PCI DSS 4.0: How to Ensure You're in Compliance

PCI DSS 4.0: How to Ensure You're in Compliance

Trust is at the heart of every credit card transaction. When customers provide a company with their credit card information, they trust that their data will be processed, stored, and transmitted securely. To ensure that businesses meet that expectation, Visa, MasterCard, American Express Discover, and JCB, alongside the PCI Security Standards Council, created the Payment Card Industry Data Security Standard or PCI DSS for short.

PCI DSS v4.0 was officially released in March 2022. To help ensure smooth adoption, the previous standard, PCI DSS v3.2.1, will remain in place for two years after supporting materials related to PCI DSS v4.0 are released. During this period, the PCI Security Standards Council recommends that organizations use the time to study v4.0, review and update their templates and forms accordingly, and focus on adopting changes to comply with the standard. Consult the PCI DSS v4.0 Resource Hub for a summary of the changes between PCI DSS v3.2.1 to v4.0, an “at a glance” overview of the new standard, and additional documents and educational resources to help organizations become familiar with PCI DSS v4.0. This article provides four steps to help your organization revisit its ability to comply with PCI DSS v3.2.1 and prepare for PCI DSS v4.0.

Source: PCI DSS v4.0 Implementation Timeline, www.pcisecuritystandards.org.

How to Ensure You’re in Compliance with PCI DSS v4.0 — and Beyond

By following four key steps — familiarize yourself with the next version of the standard, conduct a current state analysis of your compliance with PCI DSS, identify and resolve shortcomings quickly, and embrace the need for continuous improvement — your organization can ensure compliance with PCI DSS in its current form and as it evolves.

 1. Familiarize yourself with the next version of the standard

Ensuring compliance with a new compliance regime starts with an in-depth review of the latest version of the standard. Make sure you understand what’s being removed, added, and the overall changes to determine how these might impact your business and ability to comply. Of the changes in PCI DSS v4.0, two that stand out involve implementation and authentication. 

Custom Implementation: PCI DSS v4.0 introduces customized implementation, allowing organizations to develop their own security controls to satisfy an objective. Custom implementation is when a control objective is met through the intent of the requirement, but not performing the control as written. Overall, this means that the PCI DSS requirements are no longer prescriptive, and gives businesses increased flexibility around the control procedures and how requirements are met. For external assessors, PCI-DSS v4.0 documentation will need to be thoroughly reviewed, and each control tested for operational effectiveness with relation to how it uniquely supports the business. For most organizations, this change will require a shift in how they approach their PCI compliance effort. Organizations will be directly impacted by the use of custom implementation procedures without business or technical justification to meet the intent of any control.

Authentication: Another focal point for the new changes coming to PCI-DSS v4.0 is authentication. Specifically v4.0 aims to use NIST password guidelines to apply stronger authentication standards for access. Security groups will need to assess how these password standards will be implemented across their organization. NIST provides recommendations to ease user-burden and reduce the chance of human error opening vulnerability to cyberattacks. Organizations will need to reevaluate their current passwords to ensure that they are meeting the updated requirements.

Since PCI DSS v3.0 was released, there has been a large transition to cloud computing. PCI DSS v4.0 changes will include enhanced methodology to effectively evaluate whether controls related to the cloud are implemented and operating effectively. 

2. Conduct a current state analysis of your compliance with PCI DSS.

Before complying with a new standard, ascertain your compliance with the existing standard. This assessment is critical as most compliance standards use the previous standard as the foundation for subsequent releases. Consider organizing your assessment by analyzing people, process, and technology. 

  • People: A thorough assessment of people can mitigate the likelihood of a threat (insider, bad actor) from exploiting cardholder data. PCI DSS v3.2.1 requires limiting access to cardholders’ data on a need-to-know basis. While this is a basic requirement, if it is not currently in place, it will hinder your organization’s ability to comply with PCI DSS v4.0. 
  • Process: It is also vital to understand your current process for risk and compliance. For example, user access reviews (UAR) are important control procedures to perform on a recurring frequency to identify and review privileged accounts across your organization’s systems, or applications. It’s critical not only for security and IT leaders, but all employees, to be self-aware of the role they play in maintaining confidentiality, integrity, and availability of sensitive information. 
  • Technology: Consider assessing your organization’s technology across the enterprise. PCI DSS v4.0 focuses on security as a continuous monitoring activity. Implementing the right integrated compliance management software can position your organization to effectively mitigate risk to your network, infrastructure, and data.

3. Identify and resolve shortcomings quickly.

There will be a transition period to help organizations prepare, and you should use that time wisely to remediate any shortcomings identified by your current state analysis. Ensure there’s a sense of urgency and clear ownership of problems and their timely resolution. For example, PCI DSS v3.2.1 requires limiting physical access to cardholder data. If your organization lacks a physical access control system, identifying and installing a suitable solution will take time.

Effective Third-Party Risk Management: Key Tactics and Success Factors

 4. Embrace the need for continuous improvement.

One of the stated goals of PCI DSS v4.0 is to promote security as a continuous process. Threats evolve at a far faster rate than the rules and regulations to mitigate the risk. Whether it involves compliance with PCI DSS v4.0 or another rule or regulation, adopting a continuous improvement mindset can help uncover control gaps and weaknesses before insiders or third parties exploit them.

When it comes to compliance, change is constantly on the horizon. Compliance with PCI DSS is crucial to retaining your customers’ trust, avoiding the inadvertent loss or exposure of sensitive credit card information, and thwarting the never-ending stream of attacks from cybercriminals. The steps provided above can help your organization prepare for the evolution of PCI DSS standards and pave the way for compliance. While striving for continuous improvement, having the right technology in place makes the process far more efficient and organized. AuditBoard’s CrossComply enables organizations to use the Unified Compliance Framework (UCF) to perform real-time gap assessments against their environment and the PCI DSS framework. By streamlining workflow capabilities to perform the necessary self-assessments, your business will be ready to comply with the updated PCI DSS v4.0 standard. 

Elliott Bostelman

Elliott Bostelman, CDPSE, is a Manager of Compliance Solutions at AuditBoard. Elliott joined AuditBoard from Deloitte, where he provided consulting services over information security management, risk advisory, and GRC implementation & modernization. He also serves in the US Army Reserves, focusing on cyber operations, network defense, and information technology. Connect with Elliott on LinkedIn.

Madison Dreshner

Madison Dreshner, CISA, is a Manager of Compliance Solutions at AuditBoard. Madison joined AuditBoard from PwC, where she specialized in external reporting for a wide array of clients, including SOC 1 & 2 reporting, as well as SOX compliance. Connect with Madison on LinkedIn.

Related Articles