following this workshop, a roadmap to compliance was created for the organization to follow and implement.