PCI DSS v4.0: The Lowdown for Business Leaders

We’ll be the first to admit it: When it comes to the Payment Card Industry Data Security Standard (PCI DSS), we’ve been far from silent. Rather, over the past few months, we’ve used this blog to address the myriad changes brought to the table by the recent debut of PCI DSS v4.0. But bear with us for a bit longer. The Forbes Technology Council has published a list of essential things business leaders need to know about the new standard as well as recommendations for complying with it. We think the information is well worth sharing.

“While the enforcement date of March 31, 2024, may seem far off, now is a critical time for business leaders, IT security personnel, and compliance officers to begin planning”, writes Council Member Stephen Cavey, author of the list and co-founder/chief evangelist at Ground Labs, a firm that specializes in enabling organizations to discover and remediate their data across multiple types and locations (servers, desktops, and the cloud). “It’s time to evaluate your compliance status, understand any roadblocks to maintaining compliance, and educate staff especially those at the boardroom table about the changes introduced” in the new version.

Biggest Changes in a Nutshell

The PCI DSS has traditionally focused on threats and vulnerabilities posed by current and emerging technologies, according to the Council. However, v4.0 is somewhat different in that it places a heightened emphasis on security and promotes flexible data practices within organizations’ wider security posture. It also:

• Recognizes that emerging technologies aren’t always a good fit for a “rigid, prescriptive control framework” and, in turn, introduce more flexibility to compliance through a customized approach;
• Sets out best password management practices and mandates multi-factor authentication for all access to the cardholder data environment (CDE);
• Requires service providers to revalidate their scope every six months, with all cardholder data locations identified, and designate entities to perform quarterly data discovery exercises;
• Calls for enhanced monitoring, including automated log reviews conducted with log analyzers and security identification and event management (SIEM) solutions; leveraging authenticated scans to improve vulnerability scan results; and ensuring that service providers support customer penetration testing;
• Mandates more frequent testing in keeping with the Designated Entities Supplemental Validation (PCI DSS Appendix A3).

No Shortcuts, Just Smart Steps

These changes notwithstanding, PCI DSS compliance is a journey along a route that is “always evolving”, with no shortcuts worth taking, according to the Council. Still, group members believe there are savvy steps organizations can take to ease the road to PCI DSS v4.0 compliance.  Their recommendations:

• Start on the right foot. This means ensuring compliance with PCI DSS v3.2.1, and, for businesses that have yet to attain it, determining what is preventing them from doing so. Often, according to the Council, noncompliance is a matter of not knowing where all cardholder data resides. “Regular data discovery verifies where your card data is stored and how it moves through your network”, Cavey writes. “Evaluate your systems and processes, remove data you don’t need, and implement controls for the rest”.
• Kick-off with a defined approach. As they begin to migrate to PCI DSS v4.0, merchants should, as much as possible, follow the defined approach laid out in the standard rather than the new customized one. The reason: the customized approach offers flexibility in how controls are met but doesn’t negate the requirement to comply with them. By design, Cavey points out, the customized approach demands “additional evidence and stringent validation during the assessment”. As a result, deviating from the defined approach without a genuine need is a more costly and potentially, more difficult road to compliance.
• Get smart. The complexity of PCI DSS v4.0 is such that merely reading an article or two about it won’t suffice. The Council recommends that businesses engage a specialist to guide them through the new standard item by item and conduct regular training sessions with all employees. Gamifying training and keeping it interactive to help staff members understand the aspects of compliance that are relevant to their job and responsibilities is also a good idea.
• Tap a chief data officer (CDO). Large enterprises, in particular, are jumping on the CDO appointment bandwagon. However, appointing a CDO or at minimum, identifying and empowering internal data experts makes sense for organizations of all sizes; CDOs, in particular, are frequently “well-versed in compliance mandates”, according to the Council. The Council advocates conducting regular check-ins with these individuals and assigning a speaking role during company meetings. Other “must-do’s” that fall under this umbrella include ensuring that each department head has “regular access to and communication with the CDO/internal data expert(s)”. While compliance isn’t a CDO’s sole responsibility, the holder of the CDO title is a critical resource for leading and managing companies’ PCI DSS v4.0 compliance and data security strategy.
• Utilize existing security tools. Larger organizations tend to deploy multiple security tools, many of which are underutilized, poorly configured, and ineffective. Businesses that understand how to harness the capabilities of existing security tools will limit unnecessary investment in tools to support migration to and compliance with PCI DSS v4.0.

E-Complish recently attained PCI DSS recertification for the 13th consecutive year and is dedicated to maintaining and helping merchants maintain strict adherence to the standard and other applicable data standards. Schedule a consultation to learn more about it.