PCI DSS 4.0 Webinar Final.pptx
•Download as PPTX, PDF•
0 likes•1,632 views
Hosted by ControlCase and the PCI Security Standards Council, this 45-minute webinar will cover: History of PCI DSS (including current version 3.2) PCI DSS v4.0 High-Level Changes PCI DSS v4.0 Timeline Deep Dive into notable changes: Promote Security as a Continuous Process Increased Flexibility and Customized Approach Increased Alignment between PCI ROC and PCI SAQ Keep up with the security needs of the Payment Industry and landscape (such as MFA/phishing, etc.) ControlCase Methodology for v4.0 Q&A
Recommended
Recommended
More Related Content
What's hot
What's hot (20)
Similar to PCI DSS 4.0 Webinar Final.pptx
Similar to PCI DSS 4.0 Webinar Final.pptx (20)
More from ControlCase
More from ControlCase (20)
Recently uploaded
Recently uploaded (20)
PCI DSS 4.0 Webinar Final.pptx
- 2. WEBINAR: PCI DSS 4.0 YOUR IT COMPLIANCE PARTNER – GO BEYOND THE CHECKLIST Download PCI DSS 4.0 Cheat Sheet Schedule PCI DSS Certification Discussion
- 3. INTRODUCTIONS Kishor Vaswani Chief Strategy Officer ControlCase Nitin Bhatnagar Associate Director, India PCI Security Standards Council (PCI SSC))
- 4. About ControlCase About PCI SSC About PCI DSS History of PCI DSS PCI DSS v4.0 Update from PCI SSC PCI DSS v4.0 Update from ControlCase Deep Dive: Notable Changes PCI DSS v4.0 Timeline Get Involved Agenda 4 1 2 3 4 5 6 7 8 9
- 6. ControlCase Snapshot © ControlCase. All Rights Reserved. 6 CERTIFICATION AND CONTINUOUS COMPLIANCE SERVICES Go beyond the auditor’s checklist to: Dramatically cut the time, cost and burden from becoming certified and maintaining IT compliance. • Demonstrate compliance more efficiently and cost effectively (cost certainty) • Improve efficiencies ⁃ Do more with less resources and gain compliance peace of mind • Free up your internal resources to focus on their priorities • Offload much of the compliance burden to a trusted compliance partner 1,000+ 275+ 10,000+ CLIENTS IT SECURITY CERTIFICATIONS SECURITY EXPERTS
- 7. Solution © ControlCase. All Rights Reserved. 7 Certification and Continuous Compliance Services “ I’ve worked on both sides of auditing. I have not seen any other firm deliver the same product and service with the same value. No other firm provides that continuous improvement and the level of detail and responsiveness. — Security and Compliance Manager, Data Center
- 8. Strategic Security Partnership for PCI DSS Compliance © ControlCase. All Rights Reserved. 8 PCI DSS Assessments must be completed by a Qualified Security Assessor (QSA) ControlCase is a QSA Company offering the following:
- 9. PCI DSS PCI SSF PCI P2PE HITRUST CSF HIPAA ISO 27001 SOC2 NIST 800-53 PCI PIN PCI PA-DSS FedRAMP PCI 3DS One Audit™ Assess Once. Comply to Many. Certification Services © ControlCase. All Rights Reserved. 9 “ You have 27 seconds to make a first impression. And after our initial meeting, it became clear that they were more interested in helping our business and building a relationship, not just getting the business. — Sr. Director, Information Risk & Compliance, Large Merchant
- 10. Dashboard of ControlCase One Audit™ © ControlCase. All Rights Reserved. 10
- 11. 2. About PCI Security Standards Council (PCI SSC)
- 12. About the PCI Security Standards Council Founded in 2006 as a global forum for payment card industry security standards. • Development • Management • Education • Awareness 12
- 13. PCI SSC Manages Standards, Not Compliance PCI SSC Does PCI SSC Does Not • Develop and maintain PCI Security Standards and Programs • Provide training, tools and educational resources to support PCI Security Standards implementation and compliance • Manage or enforce PCI compliance programs • Each PCI SSC founding payment brand has its own PCI compliance program for the protection of its affiliated payment card account data • All compliance related questions should be directed to the applicable payment card brand 13
- 14. 1 4
- 15. 3. About PCI DSS
- 16. Payment Card Industry Data Security Standard: • Established in 2006 by leading payment card issuers. (VISA, MasterCard, American Express, JCB International & Discover Financial Services) • Maintained by the PCI Security Standards Council (PCI SSC). • PCI DSS provides operational and technical requirements to protect cardholder data. • Currently in PCI DSS Version 3.2 • PCI DSS Version 4.0 was just announced What is PCI DSS? © ControlCase. All Rights Reserved. 16
