PCI DSS 4.0 will replace the current operating version on March 31, 2024, and while most of the changes are a simple codification of best practices, it’s important for organizations to have important conversations about those changes internally and with their service providers now.
Learn how the changes in PCI DSS 4.0 might affect your organization, and how much complying with those changes might cost, in this Executive Q&A with Steve Akers, CSO and CTO of TECH LOCK, Inc.
Erin Kerr (EK) (00:07): Hi everyone. And thank you for joining me for this episode of our Executive Q&A. I am here today with Steve Akers, CSO and CTO of TECH LOCK Inc. Steve, how are you doing today?
Steve Akers (SA) (00:18): I'm doing great. How are you?
EK (00:19): I am doing really well. Today, we're going to talk a little bit about what you need to know about PCI DSS 4.0.
Before we get started, why don't you tell us a little bit about yourself?
SA (00:31): As mentioned, I'm the Chief Security and Technology Officer here at TECH LOCK. I've been doing cyber security and compliance for 25 plus years. I've been a serial entrepreneur and I’ve been in the space for a really long time, from both sides of the table, whether on the end-customer side,or on a service provider side. I've seen both of those areas and bring a lot of experience to this discussion.
EK (01:00): I'm excited to get into the topic. Before we get into some of the more difficult questions, why don't you tell me: what is PCI DSS 4.0?
SA (01:11): The Payment Card and Industry Data Security Standard has been around for a long time, and it goes through iterations.
The most current, active iteration is 3.2.1. It's been out there for a while, and every so often the PCI Security Standard Council will go through review and decide it's time to update it, it’s time to modernize the standard to better align it with modern threats and attacks and different types of security technologies that are available. 4.0 is the most recent one, which was released a little bit earlier this year.
EK (01:44): It sounds like the industry has been operating at the same standard for a while, so making a transition might be difficult for some people. How hard will that transition be?
SA (01:57): The biggest concern for most clients will be the new requirements. There are 13 new requirements that are effective for anyone who wants to be assessed under 4.0, but the remainder of those new requirements really aren't applicable until March of 2025. So, you have some time.
[Of the 13 new requirements] most are focused on things like better documentation, assignment, and training related to roles and responsibilities. For many organizations, this has been part of their overall good cybersecurity practices anyway, so it shouldn't be too difficult to achieve. Even if they haven't been doing that, for the remainder [of requirements] that are effective in March of 2025, there are definitely some more technical and procedural controls that will require planning and discussion, much like what happened when PCI DSS first came onto the scene. The lead time should be enough for organizations to meet these [new requirements]. The key will ultimately be not to wait until the last minute, and having a plan for moving your organization forward.
EK (03:05): It sounds like there's a little bit of time to prepare, but how much change will this cause in our environment?
SA (03:12): The first thing to consider when answering that question is “what’s changed in the standard itself?”
There are over 70 evolving requirements, which means that fundamentally, they're asking organizations to do something different than before, either through a new requirement entirely, or by adding a bullet point to a previous requirement.
Of those new requirements, around 47% are really policy and procedure related. 41% will be technology related, meaning there's something new that they’ll need to do from a technical perspective. Thirteen are what I call assessment related. There's additional assessments that they want you to [be prepared for]. Policy procedures and assessment components are changes, but I don't think that they're daunting for anyone who is already compliant.
As I mentioned earlier, the technical requirements will have some impact and really require organizations to modernize how they're protecting their environments, their users, and how they protect what's called the CDE or pan data.
When you kind of move out of the requirements, the next category is what they call classification or guidance. What this really means is that the requirement hasn't changed; rather the Security Standards Council felt that they needed to clear things up. They’re getting rid of some of the interpretation. For example, if you look at an old requirement like 1.7, basically it says you need to review your firewall rules every six months. Most people understand that, but what it didn't say is what you should really be looking for during that review. Now in 4.0, that requirement is now 1.2.7, and it replaces the word firewall with NSC or network security controls. They did that because they wanted to encompass cloud environments that don't have the traditional kind of firewall that most people are used to.
