PCI DSS v4.0 navigational points


      1. Do not delay.
        Organizations should not delay preparations to meet the requirements of PCI DSS v4.0. It would be a mistake to believe that it’s not necessary to start your preparations early, even if your organization is fully compliant with PCI DSS v3.2.1.
      2. Start strong—meet PCI DSS v3.2.1 requirements.
        Start from a position of strength. Determine the extent to which you are, or aren’t, following the defined approach for each requirement applicable to your CDE. Evaluate the robustness and resilience of your control systems. Improve your capability to very quickly detect and correct control failures. Determine if each of the requirements is truly meeting the stated security objective of the requirement.
      3. Understand the PCI DSS v4.0 requirements.
        Review all the PCI DSS v4.0 requirements carefully, taking note of changed controls, controls that were removed, new controls, renumbered controls and future-dated controls. Ensure that you understand the control objective and intent of each requirement in the context of the entire PCI Standard. The biggest impact is within Key Requirements 12, 11, 10 and 8 (ranked in order of impact).
      4. Choose your control design and compliance validation option wisely.
        Selecting the customized approach may initially require an increased workload to prepare for the compliance validation of tailored security controls. It could potentially increase control risk, but also offer a more robust, permanent security control solution when compared to a defined approach with compensating controls that require documented justification of a business or technical constraint. (Refer to the 2018 PSR, pages 23 and 41, for examples of how to measure control effectiveness.) Customized controls, as with traditional defined controls, need to show consistent operating effectiveness over long periods of time, without interruption, to meet the objective and intent.
      5. Take care when selecting a customized approach.
        If you opt to follow the customized approach for any portion of your environment, you need to be prepared to manage the scope of work it requires. Controls should be designed to be effective and sustainable within their operating environment. Also, customization requires structured and detailed documentation. Documented evidence should be maintained to substantiate that controls meet the intent of the relevant security objective(s). Whoever gets the job of internally reviewing control effectiveness prior to external validation should be proficient and look at competence, maturity and testing as three key elements. This work is needed for the actual achievement of the task—for controls to be validated and approved.
      6. Use control design and management templates.
        The importance of assessing control effectiveness regularly is obvious. Creating control design documentation in a structured manner is immensely useful but can be time consuming. Developing and consistently applying a standardized control template that generates a control design profile for each required security control or control system is a best practice recommendation for all organizations, particularly if you’re opting to implement a customized control approach. (See additional details under “The necessity and value of control design templates” below.)
      7. Do early validation of control designs.
        Control designs should be shared with assessors (ISAs and QSAs) at the earliest opportunity during the design process to determine if the controls are acceptable to meet the related requirements and security objectives. Without thorough documentation that details the “what,” “when” and “how to” of the design, function, operation, maintenance and evaluation of controls, the approval of a customized control approach could be delayed.
      8. Prepare for ongoing compliance.
        It’s important to define the requirements and constraints for your security team to support the design, implementation and maintenance of ongoing compliance. This requires capacity planning and commitment for teams to support this process, to regularly evaluate, document and report on the control status of the environment throughout the year. The internal recording of evidence of compliance with the PCI DSS should be an ongoing business-as-usual activity.
The necessity and value of control design templates

    The use of tailored security control design templates to create and maintain documented control profiles is, surprisingly, not a common security architecture and management task in organizations. Using templates provides substantial benefits for control system improvement, including the ease, transparency and consistency they bring to designing, deploying, operating and maintaining controls. Templates assist in clarifying functional control specifications and in the early detection of control design and control operation issues. A complete set of documented security control profiles also contributes to the effectiveness and strength of the control environment, providing much-needed perspective on control purpose, function and operational limitations.

    In general, a PCI DSS control profile document should be prepared for each control system and critical individual controls. Typically, it includes the following 12 items:

      1. Control objective
        Defines the applicable control objective(s) of the control or control system and its contribution toward the overall goal
      2. Control owner
        Assigns ownership of, accountability for and responsibilities over the control or control systems
      3. Control function
        Describes the control function, such as management, procedural, or technical and functional boundaries
      4. Control type(s)
        Describes the applicable control types, such as preventative, detective, corrective or directive—or a combination
      5. Architecture
        Defines the control architecture, such as system-specific, common or hybrid, and its contextual application
      6. Control risk
        Describes key risks that the control mitigates, such as using control-to-risk matrix or mapping
      7. Control testing
        Describes or references all applicable, related control test procedures and standards for the control and control system
      8. Implementation
        Specifies implementation scope, control, procedure and dependencies—listing the primary PCI DSS controls and all dependent PCI DSS controls
      9. Operation
        Documents control operation specifications and defines scope, processes, operational dependencies, supporting processes and control support requirements, as well as component impacts on people, systems, processes and third parties
      10. Maintenance
        Defines control maintenance specifications, scope, and maintenance standards and processes
      11. Performance metrics
        Provides a list of PCI DSS key performance indicators (KPIs) and other metrics to measure control performance
      12. Governance
        References related policies, standards, frameworks and regulations
    (For more details on documenting control profiles, see the 2018 Payment Security Report, page 12.)