- 17. 12 Requirements of PCI DSS © ControlCase. All Rights Reserved. 17 CONTROL OBJECTIVES (6 PRINCIPLES) 12 REQUIREMENTS Build and maintain a secure network 1. Install and maintain a firewall configuration to protect cardholder data 2. Do not use vendor-supplied defaults for system passwords and other security parameters Protect cardholder data 3. Protect stored cardholder data 4. Encrypt transmission of cardholder data across open, public networks Maintain a vulnerability management program 5. Use and regularly update anti-virus software on all systems commonly affected by malware 6. Develop and maintain secure systems and applications Implement strong access control measures 7. Restrict access to cardholder data by business need-to-know 8. Assign a unique ID to each person with computer access 9. Restrict physical access to cardholder data Regularly monitor and test networks 10.Track and monitor all access to network resources and cardholder data 11.Regularly test security systems and processes Maintain an information security policy 12.Maintain a policy that addresses information security
- 18. PCI DSS Family of Standards © ControlCase. All Rights Reserved. 18 PCI DSS Security of Environments that store, process or transmit account data PCI PA-DSS Secures payment applications support PCI DSS compliance PCI P2PE Ensures data is encrypted at POI and can only be decrypted by dedicated environment PCI TSP Requirements for token service providers for EMV Payment tokens PCI Card Production Physical and logical security requirements for card manufacturing and personalization PCI 3DS Physical and logical requirements for entities that implement 3DS Payment solution PCI PTS – HSM Physical and logical controls for securing HSM PCI PTS – POI Protection of sensitive data at POI PCI PTS – PIN Security Secure management, processing and transmission of PIN data
- 19. Data in Question (Credit and Debit Card Data) © ControlCase. All Rights Reserved. 19 Cardholder Data Includes: • Primary Account Number (PAN) • Cardholder’s Name • Expiration Date • Service Code Sensitive Authentication Data Includes: • Full Track Data • CAV2/CVC2/CVV2/CID • PINs/PIN blocks
- 20. 4. History of PCI DSS
- 21. History of PCI DSS Release Dates for PCI DSS © ControlCase. All Rights Reserved. 21 • PCI DSS v1 - December 2004 • PCI DSS v1.1- September 2006 • PCI DSS v1.2- October 2008 • PCI DSS v2 - October 2010 • PCI DSS v3 - November 2013 • PCI DSS v3.1 - April 2015 • PCI DSS v3.2 - April 2016 • PCI DSS v3.2.1 - May 2018 • PCI DSS v4 - March 2022
- 22. 5. PCI DSS v4.0 Update from PCI SSC
- 23. PCI DSS v4.0 RFC Participation For all PCI DSS v4.0 RFCs RFC 1 in 2019 Over 3,000 comments from 153 companies RFC 2 in 2020 Over 1800 comments from 124 companies RFC 3 in 2021 Almost 1,300 comments from 87 companies 6,000+ feedback items 200+ Unique companies 23
- 24. Goals for PCI DSS v4.0 • Ensure the standard continues to meet the security needs of the payments industry • Add flexibility to support different methodologies being used to achieve security • Promote security as a continuous process • Enhance validation methods and procedures 24
- 25. The 12 Requirements Remain PCI Data Security Standard – High Level Overview Build and Maintain a Secure Network and Systems 1. Install and maintain network security controls. 2. Apply secure configurations to all system components. Protect Account Data 3. Protect stored account data. 4. Protect cardholder data with strong cryptography during transmission over open, public networks. Maintain a Vulnerability Management Program 5. Protect all systems and networks from malicious software. 6. Develop and maintain secure systems and software. Implement Strong Access Control Measures 7. Restrict access to system components and cardholder data by business need to know. 8. Identify users and authenticate access to system components. 9. Restrict physical access to cardholder data. Regularly Monitor and Test Networks 10. Log and monitor all access to system components and cardholder data. 11. Test security of systems and networks regularly. Maintain an Information Security Policy 12. Support information security with organizational policies and programs. …but read carefully because the wording may have changed. 25
