{"id":1,"date":"2022-09-04T23:37:00","date_gmt":"2022-09-05T04:37:00","guid":{"rendered":"https:\/\/terrabytefoundry.com\/blog_s\/?p=1"},"modified":"2022-09-03T21:55:43","modified_gmt":"2022-09-04T02:55:43","slug":"hello-world-pci-payment-card-industry-qsa","status":"publish","type":"post","link":"https:\/\/terrabytefoundry.com\/blog_s\/2022\/09\/04\/hello-world-pci-payment-card-industry-qsa\/","title":{"rendered":"Hot, hot, hot . . . Hot Topic! (PCI version 4)"},"content":{"rendered":"\n<h4 class=\"wp-block-heading\">Hot, hot, hot . . . Hot Topic! (PCI version 4)<\/h4>\n\n\n\n<p>If you read the title of this blog to the cadence of the hot chocolate song from the Polar Express, well done \u2013 you win!\u00a0 I have no idea what you won, so let\u2019s just call it bragging rights.\u00a0 Ok, enough of me and my strange sense of things, let\u2019s get on to the actual \u201cHot Topic\u201d, PCI DSS v4.\u00a0 For those wondering, \u201cWhat does that actually mean?\u201d, well \u2013 Payment Card Industry Digital Security Standards version 4.\u00a0 Now you can go out and impress your friends with that bit of trivia.\u00a0 Ok, back on topic.\u00a0 The most talked-about subject in the realm of IT security assurance is the upcoming release of new payment card security standards.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\">Should I be panicking and becoming a cash-only business?<\/h4>\n\n\n\n<p>ABSOLUTELY \u2013 not!&nbsp; The current economic structure makes it almost impossible to run a business and generate revenue sufficient to pay your expenses in a timely manner without the use of credit card transactions.&nbsp; The ability to barter and trade for goods and services is an art that has been lost to the ages.&nbsp; Even mom-and-pop businesses (what we used to call small, individually owned family businesses) are able to accept card payments with little effort on their part, thanks to the likes of Square and PayPal acting as processing partners. 
So the short answer is \u2013 No, don\u2019t panic or worry.&nbsp; We will get through this together.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\">What is THE biggest change coming from version 4?<\/h4>\n\n\n\n<p>This is a complicated answer.&nbsp; A lot has changed, and what is the biggest change for one entity may have little to no impact on others.&nbsp; Overall, if I had to list what I believe to be the most impactful changes within PCI v4 compared to the current version (3.2.1), it would be one or both of the following:<\/p>\n\n\n\n<ol class=\"wp-block-list\" type=\"1\"><li>A focus on ownership and accountability.&nbsp; Each of the 12 sections of requirements within the DSS has always started off with \u201cwhat is the policy\/standard used to govern this area, and does it do so in a PCI-compliant manner?\u201d&nbsp; This hasn\u2019t changed, but a sub-requirement has been added to also specify who owns these processes and standards: who is the member of management responsible for controlling the requirements in each section, and who is the person responsible for making certain the daily requirements are followed?&nbsp; For those companies that have been focused on strong governance to build a robust security culture, this will most likely already be documented.&nbsp; For those companies that treat IT security as something the \u201cIT people handle\u201d, this will be a cultural shift.&nbsp; The days of IT security and security assurance being run out of that dark closet in the basement by lads named Roy and Moss are coming to an end.&nbsp; The threat landscape continues to evolve faster than the defensive posture of most companies, and we are well past the time when a secure culture should have become a priority in most, if not all, companies.<\/li><li>Management of the assurance process.&nbsp; What does this mean exactly?&nbsp; Well, it means that if you are reading the DSS and it says you must have \u201cinsert requirement here\u201d to be compliant, but you think that for 
your environment you have a better way that provides more security and functionality \u2013 you can now do it your way.&nbsp; HOWEVER, before you run down this rabbit hole you need to be very mindful of what it truly entails.&nbsp; The introduction of the \u201ccustomized approach\u201d at first glance looks like an invitation to ignore the security standards and just do things your way.&nbsp; To quote a great general of my time, \u201cIt\u2019s a trap.\u201d&nbsp; Now, I\u2019m not saying the council is setting you up for failure with this; what I mean to say is that that line of thought is the trap.&nbsp; The amount of work needed to use the customized approach is significantly higher than the standard way of achieving compliance.&nbsp; For EACH requirement where you wish to use the customized approach, you must perform a validated targeted risk assessment (on top of the one already required); each of these is specific to the individual requirement and must be completed prior to the start of the assessment.&nbsp;<\/li><\/ol>\n\n\n\n<p>There are some other changes, some of them significant, but these are the ones that I feel are the most widespread.&nbsp; We will talk about the other changes coming with version 4 via future blogs and podcasts, so don\u2019t worry.&nbsp; We will cover it all.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\">Ok, so break it all down for me.&nbsp; How do I prepare for v4?<\/h4>\n\n\n\n<p>The initial steps are the same as for any other issue or change in the environment.\u00a0 Educate yourself.\u00a0 Seek out blogs on topics you feel need improvement.\u00a0 Read other posts; find podcasts, videos, and articles.\u00a0 The council website (<a href=\"https:\/\/www.pcisecuritystandards.org\/document_library\/\">https:\/\/www.pcisecuritystandards.org\/document_library\/<\/a>) has a lot of great information.\u00a0 Once you feel like you have a decent understanding of the v4 requirements, 