The guidance makes it more clear what you should be reviewing. Arguably in 4.0, what they're asking for here is probably what you should have been doing all along. For organizations that have been doing this properly, the change shouldn’t be difficult, but [the change] gives more guidance, which I think is really important. Ultimately the remainder of the changes that are included in the standard are really more structural, and really don't have any material impact for anyone that's already compliant
EK (05:43): Well, that's good news. It sounds like it's a codification of what most folks should already be doing, which leads me to my next question. How much more is this going to cost?
SA (05:54): We get that question asked all the time and I wish it was more clear cut, but it really comes down to a few concepts.
First, it’s about internal technologies. Organizations that have leveraged technologies that are not modern, like a legacy antivirus, or a basic logging or outdated point of sales or payment card software, etc., may find the cost to be higher to meet 4.0 organizations. They need to begin looking at all of these soon so they can prepare. Sometimes upgrading is the best path, but organizations have been reluctant to upgrade if everything worked and it met the requirements, so 4.0 is forcing those changes.
The second concept is really about your service providers. Organizations need to get ahead of 4.0 and their service providers now to understand if and how those service providers plan to, or are currently meeting 4.0 requirements. A number of the new requirements are very specific to service providers. So [organizations] need to get enough clarity from those service providers that allows them to properly plan for the changes and version upgrades, maybe even changing service providers if they don't like the answers. Obviously if you do some of those things, that could incur costs that were not necessarily in the original plan.
The last concept is really around risk analysis and testing requirements earlier. Depending upon your maturity and confidence, this may be something that you would've liked to have that you might want to have accomplished by a third party. It’s certainly not required, but this could be an additional cost. Even if it's to build it out for the first time, that was not necessarily something that [an organization] budgeted for.
As for any absolute number of ranges, unfortunately, there's just not enough data and evidence to give a realistic gauge to say exactly how much it will cost, because it can vary so widely, given some of the concepts that I've talked about.
EK (07:52): It sounds like it will really depend on the size of the organization and what that organization needs, and how far they are already along in compliance
SA (08:00): Certainly.
EK (08:03): I think you might have mentioned this a little bit earlier, but when are we required to be assessed against version 4.0?
SA (08:11): First, no one can be officially assessed until the actual QSAs have been properly trained in 4.0. Even though it's been released they're supposed to be kick off the training here in Q2.
But right now, no one will have to officially align with 4.0 until Q1 of 2024. What I've been telling clients and other people that we've been talking to is that by the end of 2023, you want to make sure that you have all your ducks in a row, and that you have everything set and aligned with 4.0. Like I said, with 4.0, there are 13 new requirements that are effective immediately if you're going to measure yourself under 4.0. Then there's another subset of requirements that are effectively required by March of 2025.
You've got some time, but the first date that will really matter for most organizations is Q1 of 2024.
EK (09:17): Like you mentioned, [organizations] have some time to get their ducks in a row, but I think sometimes those far off deadlines can be a bit of a curse, because folks don't see [those deadlines] as an emergent need. Then all of a sudden that deadline is knocking on the door.
Steve, is there anything else you'd add for the audience about PCI DSS 4.0?
SA (09:39): I think you touched on it. [Organizations] should start planning now. Some of these things will be different than what they've already had in place today. If you're not sure about how certain requirements apply, or if you have the technology that would even align with this [requirement] you should reach out to your trusted advisors and ask those questions. Certainly we would love to be part of that too, but if you've got somebody that you really trust to go, talk to them now to get ahead of it.
As I alluded to earlier, all the other people that are part of your cardholder environment and part of your payment processing, etc., [get those conversations] set up today. So that way you’ll know what their lead time might be and whether or not that could theoretically impact your organization.
EK (10:23): That's great advice, Steven. Thank you so much for talking with me about this really important topic that people should really get in front of, especially as, like I said, those deadlines come knocking.
Thanks so much again for your time, and thanks to the audience for tuning to this episode of Executive Q&A.