- 26. Defined Approach • Follows current PCI DSS requirements and testing procedures • Suitable for entities with security implementations that align with current requirements • Provides direction on how to meet security objectives Validating to PCI DSS v4.0 Add Flexibility for Different Methodologies 26
- 27. Defined Approach • Follows current PCI DSS requirements and testing procedures • Suitable for entities with security implementations that align with current requirements • Provides direction on how to meet security objectives Customized Approach (NEW) • Focuses on the objective of each PCI DSS requirement • Entity determines and implements controls to meet the objective • Provides greater flexibility for entities using different ways to achieve a requirement’s security objective • Suitable for entities with robust security processes and strong risk management practices Validating to PCI DSS v4.0 Add Flexibility for Different Methodologies 27
- 28. Compensating Controls and the Customized Approach Add Flexibility for Different Methodologies The entity cannot meet the requirement as stated due to documented technical or business constraints but has implemented alternative controls to mitigate the risk. Compensating Controls The entity has mature risk-management practices and chooses to implement different controls that meet the Customized Approach Objective but does not meet requirement as stated. Customized Approach Compensating controls are not an option with the customized approach. The entity is expected to implement an effective customized control, without needing to also implement an alternate, compensating control. Compensating Controls Customized Approach 28
- 29. Working Together Is Key… QSA Organization 29
- 30. Which Entities Can Use The Customised Approach? Entities that complete a Self-Assessment Questionnaire are not eligible to use a customized approach 30
- 31. PCI DSS v4.0: Lots of New Guidance
- 32. Cloud and Other Technologies • PCI DSS always had a goal to remain technology neutral. • PCI DSS v4.0 includes refocused requirements and new objective statements. • New Customized Approach provides flexibility for organizations using different ways to meet security.
- 33. The First Step to PCI DSS Validation Annual PCI DSS Scope Confirmation 12.5.2 PCI DSS scope is documented and confirmed by the entity at least once every 12 months and upon significant change to the in-scope environment Annual PCI DSS Scope review The first step in preparing for a PCI DSS assessment is for the entity to accurately determine the scope of the review 33
- 34. PCI DSS v4.0 Implementation Timeline* 2022 Q1 Q2 Q3 Q4 31 March 2024 PCI DSS v3.2.1 retired 31 March 2025 Future-dated new requirements become effective 2024 2025 * All dates based on current projections and subject to change Transition period from PCI DSS v3.2.1 to v4.0 Official Release: PCI DSS v4.0 with validation documents ISA/QSA training and supporting documents 2023 Transition period from PCI DSS v3.2.1 to v4.0 Implementation of future-dated new requirements Q1 Q2 Q3 Q4 Q1 Q2 Q3 Q4 Q1 Q2 34
- 35. 6. PCI DSS v4.0 Update from ControlCase
- 36. PCI DSS V4.0 Update © ControlCase. All Rights Reserved. 36 - No company can certify companies to PCI DSS V 4.0 yet - PCI Council to offer the first training sometime in June 2022 - after which QSAs can start assessments under PCI DSS 4.0 - PCI Council has published a list of changes and documentation online. ControlCase will update customers as we get closer to Q’3 2022. Until then no change to our assessment process - Companies will have 2 years to transition to v4.0 but can move earlier as well
- 37. Goals for PCI DSS v4.0 © ControlCase. All Rights Reserved. 37 PCI DSS v4.0 is the next generation of the standard, and it has the following goals: Continue to meet the security needs of the payment industry Promote security as continuous process Increase flexibility for organizations using different methods to achieve security objectives Enhance validation methods and procedures
- 38. Critical changes from PCI DSS v3.2.1 to v4.0 © ControlCase. All Rights Reserved. 38 Methodological changes - Several small updates across the requirements with added Clarification or Guidance - Introduction of Customized approach to offer additional requirement validation method to meet the requirement objective - Introduction of targeted risk analysis for various critical requirements - For Service Providers - Confirming PCI DSS scope at least once every 6 months and upon significant change to the in-scope environment New requirements that may require major efforts/implementations - Stringent password and MFA (Multi-Factor Authentication) requirements - Mechanisms to detect and protect personnel against phishing attacks - Automated technical solution for public-facing web applications that continually detects and prevents web-based attacks - Automated mechanisms to review audit logs for all CDE and critical systems - Internal vulnerability scans via authenticated scanning