start looking over your environment to see how they impact your day-to-day operations.\u00a0 When you identify areas that are lacking, create a workstream for a project.\u00a0 Some of these will be for upgrades to processes, etc., others will be for the customized approach (and unfortunately some will be for compensating controls).<\/p>\n\n\n\n<p>If this sounds like a large amount of work, then that is good.\u00a0 Take PCI seriously and do the work thoroughly.\u00a0 Remember, the goal is NOT to be PCI compliant but rather to be as secure as possible, with PCI compliance being one of the KPIs showing that you are achieving that goal.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\">Conclusion<\/h4>\n\n\n\n<p>I know we only scratched the surface on PCI DSS v4, but to discuss it all would require me to write you a book (you are welcome to print out the blogs on the topic and put them in a folder if that is what you desire \u2013 I will be truly flattered).\u00a0 If you feel as though the change is too much, we understand.\u00a0 Those of us here at TBF work in IT security assurance, governance, and data privacy full time, and it is a lot for us to take in as well, so know that you are not alone in that feeling.\u00a0 However, it is manageable with the proper processes and planning in place.\u00a0 There are also other consultants out there who can help you (and will do so gladly).<\/p>\n\n\n\n<p>Find someone you trust who will take the time to get to know you, your environment, and your company\u2019s risk appetite, and work with them on the preparation and transition over to v4.\u00a0 You have all of 2023 to get the work done, so while there isn\u2019t time to waste, you have time to plan and take action.<\/p>\n\n\n\n<p>As always, if you have any questions, reach out to us via social media or our contact information listed on the website.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\">Thanks for reading.&nbsp; Talk to you soon!<\/h4>\n\n\n\n<p>Shawn Adams &#8211; @TBF_shawn 
(twitter)<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Hot, hot, hot . . . Hot Topic! (PCI version 4) If you read the title to this blog to the cadence of the hot chocolate song from the Polar Express, well done \u2013 you win!\u00a0 I have no idea what you won, so let\u2019s just call it bragging rights.\u00a0 Ok, enough of me and &hellip; <\/p>\n<p class=\"link-more\"><a href=\"https:\/\/terrabytefoundry.com\/blog_s\/2022\/09\/04\/hello-world-pci-payment-card-industry-qsa\/\" class=\"more-link\">Continue reading<span class=\"screen-reader-text\"> &#8220;Hot, hot, hot . . . Hot Topic! (PCI version 4)&#8221;<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"nf_dc_page":"","om_disable_all_campaigns":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[8,5,7,6],"tags":[],"class_list":["post-1","post","type-post","status-publish","format-standard","hentry","category-assurance","category-pci","category-shawn","category-version-4"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v27.4 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>Hot, hot, hot . . . Hot Topic! (PCI version 4) - Shawn&#039;s Blog PCI<\/title>\n<meta name=\"description\" content=\"Brief introduction to start a new series outlining the upcoming changes expected in PCI PCI v4. This is the first installment of the series.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/terrabytefoundry.com\/blog_s\/2022\/09\/04\/hello-world-pci-payment-card-industry-qsa\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Hot, hot, hot . . . Hot Topic! 
(PCI version 4) - Shawn&#039;s Blog PCI\" \/>\n<meta property=\"og:description\" content=\"Brief introduction to start a new series outlining the upcoming changes expected in PCI PCI v4. This is the first installment of the series.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/terrabytefoundry.com\/blog_s\/2022\/09\/04\/hello-world-pci-payment-card-industry-qsa\/\" \/>\n<meta property=\"og:site_name\" content=\"Shawn&#039;s Blog\" \/>\n<meta property=\"article:published_time\" content=\"2022-09-05T04:37:00+00:00\" \/>\n<meta name=\"author\" content=\"TBF_Shawn\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"TBF_Shawn\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"6 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/terrabytefoundry.com\\\/blog_s\\\/2022\\\/09\\\/04\\\/hello-world-pci-payment-card-industry-qsa\\\/#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/terrabytefoundry.com\\\/blog_s\\\/2022\\\/09\\\/04\\\/hello-world-pci-payment-card-industry-qsa\\\/\"},\"author\":{\"name\":\"TBF_Shawn\",\"@id\":\"https:\\\/\\\/terrabytefoundry.com\\\/blog_s\\\/#\\\/schema\\\/person\\\/588d52e259ebeabac260cbb21bb1aeb4\"},\"headline\":\"Hot, hot, hot . . . Hot Topic! 