    Maintaining control design profiles can have a substantial positive impact on the quality of controls and the control environment. Clear control design and operation specifications establish context and perspective on control performance expectations; identify and communicate design limitations; and list the operating and maintenance requirements of key control systems. Without clearly documented and communicated control profiles, security and compliance teams may lack sufficient direction for early detection and correction of deviations, which could result in control failure. In general, the more detailed the design profiles, the tighter (more consistent and robust) the control and the more predictable its performance.

    The overall outcome of a managed control design process is to enable and promote control effectiveness in terms of consistent, complete, reliable and timely operation. 

    Worth repeating

    Control design requires a systematic method. The PCI DSS defines a set of dependent and interdependent controls that requires customization to every unique control environment in order to be truly effective and sustainable. Without a deliberate and systematic method for control design, the strength of each implemented control depends mostly on the enthusiasm and limited capabilities of the team or person tasked with its implementation, not the actual establishment and measurement of control strength and sustainability requirements that conform to industry and internal standards.

    Gaps typically exist in areas of control dependency. There is no single PCI DSS control that operates and achieves its objectives independent of all other controls in the Standard. This point is so important that it’s worth repeating. The problems associated with organizations implementing out-of-the-box PCI DSS controls are well known. People assume that controls will work well and do not need design, refinement and management as part of a control system. Yet, things often have to go wrong before organizations take action and actually evaluate control designs and implement supporting processes to make sure the controls operate as intended and in a sustainable manner.

    When conducting a compliance validation assessment, QSAs are often surprised by how organizations willingly tolerate routine security control operation and design errors. In such cases, management often continues to accept low but persistent levels of control and compliance errors as inevitable and acceptable, even when they are not difficult to avoid.

    Project management is key for a successful transition to PCI DSS v4.0.

    In the 2020 PSR, we emphasized that no PCI security program should be implemented without a strategic plan in place. It’s essential to develop, define and clearly communicate the program’s sense of purpose: the prioritized goals and objectives, and how resources will be directed toward a clear goal. All stakeholders should operate with clear direction and consistent coordination among teams.

    Surprisingly, what we see in organizations that fail to maintain their PCI DSS controls, even those that have been assessed for multiple years, is that maintaining firm control over program and project management is still a challenge. Since PCI DSS 4.0 will require widespread changes for most organizations, all are advised to apply and adhere to fundamental project management principles. In the past, each major update to PCI DSS increased the risk of producing work based on invalid assumptions, such as misinterpretation of DSS security controls or duplication of effort. This can and should be avoided.

    It’s puzzling to learn how common it is for many organizations to initiate annual PCI security projects with little to no change implementation plan. A change implementation plan—which isn’t separate from the project plan but is part of it—increases cooperation across all teams, supports buy-in and ensures change actions are undertaken by relevant people.

    Also in the 2020 PSR, we discussed at length Trap 4, “Falling short on sound strategic design,” and Trap 5, “Deficient strategy execution.” A good strategic plan for your security compliance program won’t do any good without appropriate structure, process and organizational alignment to ensure leadership support, real commitment and adequate communication. The initiation of a PCI security project should be preceded by confirmation of the overall security and compliance goals and objectives, followed by a revisiting of security and compliance strategy (the approach to direct resources to achieve the goals) and alignment with supplemental frameworks. All PCI security projects should be managed as part of a long-term program. 

    At a high level, four basic program and project management steps that can help support a successful PCI DSS 4.0 implementation are sometimes overlooked.

    Step 1: Sponsorship and accountability

    The accountability for the success of a PCI DSS project should not reside in one individual acting as the sole sponsor. Every manager with direct reports that participates in the project or is impacted by the project should share responsibility and proportional accountability for the success of the project. Commitment and active participation are of vital importance to the functioning of a project team. A change implementation plan should have an explicit strategy for securing a formal level of commitment at the beginning, middle and end of the project life cycle.

    Step 2: Readiness

    Project readiness measures and reports the state of preparedness to ensure a project is primed for development, implementation and execution to completion as planned. Building readiness is not a check-the-box activity that gets crossed off your list and forgotten. A project readiness management plan provides the disciplined, systematic, process-driven management practice required to ensure that teams are ready to perform their activities. Sources of resistance to change among project participants often differ at various stages of the project (start, middle, end), requiring different strategies and tactics.

    Step 3: Communication

    A communication plan is not the same as a complete implementation plan—it’s just one component. Communicating realistic, clear and measurable goals and objectives, and their requirements, plays a critical role for participants to all be on the same page to avoid misunderstandings. Putting sufficient effort into a PCI DSS v4.0 project communications plan to clearly define, document and communicate project deliverables, priorities and milestones is also essential. Include feedback loops to gather reactions to both the content of the change and how the change is being implemented.

    Step 4: Reinforcement

    It’s vital to understand the symptoms and root causes of a project in trouble. Project management reinforcement and support processes help identify troubled projects in the early stage of their execution. A reinforcement strategy helps sponsors and project participants apply timely reinforcement at the local level for implementation. This helps with project resource capacity management and task prioritization, and avoids milestones getting pushed out.