- 39. 7. Deep Dive into Notable Changes
- 40. 12 Requirements of PCI DSS v3.2.1 vs. v4.0 © ControlCase. All Rights Reserved. 40 PCI DSS v3.2.1 - 12 REQUIREMENTS PCI DSS v4.0 - 12 REQUIREMENTS 1. Install and maintain a firewall configuration to protect cardholder data 2. Do not use vendor-supplied defaults for system passwords and other security parameters 1. Install and Maintain Network Security Controls 2. Apply Secure Configurations to All System Components 3. Protect stored cardholder data 4. Encrypt transmission of cardholder data across open, public networks 3. Protect Stored Account Data 4. Protect Cardholder Data with Strong Cryptography During Transmission Over Open, Public Networks 5. Use and regularly update anti-virus software on all systems commonly affected by malware 6. Develop and maintain secure systems and applications 5. Protect All Systems and Networks from Malicious Software 6. Develop and Maintain Secure Systems and Software 7. Restrict access to cardholder data by business need-to-know 8. Assign a unique ID to each person with computer access 9. Restrict physical access to cardholder data 7. Restrict Access to System Components and Cardholder Data by Business Need to Know 8. Identify Users and Authenticate Access to System Components 9. Restrict Physical Access to Cardholder Data 10.Track and monitor all access to network resources and cardholder data 11.Regularly test security systems and processes 10.Log and Monitor All Access to System Components and Cardholder Data 11.Test Security of Systems and Networks Regularly 12.Maintain a policy that addresses information security 12.Support Information Security with Organizational Policies and Programs
- 41. Major Updates to PCI DSS v4.0 Requirements Title © ControlCase. All Rights Reserved. Requirement 1: - Changed the requirement title from “Install and maintain a firewall configuration to protect cardholder data” to “Install and Maintain Network Security Controls” Updated the requirement title to reflect the focus on broader “network security controls”. Replaced “firewalls” and “routers” with “network security controls” to support a broader range of technologies, including the cloud technology used to meet the security objectives traditionally met by firewalls. Requirement 2: - Changed the requirement title from “Do not use vendor-supplied defaults for system passwords and other security parameters” to “Apply Secure Configurations to All System Components” Updated the requirement title to reflect that the focus is on secure configurations in general, and not just on vendor-supplied defaults. Requirement 3: - Changed the requirement title from “Protect stored cardholder data” to “Protect Stored Account Data” Updated the requirement title to reflect the focus on account data. Replaced “Cardholder data” with “Account data” to apply the data protection requirements to cardholder data and sensitive authentication data, and not just cardholder data to be receptive to the needs of various parties such as Issuers 41
- 42. Major Updates to PCI DSS v4.0 Requirements Title © ControlCase. All Rights Reserved. 42 Requirement 5: - Changed the requirement title from “Protect all systems against malware and regularly update anti-virus software or programs” to “Protect All Systems and Networks from Malicious Software” Updated the requirement title to reflect the focus on protecting all systems and networks from malicious software. Replaced “anti-virus” with “anti-malware” throughout the requirement to support a broader range of technologies used to meet the security objectives traditionally met by anti-virus software. Requirement 12: - Changed the requirement title from “Maintain a policy that addresses information security for all personnel” to “Support Information Security with Organizational Policies and Programs” Updated the requirement title to reflect that the focus is on organizational policies and programs that support information security.
