Hot, hot, hot . . . Hot Topic! (PCI version 4)

If you read the title of this blog to the cadence of the hot chocolate song from the Polar Express, well done – you win!  I have no idea what you won, so let’s just call it bragging rights.  Ok, enough of me and my strange sense of things, let’s get on to the actual “Hot Topic”, PCI DSS v4.  For those wondering, “What does that actually mean?”, well – Payment Card Industry Data Security Standard version 4.  Now you can go out and impress your friends with that bit of trivia.  Ok, back on topic.  The most talked about subject in the realm of IT security assurance is the upcoming release of the new payment card security standard.

Should I be panicking and becoming a cash only business?

ABSOLUTELY – not!  The current economic structure makes it almost impossible to run a business and generate enough revenue to pay your expenses on time without accepting credit card transactions.  The ability to barter and trade for goods and services is an art that has been lost to the ages.  Even mom and pop businesses (what we used to call small, individually owned family businesses) are able to accept card payments with little effort on their part, thanks to the likes of Square and PayPal acting as a processing partner.  So the short answer is – No, don’t panic or worry.  We will get through this together.

What is THE biggest change coming from version 4?

This is a complicated answer.  A lot has changed, and what is the biggest change for one entity may have little to no impact on others.  Overall, if I had to list what I believe to be the most impactful changes in PCI DSS v4 compared to the current version (3.2.1), it would be one or both of the following:

  1. A focus on ownership and accountability.  Each of the 12 sections of requirements within the DSS has always started off with “what is the policy/standard used to govern this area, and does it do so in a PCI compliant manner?”  This hasn’t changed, but a sub-requirement has been added that also specifies who owns these processes and standards: which member of management is responsible for controlling the requirements in each section, and which person is responsible for making certain the daily requirements are followed.  For those companies that have focused on strong governance to build a robust security culture, this will most likely already be documented.  For those companies that treat IT security as something the “IT people handle”, this will be a cultural shift.  The days of IT security and security assurance being run out of that dark closet in the basement by lads named Roy and Moss are coming to an end.  The threat landscape continues to evolve faster than the defensive posture of most companies, and we are well past the point where a secure culture should be a priority in most, if not all, companies.
  2. Management of the assurance process.  What does this mean exactly?  Well, it means that if you are reading the DSS and it says you must have “insert requirement here” to be compliant, but you think you have a better way that provides more security and functionality for your specific environment – you can now do it your way.  HOWEVER, before you run down this rabbit hole you need to be very mindful of what it truly entails.  The introduction of the “customized approach” at first glance looks like an invitation to ignore the security standards and just do things your way.  To quote a great general of my time, “It’s a trap.”  Now, I’m not saying the council is setting you up for failure with this; what I mean to say is that that line of thought is the trap.  The amount of work needed to use the customized approach is significantly higher than the standard way of achieving compliance.  For EACH requirement that you wish to meet with the customized approach, you must perform a validated targeted risk assessment (on top of the one already required; each one is specific to the individual requirement and must be completed prior to the start of the assessment).

There are some other changes, some of them significant, but these are the ones that I feel are the most widespread.  We will talk about the other changes coming with version 4 in future blogs and podcasts, so don’t worry.  We will cover it all.

Ok, so break it all down for me.  How do I prepare for v4?

The initial steps are like those for any other issue or change in the environment.  Educate yourself.  Seek out blogs on topics you feel need improvement.  Read other posts; find podcasts, videos, and articles.  The council website (https://www.pcisecuritystandards.org/document_library/) has a lot of great information.  Once you feel you have a decent understanding of the v4 requirements, start looking over your environment to see how it impacts your day-to-day operations.  When you identify areas that are lacking, create a workstream for a project.  Some of these will be for upgrades to processes, etc., others will be for the customized approach (and, unfortunately, some will be for compensating controls).

If this sounds like a large amount of work, then that is good.  Take PCI seriously and do the work thoroughly.  Remember, the goal is NOT to be PCI compliant but rather to be as secure as possible, with PCI compliance being one of the KPIs showing that you are achieving your goals.

Conclusion

I know we only scratched the surface on PCI DSS v4, but to discuss it all would require me to write you a book (you are welcome to print out the blogs on the topic and put them in a folder if that is what you desire – I will be truly flattered).  If you feel as though the change is too much, we understand.  Those of us here at TBF work in IT security assurance, governance, and data privacy full time, and it is a lot for us to take in as well, so know that you are not alone in that feeling.  However, it is manageable with the proper processes and planning in place.  There are also other consultants out there who can help you (and will do so gladly).

Find someone you trust who will take the time to get to know you, your environment, and your company’s threat appetite, and work with them on the preparation and transition over to v4.  You have all of 2023 to get the work done, so while there isn’t time to waste, you do have time to plan and take action.

As always, if you have any questions, reach out to us via social media or the contact information listed on the website.

Thanks for reading.  Talk to you soon!

Shawn Adams – @TBF_shawn (Twitter)

12 Replies to “Hot, hot, hot . . . Hot Topic! (PCI version 4)”

  1. Thank you for another wonderful article. Where else may anybody get that type of info in such an ideal manner of writing? I have a presentation next week, and I am searching for such information.

  2. I am really enjoying the theme/design of your weblog. Do you ever run into any internet browser compatibility issues? A few of my blog audience have complained about my site not operating correctly in Explorer but looks great in Opera. Do you have any suggestions to help fix this issue?

  3. I think this is among the most significant information for me. And I am glad reading your article. But I should remark on a few general things: the site style is great, the articles are really nice :D. Good job, cheers.

  4. Thank you for the good writeup. It actually was a leisure account it. Glance complicated to far added agreeable from you! By the way, how can we keep up a correspondence?
