Hosted by ControlCase and the PCI Security Standards Council, this 45-minute webinar will cover:
History of PCI DSS (including current version 3.2)
PCI DSS v4.0 High-Level Changes
PCI DSS v4.0 Timeline
Deep Dive into notable changes:
Promote Security as a Continuous Process
Increased Flexibility and Customized Approach
Increased Alignment between PCI ROC and PCI SAQ
Keep up with the security needs of the Payment Industry and landscape (such as MFA/phishing, etc.)
ControlCase Methodology for v4.0
Q&A
11. 2. About PCI Security
Standards Council
(PCI SSC)
12. About the PCI Security Standards Council
Founded in 2006 as a global
forum for payment card industry
security standards.
• Development
• Management
• Education
• Awareness
12
13. PCI SSC Manages Standards, Not Compliance
PCI SSC Does PCI SSC Does Not
• Develop and maintain PCI
Security Standards and
Programs
• Provide training, tools and
educational resources to
support PCI Security
Standards implementation
and compliance
• Manage or enforce PCI compliance
programs
• Each PCI SSC founding payment
brand has its own PCI compliance
program for the protection of its
affiliated payment card account data
• All compliance related questions
should be directed to the applicable
payment card brand
13
23. PCI DSS v4.0 RFC Participation
For all PCI DSS
v4.0 RFCs
RFC 1 in 2019
Over 3,000 comments
from 153 companies
RFC 2 in 2020
Over 1800 comments
from 124 companies
RFC 3 in 2021
Almost 1,300 comments
from 87 companies
6,000+
feedback items
200+ Unique
companies
23
24. Goals for PCI DSS v4.0
• Ensure the standard continues to meet the
security needs of the payments industry
• Add flexibility to support different methodologies
being used to achieve security
• Promote security as a continuous process
• Enhance validation methods and procedures
24
25. The 12 Requirements Remain
PCI Data Security Standard – High Level Overview
Build and Maintain a Secure
Network and Systems
1. Install and maintain network security controls.
2. Apply secure configurations to all system components.
Protect Account Data 3. Protect stored account data.
4. Protect cardholder data with strong cryptography during transmission over open,
public networks.
Maintain a Vulnerability
Management Program
5. Protect all systems and networks from malicious software.
6. Develop and maintain secure systems and software.
Implement Strong Access
Control Measures
7. Restrict access to system components and cardholder data by business need to know.
8. Identify users and authenticate access to system components.
9. Restrict physical access to cardholder data.
Regularly Monitor and Test
Networks
10. Log and monitor all access to system components and cardholder data.
11. Test security of systems and networks regularly.
Maintain an Information
Security Policy
12. Support information security with organizational policies and programs.
…but read carefully because the wording may have changed.
25
26. Defined Approach
• Follows current PCI DSS
requirements and testing procedures
• Suitable for entities with
security implementations that align
with current requirements
• Provides direction on how to meet
security objectives
Validating to PCI DSS v4.0
Add Flexibility for Different Methodologies
26
27. Defined Approach
• Follows current PCI DSS
requirements and testing procedures
• Suitable for entities with
security implementations that align
with current requirements
• Provides direction on how to meet
security objectives
Customized Approach (NEW)
• Focuses on the objective of each PCI
DSS requirement
• Entity determines and implements
controls to meet the objective
• Provides greater flexibility for entities
using different ways to achieve a
requirement’s security objective
• Suitable for entities with robust
security processes and strong risk
management practices
Validating to PCI DSS v4.0
Add Flexibility for Different Methodologies
27
28. Compensating Controls and the Customized Approach
Add Flexibility for Different Methodologies
The entity cannot meet the requirement as stated due to
documented technical or business constraints but has
implemented alternative controls to mitigate the risk.
Compensating Controls
The entity has mature risk-management practices
and chooses to implement different controls that
meet the Customized Approach Objective but
does not meet requirement as stated.