- 43. Goals for PCI DSS v4.0 © ControlCase. All Rights Reserved. 43 - Continue to meet the security needs of the payment industry Security practices must evolve to continue to meet the security needs of the payments industry as threats change. Example: o Made new updates to multi-factor authentication (MFA) requirements. o Updated password requirements in-line with current industry best practices. o Added new e-commerce and phishing standards to address the ongoing threats. o Updated requirements for Sensitive Authentication Data (SAD) secure handling. o Added authenticated internal vulnerability scanning requirement for a greater insight into organizations vulnerability landscape.
- 44. Goals for PCI DSS v4.0 © ControlCase. All Rights Reserved. 44 - Promote security as continuous process Promote security as a continuous process as ongoing security is crucial to protect payment data Example: o Clearly assigned roles and responsibilities for personnel working on each requirement. o Added guidance across requirements to help organizations better understand how to implement and maintain security. o Added new reporting option to highlight areas for improvement and provides greater transparency for report reviewers.
- 45. Goals for PCI DSS v4.0 © ControlCase. All Rights Reserved. 45 - Increase flexibility for organizations using different methods to achieve security objectives Provide more options and different validation methods to increase flexibility for organizations to achieve security objectives and supports payment technology innovation Example: o Allowed the use of group, shared, and public accounts with exceptions. o Introduced targeted risk analyses that empower organizations to determine the frequency of performing certain activities. o Introduced a new customized approach method to validate PCI DSS requirements, gives organizations another option to consider innovative methods to achieve their security objectives.
- 46. Goals for PCI DSS v4.0 © ControlCase. All Rights Reserved. 46 - Enhance validation methods and procedures Improve validation methods and procedures with Clear validation and reporting options to support transparency and granularity Example: o Increased alignment between information reported in a Report on Compliance or Self- Assessment Questionnaire and information summarized in an Attestation of Compliance
- 47. Compensating Controls vs Customized Approach © ControlCase. All Rights Reserved. 47 Compensating controls: • The entity cannot meet the requirement as stated due to documented technical or business constraints but has implemented alternative controls to mitigate the risk. Customized Approach: • The entity has mature risk-management practices and chooses to implement different controls that meet the Customized Approach Objective but does not meet the requirement as stated.
- 48. 8. PCI DSS v4.0 Timeline
- 49. PCI DSS v4.0 Implementation Timeline* 2022 Q1 Q2 Q3 Q4 31 March 2024 PCI DSS v3.2.1 retired 31 March 2025 Future-dated new requirements become effective 2024 2025 * All dates based on current projections and subject to change Transition period from PCI DSS v3.2.1 to v4.0 Official Release: PCI DSS v4.0 with validation documents ISA/QSA training and supporting documents 2023 Transition period from PCI DSS v3.2.1 to v4.0 Implementation of future-dated new requirements Q1 Q2 Q3 Q4 Q1 Q2 Q3 Q4 Q1 Q2 49
- 50. Q1 2022 • PCI DSS v4.0 and validation documents were published 31 March • RFC feedback summaries will be available in the PCI portal • Blog and video content planned to introduce v4.0 Q2 2022 • Translations, supporting documents, and training will be available by end of June • PCI DSS v4.0 Global Symposium Q3/Q4 2022 • Engagement, stakeholder support • Additional guidance document updates
- 51. PCI DSS v3.2.1 to v4.0 Transition Q3 2022 Q1 2024 Q1 2025 • *End June onwards • QSA and ISA Transitional Trainings Available • All documentation released • Organizations can commence assessments against v4.0 using approved QSAs** *Based on current timeline ** QSAs must have successfully completed v4.0 training prior to undertaking v4.0 assessments • *31 March 2024 • PCI DSS v3.2.1 retirement • PCI v4.0 becomes the exclusive version for use • *31 March 2025 • New PCI DSS requirements with future dates become effective 51
- 52. 9. Get Involved
- 55. Q&A
- 56. THANK YOU FOR THE OPPORTUNITY TO CONTRIBUTE TO YOUR IT COMPLIANCE PROGRAM. www.controlcase.com contact@controlcase.com Download PCI DSS 4.0 Cheat Sheet Schedule PCI DSS Certification Discussion
Editor's Notes
- Organizations of all sizes rely on ControlCase’s certification and continuous compliance services to dramatically cut the time, cost and burden out of IT compliance. Unlike traditional consulting firms, we bring a partnership approach versus an auditor mentality to every engagement. We go beyond the checklist and provide the expertise, guidance and automation needed to more efficiently and cost effectively demonstrate and maintain compliance. Whether you're looking to satisfy regulatory requirements, meet customer demand or establish confidence with prospective customers, with ControlCase as your compliance partner, your workforce will be free to focus on their strategic priorities, and you’ll eliminate the hassle and reduce the stress associated with certification and continuous compliance.