(PCI version 4)\",\"datePublished\":\"2022-09-05T04:37:00+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/terrabytefoundry.com\\\/blog_s\\\/2022\\\/09\\\/04\\\/hello-world-pci-payment-card-industry-qsa\\\/\"},\"wordCount\":1204,\"commentCount\":76,\"articleSection\":[\"Assurance\",\"PCI\",\"Shawn\",\"version 4\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\\\/\\\/terrabytefoundry.com\\\/blog_s\\\/2022\\\/09\\\/04\\\/hello-world-pci-payment-card-industry-qsa\\\/#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/terrabytefoundry.com\\\/blog_s\\\/2022\\\/09\\\/04\\\/hello-world-pci-payment-card-industry-qsa\\\/\",\"url\":\"https:\\\/\\\/terrabytefoundry.com\\\/blog_s\\\/2022\\\/09\\\/04\\\/hello-world-pci-payment-card-industry-qsa\\\/\",\"name\":\"Hot, hot, hot . . . Hot Topic! (PCI version 4) - Shawn&#039;s Blog PCI\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/terrabytefoundry.com\\\/blog_s\\\/#website\"},\"datePublished\":\"2022-09-05T04:37:00+00:00\",\"author\":{\"@id\":\"https:\\\/\\\/terrabytefoundry.com\\\/blog_s\\\/#\\\/schema\\\/person\\\/588d52e259ebeabac260cbb21bb1aeb4\"},\"description\":\"Brief introduction to start a new series outlining the upcoming changes expected in PCI PCI v4. 
This is the first installment of the series.\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/terrabytefoundry.com\\\/blog_s\\\/2022\\\/09\\\/04\\\/hello-world-pci-payment-card-industry-qsa\\\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/terrabytefoundry.com\\\/blog_s\\\/2022\\\/09\\\/04\\\/hello-world-pci-payment-card-industry-qsa\\\/\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/terrabytefoundry.com\\\/blog_s\\\/2022\\\/09\\\/04\\\/hello-world-pci-payment-card-industry-qsa\\\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/terrabytefoundry.com\\\/blog_s\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Hot, hot, hot . . . Hot Topic! (PCI version 4)\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/terrabytefoundry.com\\\/blog_s\\\/#website\",\"url\":\"https:\\\/\\\/terrabytefoundry.com\\\/blog_s\\\/\",\"name\":\"Shawn&#039;s Blog\",\"description\":\"Shawn&#039;s Thoughts and 
Ramblings\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/terrabytefoundry.com\\\/blog_s\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/terrabytefoundry.com\\\/blog_s\\\/#\\\/schema\\\/person\\\/588d52e259ebeabac260cbb21bb1aeb4\",\"name\":\"TBF_Shawn\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/5acf07715e5622368f9bc851369ef517917f409c14615da93434e0dcf7bbed28?s=96&d=mm&r=g\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/5acf07715e5622368f9bc851369ef517917f409c14615da93434e0dcf7bbed28?s=96&d=mm&r=g\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/5acf07715e5622368f9bc851369ef517917f409c14615da93434e0dcf7bbed28?s=96&d=mm&r=g\",\"caption\":\"TBF_Shawn\"},\"sameAs\":[\"https:\\\/\\\/terrabytefoundry.com\\\/blog_s\"],\"url\":\"https:\\\/\\\/terrabytefoundry.com\\\/blog_s\\\/author\\\/tbf_shawn\\\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Hot, hot, hot . . . Hot Topic! (PCI version 4) - Shawn&#039;s Blog PCI","description":"Brief introduction to start a new series outlining the upcoming changes expected in PCI PCI v4. This is the first installment of the series.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/terrabytefoundry.com\/blog_s\/2022\/09\/04\/hello-world-pci-payment-card-industry-qsa\/","og_locale":"en_US","og_type":"article","og_title":"Hot, hot, hot . . . Hot Topic! (PCI version 4) - Shawn&#039;s Blog PCI","og_description":"Brief introduction to start a new series outlining the upcoming changes expected in PCI PCI v4. 