Customized Approach
Compensating controls are not an option with the customized approach.
The entity is expected to implement an effective customized control,
without needing to also implement an alternate, compensating control.
Compensating Controls Customized Approach
28
30. Which Entities Can Use The Customised Approach?
Entities that complete a Self-Assessment Questionnaire are not eligible to use a customized
approach
30
32. Cloud and Other
Technologies
• PCI DSS always had a
goal to remain technology
neutral.
• PCI DSS v4.0 includes
refocused requirements
and new objective
statements.
• New Customized Approach
provides flexibility for
organizations using
different ways to meet
security.
33. The First Step to PCI DSS Validation
Annual PCI DSS Scope Confirmation
12.5.2 PCI DSS scope is
documented and confirmed by
the entity at least once every 12
months and upon significant
change to the in-scope
environment
Annual PCI DSS Scope
review
The first step in preparing for a PCI DSS assessment is for the
entity to accurately determine the scope of the review
33
34. PCI DSS v4.0 Implementation Timeline*
2022
Q1 Q2 Q3 Q4
31 March 2024
PCI DSS v3.2.1
retired
31 March 2025
Future-dated new
requirements
become effective
2024 2025
* All dates based on current projections and subject to change
Transition period from PCI DSS v3.2.1 to v4.0
Official Release:
PCI DSS v4.0 with
validation
documents
ISA/QSA
training and
supporting
documents
2023
Transition period from PCI DSS v3.2.1 to v4.0
Implementation of future-dated new requirements
Q1 Q2 Q3 Q4
Q1 Q2 Q3 Q4 Q1 Q2
34
49. PCI DSS v4.0 Implementation Timeline*
2022
Q1 Q2 Q3 Q4
31 March 2024
PCI DSS v3.2.1
retired
31 March 2025
Future-dated new
requirements
become effective
2024 2025
* All dates based on current projections and subject to change
Transition period from PCI DSS v3.2.1 to v4.0
Official Release:
PCI DSS v4.0 with
validation
documents
ISA/QSA
training and
supporting
documents
2023
Transition period from PCI DSS v3.2.1 to v4.0
Implementation of future-dated new requirements
Q1 Q2 Q3 Q4
Q1 Q2 Q3 Q4 Q1 Q2
49
50. Q1 2022
• PCI DSS v4.0 and validation documents were published 31 March
• RFC feedback summaries will be available in the PCI portal
• Blog and video content planned to introduce v4.0
Q2 2022
• Translations, supporting documents, and training will be available by end of June
• PCI DSS v4.0 Global Symposium
Q3/Q4 2022
• Engagement, stakeholder support
• Additional guidance document updates
51. PCI DSS v3.2.1 to v4.0 Transition
Q3 2022 Q1 2024 Q1 2025
• *End June onwards
• QSA and ISA Transitional
Trainings Available
• All documentation
released
• Organizations can
commence assessments
against v4.0 using
approved QSAs**
*Based on current timeline
** QSAs must have successfully completed v4.0
training prior to undertaking v4.0 assessments
• *31 March 2024
• PCI DSS v3.2.1
retirement
• PCI v4.0 becomes the
exclusive version for use
• *31 March 2025
• New PCI DSS
requirements with future
dates become effective
51
56. THANK YOU FOR THE OPPORTUNITY
TO CONTRIBUTE TO YOUR IT
COMPLIANCE PROGRAM.
www.controlcase.com
contact@controlcase.com
Download PCI DSS 4.0 Cheat Sheet
Schedule PCI DSS Certification Discussion
Editor's Notes
Organizations of all sizes rely on ControlCase’s certification and continuous compliance services to dramatically cut the time, cost and burden out of IT compliance.
Unlike traditional consulting firms, we bring a partnership approach versus an auditor mentality to every engagement. We go beyond the checklist and provide the expertise, guidance and automation needed to more efficiently and cost effectively demonstrate and maintain compliance.