- For background, the Payment Card Industry Security Standards Council is an open global forum created in 2006 by the five major card brands to develop, maintain and manage the PCI Security Standards. The brands share equally in governance and execution of the PCI Council’s work.
- But before I look more deeply into what has been going on, first let me introduce PCI SSC. Our mission is simple to help secure Payment data How to we go about that By developing standards and supporting service that drive education, awareness and effective implementation by stakeholders To help achieve this we have 4 strategic pillars that are aimed at …
- Before we go into the changes, wanted to provide a little insight into the development of the standard Held 3 separate RFCs while v4 was in development: 2 RFCs for the draft Standard and 1 for Validation Documents – includes reporting templates and attestation documents Incredible amount of input- over 6k comments from more than 200 companies over the course of these feedback periods In addition to RFCs, also did a survey on ROCs and AOC in 2019 – received about 700 comments from that survey So you can see this revision is the result of a collaborative effort with the PCI community
- Reasons for the updates: Requirement 1: Updated firewall terminology to network security controls to support a broader range of technologies used to meet the security objectives traditionally met by firewalls. Requirement 2: broadened wording since requirement 2 has always covered more than vendor supplied defaults – covers secure configurations in general Requirement 3: broadened wording to emphasize that account data, not just cardholder data, needs to be protected. Requirement 4: minor rewording to reflect focus on “strong cryptography”. Requirement 5: updated to clarify that “systems and networks” need protecting from malicious software. Requirement 6: updated to emphasize software rather than applications. Requirement 7: updated to include both “system components” and “cardholder data”. Requirement 10: updated to logs rather that “track” and to include system components. Requirement 11: updated to clarify requirements’ intended focus on systems and networks. Requirement 12: updated to emphasize the goal of over-arching policies and procedures.
- Two options in the standard now for validating Flexibility is a big part of v4.0 Stakeholders told us that would like to meet some PCI DSS requirements using different technologies As a result we explored other options an entit can use to mee a requirement and now there are two approaches Defined Approach - the traditional method for implementing and validating PCI DSS. In essence, this is what everyone is doing now. The entity implements security controls to meet the requirement as stated, and the assessor follows the defined testing procedures to verify the requirement is met. If an entity already has with controls in place to meet a req – and is comfortable with the current methods for validating controls to meet PCI DSS, there is no need to change. Additionally, the Defined Approach is good for those looking for more specific direction on meeting security objectives – including those who might be new to Information Security or PCI DSS.
