Preparing for PCI DSS v4.0


    The date when PCI DSS v4.0 becomes effective in 2024 will come all too fast. PCI DSS v4.0 was released in March 2022, but compliance with v4.0 will not be required until two years after its publication date. The extended transition period will allow organizations to migrate to the updated PCI Standard. In support of this, PCI DSS v3.2.1 will be active for 18 months after all PCI DSS v4.0 materials are released. When this transition period ends, PCI DSS v3.2.1 will be retired, and PCI DSS v4.0 will become the only active version. In addition to the 18-month period when PCI DSS v3.2.1 and PCI DSS v4.0 will both be active, there will be extra time for phasing in new requirements that are identified as “future dated” in PCI DSS v4.0.

    Those working to upgrade their compliance environments may think they have ample time to resituate their controls. But with such significant changes, including the customized approach, you can’t start to prepare soon enough.


    It’s imperative to start asking the most important question now: “What steps does my organization need to start taking to prepare for the transition?” 


    Supporting data security by aligning your goals

    The PCI SSC created the standardized compliance requirements to help organizations develop habits of data security best practices. The intent of the PCI DSS is for requirements to be consistently followed to better align, design, prioritize, implement and maintain goals that result in an effective, sustainable control environment. This intent may be more explicit than what was recommended in previous versions of the PCI Standard.

    Since the release of PCI DSS v1.0 in 2004, most organizations have continued to struggle with achieving and maintaining effective, sustainable payment card data security. Those that succeed in maintaining all their PCI DSS requirements year-round—rather than performing ongoing remediation for the sake of passing an annual assessment—implement a strategy and design based on sustainable, well-developed goals. That’s because once you clarify your goals, you can more easily implement a custom control and validation design.

    PCI DSS v4.0 places increased emphasis on this transition to security as a business-as-usual culture, including increased gathering of validation information over a period of time to encourage continuous security processes. 

    Correcting the slow implementation of sustainable control environments

    Payment card data is one of the data types most highly sought after by external and internal threat actors, because it’s one of the easiest data types to monetize. Yet, even within these highly sensitive environments, organizations remain slow to implement strategies that result in sustainable control effectiveness.

    Many move into action only when: 

    • There is a real pressure to improve, typically in the aftermath of a confirmed payment card data breach
    • It finally becomes obvious to organization leadership that there’s no remedy within their existing security and compliance paradigm; they have tried everything else without results
    • Professional help is introduced to help the CISO and steering committee accomplish first steps, with a clear outline of a how-to strategy that focuses on the right things, in the right manner, at the right time

    Managers and their teams are generally so overwhelmed with security and compliance challenges that they tend to concentrate on corrective actions they know how to take—not necessarily ones that should be corrected. But PCI DSS v4.0 introduces requirements for ongoing compliance and improvements.

    For the application of PCI DSS v4.0 to improve processes and be effective, organizations must first know what to change. Many different approaches to designing the management of a compliance program exist. The key question is: Which is most effective and efficient? 

    To make those decisions, teams need a high-quality, repeatable process with a clear understanding of the correct priorities, and the requirements and conditions necessary to achieve the objectives that lead to the end goal.

    As discussed in the previous section, it’s very important for organizations to carefully consider the actual goals of their GRC program, their security and compliance program strategy, and supporting programs. It requires time and effort to design goals and communicate them with clarity. This leads to the next important step in the process: the requirements for achieving the goals. Without clarity on what the success factors and necessary conditions are to attain the goals, organizations are far less likely to achieve them. On page 86, we discuss what the goal of a PCI security compliance program should be.

    The lack of clear goals and a keen strategic defense plan leads to permeable security design. CISOs and security managers need to take time to consider their organization’s specific needs and work out solutions, rather than rush straight into implementing the new requirements. Each new and updated requirement should be carefully examined. Before project managers assign tasks to resources, they need to understand the scope of the project—the goals and objectives, their requirements and constraints.

    Developing sustainable control design solutions

    Well-designed data security and compliance solutions too often become secondary or tertiary considerations as security planners and technicians scramble to address staffing shortages and a plethora of email alerts. Annual compliance validation projects may be perceived as successful simply because controls not in place were remediated to receive the coveted final annual DSS Report on Compliance (ROC). This approach falls far short of meeting the intent of the PCI DSS.