Whether you're looking to satisfy regulatory requirements, meet customer demand or establish confidence with prospective customers, with ControlCase as your compliance partner, your workforce will be free to focus on their strategic priorities, and you’ll eliminate the hassle and reduce the stress associated with certification and continuous compliance.
For background, the Payment Card Industry Security Standards Council is an open global forum created in 2006 by the five major card brands to develop, maintain and manage the PCI Security Standards.
The brands share equally in governance and execution of the PCI Council’s work.
But before I look more deeply into what has been going on, first let me introduce PCI SSC. Our mission is simple to help secure Payment data
How to we go about that
By developing standards and supporting service that drive education, awareness and effective implementation by stakeholders
To help achieve this we have 4 strategic pillars that are aimed at …
Before we go into the changes, wanted to provide a little insight into the development of the standard
Held 3 separate RFCs while v4 was in development: 2 RFCs for the draft Standard and 1 for Validation Documents – includes reporting templates and attestation documents
Incredible amount of input- over 6k comments from more than 200 companies over the course of these feedback periods
In addition to RFCs, also did a survey on ROCs and AOC in 2019 – received about 700 comments from that survey
So you can see this revision is the result of a collaborative effort with the PCI community
Reasons for the updates:
Requirement 1: Updated firewall terminology to network security controls to support a broader range of technologies used to meet the security objectives traditionally met by firewalls.
Requirement 2: broadened wording since requirement 2 has always covered more than vendor supplied defaults – covers secure configurations in general
Requirement 3: broadened wording to emphasize that account data, not just cardholder data, needs to be protected.
Requirement 4: minor rewording to reflect focus on “strong cryptography”.
Requirement 5: updated to clarify that “systems and networks” need protecting from malicious software.
Requirement 6: updated to emphasize software rather than applications.
Requirement 7: updated to include both “system components” and “cardholder data”.
Requirement 10: updated to logs rather that “track” and to include system components.
Requirement 11: updated to clarify requirements’ intended focus on systems and networks.
Requirement 12: updated to emphasize the goal of over-arching policies and procedures.
Two options in the standard now for validating
Flexibility is a big part of v4.0
Stakeholders told us that would like to meet some PCI DSS requirements using different technologies
As a result we explored other options an entit can use to mee a requirement and now there are two approaches
Defined Approach - the traditional method for implementing and validating PCI DSS. In essence, this is what everyone is doing now.
The entity implements security controls to meet the requirement as stated, and the assessor follows the defined testing procedures to verify the requirement is met.
If an entity already has with controls in place to meet a req – and is comfortable with the current methods for validating controls to meet PCI DSS, there is no need to change.
Additionally, the Defined Approach is good for those looking for more specific direction on meeting security objectives – including those who might be new to Information Security or PCI DSS.
The Customized Approach focuses on a PCI DSS requirement’s CA security objective.
The entity determines the controls that are used to meet the stated objective.
The entity’s role with CA is to perform risk analysis and address the risk, define and document controls, and perform its own testing to verify the control is working.
Because each customized implementation is different, there are no defined testing procedures.
Instead, the assessor will be required to carefully evaluate the entity’s CA documentation, and then develop testing procedures that are appropriate to the specific implementation
- And then to perform the tests to validate that the customized controls meet the stated Intent.
This Approach provides entities greater flexibility to use alternate security controls (often meaning new technologies) to meet PCI DSS objectives.
These new technologies often do not fit within the traditional method for implementing and validating PCI DSS.
This takes a lot more effort than the defined approach and is best suited for risk-mature entities with robust security processes.
Many people are familiar with compensating controls, and they are still an option for those using the defined approach.
Compensating controls - for entities that cannot meet a req due to a business or technical constraint. Entities implement an alternative control that mitigates the same risk.
But there is most likely an underlying non-compliant system or process that cannot be addressed.
Often the CA objective cannot be met either.