This is the first installment of the series.","og_url":"https:\/\/terrabytefoundry.com\/blog_s\/2022\/09\/04\/hello-world-pci-payment-card-industry-qsa\/","og_site_name":"Shawn&#039;s Blog","article_published_time":"2022-09-05T04:37:00+00:00","author":"TBF_Shawn","twitter_card":"summary_large_image","twitter_misc":{"Written by":"TBF_Shawn","Est. reading time":"6 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/terrabytefoundry.com\/blog_s\/2022\/09\/04\/hello-world-pci-payment-card-industry-qsa\/#article","isPartOf":{"@id":"https:\/\/terrabytefoundry.com\/blog_s\/2022\/09\/04\/hello-world-pci-payment-card-industry-qsa\/"},"author":{"name":"TBF_Shawn","@id":"https:\/\/terrabytefoundry.com\/blog_s\/#\/schema\/person\/588d52e259ebeabac260cbb21bb1aeb4"},"headline":"Hot, hot, hot . . . Hot Topic! (PCI version 4)","datePublished":"2022-09-05T04:37:00+00:00","mainEntityOfPage":{"@id":"https:\/\/terrabytefoundry.com\/blog_s\/2022\/09\/04\/hello-world-pci-payment-card-industry-qsa\/"},"wordCount":1204,"commentCount":76,"articleSection":["Assurance","PCI","Shawn","version 4"],"inLanguage":"en-US","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/terrabytefoundry.com\/blog_s\/2022\/09\/04\/hello-world-pci-payment-card-industry-qsa\/#respond"]}]},{"@type":"WebPage","@id":"https:\/\/terrabytefoundry.com\/blog_s\/2022\/09\/04\/hello-world-pci-payment-card-industry-qsa\/","url":"https:\/\/terrabytefoundry.com\/blog_s\/2022\/09\/04\/hello-world-pci-payment-card-industry-qsa\/","name":"Hot, hot, hot . . . Hot Topic! (PCI version 4) - Shawn&#039;s Blog PCI","isPartOf":{"@id":"https:\/\/terrabytefoundry.com\/blog_s\/#website"},"datePublished":"2022-09-05T04:37:00+00:00","author":{"@id":"https:\/\/terrabytefoundry.com\/blog_s\/#\/schema\/person\/588d52e259ebeabac260cbb21bb1aeb4"},"description":"Brief introduction to start a new series outlining the upcoming changes expected in PCI PCI v4. 
This is the first installment of the series.","breadcrumb":{"@id":"https:\/\/terrabytefoundry.com\/blog_s\/2022\/09\/04\/hello-world-pci-payment-card-industry-qsa\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/terrabytefoundry.com\/blog_s\/2022\/09\/04\/hello-world-pci-payment-card-industry-qsa\/"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/terrabytefoundry.com\/blog_s\/2022\/09\/04\/hello-world-pci-payment-card-industry-qsa\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/terrabytefoundry.com\/blog_s\/"},{"@type":"ListItem","position":2,"name":"Hot, hot, hot . . . Hot Topic! (PCI version 4)"}]},{"@type":"WebSite","@id":"https:\/\/terrabytefoundry.com\/blog_s\/#website","url":"https:\/\/terrabytefoundry.com\/blog_s\/","name":"Shawn&#039;s Blog","description":"Shawn&#039;s Thoughts and Ramblings","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/terrabytefoundry.com\/blog_s\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Person","@id":"https:\/\/terrabytefoundry.com\/blog_s\/#\/schema\/person\/588d52e259ebeabac260cbb21bb1aeb4","name":"TBF_Shawn","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/secure.gravatar.com\/avatar\/5acf07715e5622368f9bc851369ef517917f409c14615da93434e0dcf7bbed28?s=96&d=mm&r=g","url":"https:\/\/secure.gravatar.com\/avatar\/5acf07715e5622368f9bc851369ef517917f409c14615da93434e0dcf7bbed28?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/5acf07715e5622368f9bc851369ef517917f409c14615da93434e0dcf7bbed28?s=96&d=mm&r=g","caption":"TBF_Shawn"},"sameAs":["https:\/\/terrabytefoundry.com\/blog_s"],"url":"https:\/\/terrabytefoundry.com\/blog_s\/author\/tbf_shawn\/"}]}},"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"_links":{"self":[{"
href":"https:\/\/terrabytefoundry.com\/blog_s\/wp-json\/wp\/v2\/posts\/1","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/terrabytefoundry.com\/blog_s\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/terrabytefoundry.com\/blog_s\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/terrabytefoundry.com\/blog_s\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/terrabytefoundry.com\/blog_s\/wp-json\/wp\/v2\/comments?post=1"}],"version-history":[{"count":4,"href":"https:\/\/terrabytefoundry.com\/blog_s\/wp-json\/wp\/v2\/posts\/1\/revisions"}],"predecessor-version":[{"id":20,"href":"https:\/\/terrabytefoundry.com\/blog_s\/wp-json\/wp\/v2\/posts\/1\/revisions\/20"}],"wp:attachment":[{"href":"https:\/\/terrabytefoundry.com\/blog_s\/wp-json\/wp\/v2\/media?parent=1"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/terrabytefoundry.com\/blog_s\/wp-json\/wp\/v2\/categories?post=1"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/terrabytefoundry.com\/blog_s\/wp-json\/wp\/v2\/tags?post=1"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}