- The Customized Approach focuses on a PCI DSS requirement’s CA security objective. The entity determines the controls that are used to meet the stated objective. The entity’s role with CA is to perform risk analysis and address the risk, define and document controls, and perform its own testing to verify the control is working. Because each customized implementation is different, there are no defined testing procedures. Instead, the assessor will be required to carefully evaluate the entity’s CA documentation, and then develop testing procedures that are appropriate to the specific implementation - And then to perform the tests to validate that the customized controls meet the stated Intent. This Approach provides entities greater flexibility to use alternate security controls (often meaning new technologies) to meet PCI DSS objectives. These new technologies often do not fit within the traditional method for implementing and validating PCI DSS. This takes a lot more effort than the defined approach and is best suited for risk-mature entities with robust security processes.
- Many people are familiar with compensating controls, and they are still an option for those using the defined approach. Compensating controls - for entities that cannot meet a req due to a business or technical constraint. Entities implement an alternative control that mitigates the same risk. But there is most likely an underlying non-compliant system or process that cannot be addressed. Often the CA objective cannot be met either. Customized approach - for entities that have an innovative approach to meet the objective of the req in a different way. The entity choses to implement a different control that meets the stated CA objective But the control may not meet the specifics in the PCI DSS requirement itself CAs require the entity have strong risk management practices and can document exactly how the approach meets the req’s objective. For compensating controls, appendices still present in the standard with guidance and a template. Added clarification that a CC cannot be used to retroactively to address a requirement that was missed in the past. For example, where a task that should have been performed, was not performed, and no action was taken at that time to address it. For customized approach, Appendices D and E in the standard provide more details on completing CAs and provide templates for the entity to complete (controls matrix and risk analysis templates).
- The Customized Approach is not what you do when you hit a problem during your annual assessment. It is not the responsibility of the QSA to define your Customized Approach It is your responsibility It is the responsibility of the QSA to validate your Customized Approach Customized Approach is not an easier option. It must as a minimum achieve the same level of security as the defined approach provides The entity and its assessor are expected to work together to ensure 1) they agree that the customized control(s) fully meets the customized approach objective, 2) the assessor fully understands the customized control, and 3) the entity understands the derived testing the assessor will perform
- An entity that completes a SAQ is not eligible to use a customized approach. However, an SAQ-eligible entity may elect to have a QSA or ISA perform their assessment and document it in a ROC Template. The use of the customized approach may be regulated by organizations that manage compliance programs (for example, payment brands and acquirers). Therefore, questions about use of a customized approach must be referred to those organizations, including: for example, whether an entity that is eligible for a SAQ may instead complete a ROC to use a customized approach, and whether an entity is required to use a QSA, or may use an ISA to complete an assessment using the customized approach. Information about the use of the Customized Approach can be found in Appendix D and E of PCI DSS v4.0
- To highlight some of the guidance we’ve added to v4.0. For instance: PCI DSS applicability information section Some PCI DSS requirements may apply for entities that do not store, process, or transmit PAN Clarified terms account data, CHD, SAD, and PAN are not interchangeable and are used intentionally in PCI DSS (meaning when we say PAN we mean PAN and not all account data) PCI DSS and Software Standards Rewrote this section to cover all PCI software standards Added new appendix F to discuss role of PCI software standards in helping to address elements of Requirement 6. Mentions that PA-DSS is retiring in 2022 Added a diagram to “Scope of PCI DSS requirements” section for “Understanding PCI DSS Scoping” – adapted from our scoping information supplement Third-Party Service Providers Lots of new guidance (some from existing FAQs) to clarify third party relationships – I encourage you to review this section thoroughly if you haven't already Description of Timeframes – to clarify frequencies and timeframes specified in PCI DSS requirements, and related expectations. New section to introduce customized approach (and new appendices at D and E to provide more details about CA) And this new diagram that you can see on this slide Replaces content of first page of the Detailed PCI DSS Requirements and Testing Procedures, Right before the actual requirements and testing procedures starts Graphic to explain all the parts of the requirements and to define/explain the newly added sections in the Guidance column. We also reformatted the guidance column that is included in each PCI DSS requirement, adding headers to clarify the content. And some of the guidance, which was more about how or to which entity the requirement applies, was moved to a new section under a requirement, called Applicability Notes. And we’ve put the PCI DSS glossary in the standard now, in App G.