Customized approach - for entities that have an innovative approach to meet the objective of the req in a different way.
The entity choses to implement a different control that meets the stated CA objective
But the control may not meet the specifics in the PCI DSS requirement itself
CAs require the entity have strong risk management practices and can document exactly how the approach meets the req’s objective.
For compensating controls, appendices still present in the standard with guidance and a template.
Added clarification that a CC cannot be used to retroactively to address a requirement that was missed in the past.
For example, where a task that should have been performed, was not performed, and no action was taken at that time to address it.
For customized approach, Appendices D and E in the standard provide more details on completing CAs and provide templates for the entity to complete (controls matrix and risk analysis templates).
The Customized Approach is not what you do when you hit a problem during your annual assessment.
It is not the responsibility of the QSA to define your Customized Approach
It is your responsibility
It is the responsibility of the QSA to validate your Customized Approach
Customized Approach is not an easier option. It must as a minimum achieve the same level of security as the defined approach provides
The entity and its assessor are expected to work together to ensure
1) they agree that the customized control(s) fully meets the customized approach objective,
2) the assessor fully understands the customized control, and
3) the entity understands the derived testing the assessor will perform
An entity that completes a SAQ is not eligible to use a customized approach.
However, an SAQ-eligible entity may elect to have a QSA or ISA perform their assessment and document it in a ROC Template.
The use of the customized approach may be regulated by organizations that manage compliance programs (for example, payment brands and acquirers).
Therefore, questions about use of a customized approach must be referred to those organizations, including:
for example, whether an entity that is eligible for a SAQ may instead complete a ROC to use a customized approach,
and whether an entity is required to use a QSA, or may use an ISA to complete an assessment using the customized approach.
Information about the use of the Customized Approach can be found in Appendix D and E of PCI DSS v4.0
To highlight some of the guidance we’ve added to v4.0. For instance:
PCI DSS applicability information section
Some PCI DSS requirements may apply for entities that do not store, process, or transmit PAN
Clarified terms account data, CHD, SAD, and PAN are not interchangeable and are used intentionally in PCI DSS
(meaning when we say PAN we mean PAN and not all account data)
PCI DSS and Software Standards
Rewrote this section to cover all PCI software standards
Added new appendix F to discuss role of PCI software standards in helping to address elements of Requirement 6.
Mentions that PA-DSS is retiring in 2022
Added a diagram to “Scope of PCI DSS requirements” section for “Understanding PCI DSS Scoping” – adapted from our scoping information supplement
Third-Party Service Providers
Lots of new guidance (some from existing FAQs) to clarify third party relationships – I encourage you to review this section thoroughly if you haven't already
Description of Timeframes – to clarify frequencies and timeframes specified in PCI DSS requirements, and related expectations.
New section to introduce customized approach (and new appendices at D and E to provide more details about CA)
And this new diagram that you can see on this slide
Replaces content of first page of the Detailed PCI DSS Requirements and Testing Procedures,
Right before the actual requirements and testing procedures starts
Graphic to explain all the parts of the requirements and to define/explain the newly added sections in the Guidance column.
We also reformatted the guidance column that is included in each PCI DSS requirement, adding headers to clarify the content.
And some of the guidance, which was more about how or to which entity the requirement applies, was moved to a new section under a requirement, called Applicability Notes.
And we’ve put the PCI DSS glossary in the standard now, in App G.
We are often asked how PCI DSS supports New Emerging Technologies in payments
PCI DSS has always been technology-neutral,
- The requirements are intended to apply to all types of environments.
Even if a type of technology is not specifically called out in the standard, the intent of the security requirements is still applicable.
Version 4.0 – we refocused requirements and added objective statements to better emphasize its broad applicability to technologies of all types.
In addition, PCI DSS v4.0 includes the Customized Approach for most requirements, specifically to provide entities that have implemented strong risk management practices with more flexibility if they are using different ways to achieve the requirement’s defined objective using different technologies and processes.
