
Dissecting PCI DSS 4.0: How Companies Can Prepare to Achieve Compliance

New Measures Will Account for Technological Updates and Allow for Greater Customization.

by Chris Pin
September 22, 2021
in Data Privacy

In many spheres, PCI DSS is like the law of gravity: It affects just about everything. PCI DSS 4.0, the first major update since 2013, is right around the corner. If your business so much as smells cardholder data, this article is for you.

The Payment Card Industry Data Security Standard (PCI DSS) has become the leading security standard for any company that handles payment card data. Any organization that accepts credit, debit or prepaid cards under the American Express, Discover, MasterCard, Visa and JCB brands must maintain PCI DSS compliance. The latest version of the standard, PCI DSS 4.0, will be released in Q1 of 2022, prompting companies to start preparing for what’s ahead. This article discusses the changes in PCI DSS 4.0, including its key priorities and goals, three steps to adhering to PCI DSS 4.0 and tips for successfully maintaining ongoing compliance.


The long-awaited PCI DSS version 4.0 is the first major change to the standard since the end of 2013. While PCI DSS 4.0 is expected to be released in Q1 of 2022, the current PCI 3.2.1 will not be retired until Q1 of 2024. This gives companies plenty of time to finish off any existing reports on compliance (ROCs) while also providing additional time to become compliant with the new 4.0 standards.

Timeline for PCI DSS 4.0 transition
Republished with permission from PCI.

The goals of PCI DSS 4.0 include a focus on persistent, end-to-end personal data protection for processing payments in modern data environments. According to the PCI Security Standards Council, “PCI DSS is being updated to address … stakeholder feedback and to support a range of environments, technologies and methodologies for achieving security.”

Experts agree that version 4.0 is expected to require far more stringent security from credit card processing organizations while allowing greater discretion and freedom as to how implementations meeting these stricter expectations can be customized. Version 4.0 is also positioned to push back more forcefully against the rampant data breaches that have been consistently compromising cardholders’ private and personal data.

Key Differences in PCI DSS 4.0

PCI DSS 4.0 is expected to differ from the current PCI DSS version 3.2.1 in a few key ways. One of the biggest changes is that PCI DSS is giving more leeway regarding “how” an organization can become compliant.

PCI DSS 3.2.1 and its predecessors included not only a series of objectives (e.g., protect cardholder data), but also very specific requirements that dictate exactly how companies must achieve those goals. In other words, the standard is extremely prescriptive. Should a business be unable to follow these prescriptive steps to compliance, it must implement a compensating control. This can often be an extremely time-consuming and costly procedure that requires an organization to go well above and beyond the intent of the primary control itself.

Here are the three main differences in version 4.0:

Customization

PCI DSS 4.0 does keep the existing prescriptive method for compliance, should an organization want to continue with cookie-cutter security. However, 4.0 is replacing compensating controls with an alternate option: customized implementation. Customized implementation takes into consideration the original intent of the objective and allows organizations to design their own security controls to meet it. Once an organization determines the security control for a system, network or other object, it must provide full documentation to enable its PCI Qualified Security Assessor (QSA) to make a final decision on the effectiveness of the control. Should the QSA not accept the control or the documentation, the organization may then be asked to enhance it, alter it or potentially go back to the prescriptive control requirement.

Cloud and Serverless Computing

Another area that’s expected to change will be around the use of cloud and serverless computing. The core controls of the current version 3.2.1 were not designed for modern IT environments that often leverage multi-cloud, on-premises and vendor networks. Version 4.0 will introduce an updated set of requirements and approaches to securing cloud and serverless workloads.

Control Requirements

Organizations can also expect new control requirements, such as an expansion of cardholder data encryption to cover any transmission, including within trusted networks. There is also likely to be a control requirement update regarding multifactor authentication and logins. Given the tremendous advancement in this technology, the PCI Security Standards Council will likely want to see it in use.

A timeline of PCI DSS 4.0 development
Republished with permission from PCI.

The Importance of These Changes

The 12 foundational requirements and list of controls included in PCI DSS 3.2.1 will still be a part of 4.0, but the addition of the customized implementation option introduces new flexibility for companies to use a broader range of methods and technologies to achieve each PCI objective. And, ultimately, organizations might find a more cost-effective or simpler way to comply.

Another potential perk of the ability to build in “unique” controls is added confidence against attacks designed to outmaneuver the more prescriptive approach published by PCI. In addition, organizations that take their data security seriously will be more open to creating their own methods of protecting their cardholder data environments (CDEs).

Three Steps to Adhering to PCI DSS

Complying with PCI DSS can be a complicated journey, and leveraging the assistance of an external consultant or third-party auditor is a wise move. Whether you have the internal resources to run your adherence campaign or bring in outside expertise, the road to PCI DSS compliance can be boiled down to three steps:

Assess: Perform an audit to identify the cardholder data the organization is responsible for, inventory IT assets and business processes involved in payment card processing, and analyze for vulnerabilities.

Remediate: Fix any vulnerabilities uncovered in the assessment stage. If the organization is storing unnecessary cardholder data, take steps to properly dispose of it. For businesses that need to retain cardholder data, consider leveraging an external qualified body for storage or investigate proper remediation techniques, such as redaction and/or encryption.

Report: Assemble and submit any applicable required remediation records and compliance reports.

Ensuring PCI DSS 4.0 Compliance

Once a company has earned PCI DSS compliance validation, it needs to maintain it properly to stay compliant. Maintaining compliance starts by putting checkpoints into the governance, risk and compliance (GRC) or workflow system. Companies should start by asking the various IT teams every 30 days or every quarter for evidence against particular PCI DSS requirements. These checkpoints could be as simple as an automated ServiceNow or JIRA ticket that informs the network engineer or DevOps person that they need to provide specific evidence of an access review, a network drawing or another piece of data. Implementing this strategy can help ensure PCI DSS compliance never becomes a “project,” and it can save a company millions of dollars year over year.

Now, keeping all of this in mind, it’s also important for a company to know what its CDE is. After all, scoping the PCI DSS ROC is roughly 80 percent of the battle. This is an exercise in which a company’s compliance team sits down with the various business units and identifies any system or service that touches, processes, stores or passes any PCI data. This is another critical way to ensure ongoing compliance success.

Preparing for PCI DSS starts with being compliant with the most current version, 3.2.1, then planning for the changes necessary in version 4.0 to adapt to new requirements and security testing. By following the three basic steps outlined and keeping in mind the strategies mentioned above for ongoing compliance, companies will be well on their way to having a seamless transition to PCI DSS 4.0 and also to maintaining compliance in the years to come.


Chris Pin

Chris Pin is the Vice President of Security and Privacy at PKWARE. In this role, Chris drives value and awareness for all PKWARE customers regarding the various challenges that both privacy and security regulations bring to the data-driven world. He works closely with all customers and potential customers to help them better understand how PKWARE solutions best fit into their environments and processes. He also works very closely with many other departments such as sales, marketing, partners, and product to help build brand awareness and product insights.  