PCI DSS 4.0 – How Do I Transition?

Cyber Security Strategy

Written by Gary Watts and Allen Baranov, Governance, Risk and Compliance, 12 March 2024


As our recent blog ‘PCI DSS 4.0 – What do I need to know?’ outlined, from Sunday 31 March 2024 PCI DSS 3.2.1 will be retired and organisations will need to transition to and report against the new PCI DSS version 4.0.


To help with the transition to PCI DSS version 4.0 (v4.0), CyberCX recommends the following six steps you should undertake before conducting an assessment of your payment processes against version 4.0 of the standard.

1. Understand the new requirements
2. Document and validate your PCI scope
3. Undertake a gap assessment and develop a roadmap
4. Educate your personnel
5. Implement the roadmap
6. Test the effectiveness of security controls


Step 1 – Understand the requirements

PCI DSS v4.0 brings 64 new requirements along with approximately 100 changes to existing requirements to address evolving threats or provide clarification and additional guidance. It is essential that teams managing an organisation’s PCI compliance understand the changes, the impact to their organisation and their roles and responsibilities for securing the organisation’s data.

Engaging a Qualified Security Assessor (QSA) to assist with interpreting the new standards and their applicability to your organisation can significantly reduce the risk of non-compliance and rework during your transition to PCI DSS v4.0.


Step 2 – Document and validate your PCI scope

Understanding your PCI scope, the roles and responsibilities of your organisation and its service providers, and your reporting requirements is critical to any PCI DSS assessment. In our experience, two significant contributors to wasted time and resources on unnecessary activities, or to being found non-compliant during a PCI DSS assessment, are incorrectly scoping the organisation’s environment and failing to validate that segmentation controls are operating effectively. Non-compliance could lead to increased fees or penalties.

To address this, PCI DSS v4.0 now includes Requirement 12.5.2, which requires organisations to document and validate their PCI DSS scope at least annually and after any significant change.[1] This includes:

  • Identifying and documenting account data flows
  • Identifying and documenting where account data is stored, processed, and transmitted
  • Identifying and documenting systems and components
  • Identifying and documenting segmentation controls
  • Identifying and documenting third-party connections

By documenting and validating your PCI DSS scope, you establish a solid foundation on which to build your PCI DSS compliance program.


Step 3 – Undertake a gap assessment and develop a roadmap

Once you understand the PCI DSS v4.0 requirements, conduct a gap assessment to identify your organisation’s current level of compliance with the standard and the areas where controls are deficient or missing. Engaging a QSA to help validate your defined scope and evaluate the requirements supports a consistent understanding and application of the standard.

Based on the results of the gap assessment, your organisation can develop a roadmap that prioritises transition and remediation effort and resources. Many of the new requirements are best practice until 31st March 2025 and compulsory thereafter. This delay gives organisations time to identify and plan for their implementation now as part of the roadmap.


Step 4 – Educate your personnel

It is essential to educate and train your people about their role in keeping your data secure and meeting the requirements of the PCI DSS. For each high-level requirement in PCI DSS v4.0, there are one or more sub-requirements to document and assign roles and responsibilities for performing the activities associated with the requirement, and to ensure they are understood by your people.

Establishing roles and responsibilities allows you to identify any skills or knowledge gaps. Security education and training requirements for your people, particularly in relation to phishing attacks and acceptable use of systems, are updated in v4.0. This may require organisations to update their security awareness programs.


Step 5 – Implement the roadmap

When implementing the roadmap and associated security controls, ensure the controls are incorporated into business-as-usual (BAU) processes to support long-term, continuous compliance. When controls are part of BAU processes, organisations can more readily avoid the recurring cycle of short-term compliance followed by periods of non-compliance and short-term remediation around each annual audit.

Select technologies and solutions that have been tested and validated against security standards for the protection of payment data, including Point-to-Point Encryption (P2PE) Solutions, Validated Payment Software, and Approved PIN Transaction Security (PTS) Devices. Similarly, use validated service providers for payment-related services and for any services that could affect the security of the PCI environment.


Step 6 – Test the effectiveness of security controls

The new standard emphasises the importance of security as a continuous process and that PCI compliance and cyber security are not just annual activities. To ensure security controls remain effective, it is important that they are tested both regularly and after significant changes to the environment.

PCI DSS v4.0 will potentially require changes to existing security controls or the implementation of new ones. Testing as part of a transition plan is therefore essential and will help avoid non-compliant findings at the time of your annual assessment. In addition, the effectiveness of key security controls such as segmentation, access management, vulnerability management and logging should be monitored on a regular, ongoing basis.

For more risk-mature organisations, consider incorporating testing of security controls into an information security management system (ISMS) to monitor and evolve security controls in line with changes to the organisation.


Summary

While every organisation’s journey towards compliance with PCI DSS v4.0 will be different, by following the six steps outlined in this blog you can develop an effective transition plan.


For additional information, join CyberCX’s PCI DSS v4.0 webinar on the 21st March or talk to one of our Qualified Security Assessors (QSAs).

[1] https://www.pcisecuritystandards.org/faq/articles/Frequently_Asked_Question/What-is-meant-by-significant-change-in-PCI-DSS/