A bit more on the CA in a couple of slides.
Having said that, we did add emphasis to cloud in several areas:
In the scope of PCI DSS requirements where numerous types of system components are called out
Reworked Appendix A1
Used to apply to shared hosting providers, those entities are now called multi-tenant service providers, with a definition that makes clear this applies to cloud providers as well
New requirement for multi-tenant service providers to support or provide evidence to customers for pen testing.
12.5.2 PCI DSS scope is documented and confirmed by the entity at least once every 12 months and upon significant change to the in-scope environment. At a minimum, the scoping validation includes:
Identifying all data flows for the various payment stages
Update all data-flow diagrams per Requirement 1.2.4.
Identifying all locations where account data is stored, processed, and transmitted, including but not limited to:
Any locations outside of the currently defined CDE,
Applications that process CHD,
Transmissions between systems and networks, and
File backups.
Identify all system components in the CDE, connected to the CDE, or that could impact security of the CDE.
Identify all segmentation controls in use and the environment(s) from which the CDE is segmented, including justification for environments being out of scope.
Identifying all connections from third-party entities with access to the CDE.
PCI DSS v3.2.1 will remain active for two years after 4.0 is released.
31 March 2024 is the date when v3.2.1 will be retired.
This transition period designed to give orgs. time to become familiar with changes in 4.0;
In addition to that two-year timeframe, most of the new requirements are initially best practices in v4, and there is a further period of time after the retirement of v3.2.1 before these best practices become requirements.
That effective date for these new requirements (on the far right in this diagram) will be 31 March 2025.
It is worth noting that there are a lot of new and updated requirements, and we strongly encourage entities to start familiarizing themselves with the changes and begin planning for any implementation updates they need to make – don’t want to wait until the last minute.
PCI DSS v3.2.1 will remain active for two years after 4.0 is released.
31 March 2024 is the date when v3.2.1 will be retired.
This transition period designed to give orgs. time to become familiar with changes in 4.0;
In addition to that two-year timeframe, most of the new requirements are initially best practices in v4, and there is a further period of time after the retirement of v3.2.1 before these best practices become requirements.
That effective date for these new requirements (on the far right in this diagram) will be 31 March 2025.
It is worth noting that there are a lot of new and updated requirements, and we strongly encourage entities to start familiarizing themselves with the changes and begin planning for any implementation updates they need to make – don’t want to wait until the last minute.
Along with the standard, the SOC, ROC and ROC AOCs have been released
The preview version is no longer available in the PCI portal
And for those who participated in the RFCs, the feedback summaries from the 2020 PCI DSS v4.0 RFC and the 2021 validation documents RFC are also now available in the PCI portal.
With the SAQs to follow shortly in April.
To help organizations plan for their transition, there are also a lot of supporting docs being released over the March-June timeframe…
E.g., New/updated FAQs, Prioritized Approach, Quick Reference Guide are all being updated
We’re also pleased to be rolling out several translations of the Standard and SOC over this release period – means the standard will be available in English and 7 languages
along with QSA transition training (so they can perform v4.0 assessments)
We are also planning a 3-4 hour Global symposium to present various PCI DSS v4.0 topics in June.
This is the current transition timeline for v3.2.1 to v4.0 and also when the new requirements will be effective.
Note that some new requirements are effective immediately for all v4.0 assessments.
For example, those that are documentation based and are expected to already exist (roles and responsibilities, PCI DSS scoping)
As previously mentioned, most of the new requirements have an effective date of 31 March 2025 – until that time they are best practices.
However, an entity can include them in their assessment prior to this date if they are ready to do so.
You can find details about whether a new requirement is effective immediately for v4.0 or is a best practice until 31 March 2025 in…
the Summary of Changes from PCI DSS v3.2.1 to v4.0 - a great source of information for understanding all the changes in the Standard, as well as the effective dates of those new requirements.