- We are often asked how PCI DSS supports New Emerging Technologies in payments PCI DSS has always been technology-neutral, - The requirements are intended to apply to all types of environments. Even if a type of technology is not specifically called out in the standard, the intent of the security requirements is still applicable. Version 4.0 – we refocused requirements and added objective statements to better emphasize its broad applicability to technologies of all types. In addition, PCI DSS v4.0 includes the Customized Approach for most requirements, specifically to provide entities that have implemented strong risk management practices with more flexibility if they are using different ways to achieve the requirement’s defined objective using different technologies and processes. A bit more on the CA in a couple of slides. Having said that, we did add emphasis to cloud in several areas: In the scope of PCI DSS requirements where numerous types of system components are called out Reworked Appendix A1 Used to apply to shared hosting providers, those entities are now called multi-tenant service providers, with a definition that makes clear this applies to cloud providers as well New requirement for multi-tenant service providers to support or provide evidence to customers for pen testing.
- 12.5.2 PCI DSS scope is documented and confirmed by the entity at least once every 12 months and upon significant change to the in-scope environment. At a minimum, the scoping validation includes: Identifying all data flows for the various payment stages Update all data-flow diagrams per Requirement 1.2.4. Identifying all locations where account data is stored, processed, and transmitted, including but not limited to: Any locations outside of the currently defined CDE, Applications that process CHD, Transmissions between systems and networks, and File backups. Identify all system components in the CDE, connected to the CDE, or that could impact security of the CDE. Identify all segmentation controls in use and the environment(s) from which the CDE is segmented, including justification for environments being out of scope. Identifying all connections from third-party entities with access to the CDE.
- PCI DSS v3.2.1 will remain active for two years after 4.0 is released. 31 March 2024 is the date when v3.2.1 will be retired. This transition period designed to give orgs. time to become familiar with changes in 4.0; In addition to that two-year timeframe, most of the new requirements are initially best practices in v4, and there is a further period of time after the retirement of v3.2.1 before these best practices become requirements. That effective date for these new requirements (on the far right in this diagram) will be 31 March 2025. It is worth noting that there are a lot of new and updated requirements, and we strongly encourage entities to start familiarizing themselves with the changes and begin planning for any implementation updates they need to make – don’t want to wait until the last minute.
- PCI DSS v3.2.1 will remain active for two years after 4.0 is released. 31 March 2024 is the date when v3.2.1 will be retired. This transition period designed to give orgs. time to become familiar with changes in 4.0; In addition to that two-year timeframe, most of the new requirements are initially best practices in v4, and there is a further period of time after the retirement of v3.2.1 before these best practices become requirements. That effective date for these new requirements (on the far right in this diagram) will be 31 March 2025. It is worth noting that there are a lot of new and updated requirements, and we strongly encourage entities to start familiarizing themselves with the changes and begin planning for any implementation updates they need to make – don’t want to wait until the last minute.
- Along with the standard, the SOC, ROC and ROC AOCs have been released The preview version is no longer available in the PCI portal And for those who participated in the RFCs, the feedback summaries from the 2020 PCI DSS v4.0 RFC and the 2021 validation documents RFC are also now available in the PCI portal. With the SAQs to follow shortly in April. To help organizations plan for their transition, there are also a lot of supporting docs being released over the March-June timeframe… E.g., New/updated FAQs, Prioritized Approach, Quick Reference Guide are all being updated We’re also pleased to be rolling out several translations of the Standard and SOC over this release period – means the standard will be available in English and 7 languages along with QSA transition training (so they can perform v4.0 assessments) We are also planning a 3-4 hour Global symposium to present various PCI DSS v4.0 topics in June.
- This is the current transition timeline for v3.2.1 to v4.0 and also when the new requirements will be effective. Note that some new requirements are effective immediately for all v4.0 assessments. For example, those that are documentation based and are expected to already exist (roles and responsibilities, PCI DSS scoping) As previously mentioned, most of the new requirements have an effective date of 31 March 2025 – until that time they are best practices. However, an entity can include them in their assessment prior to this date if they are ready to do so. You can find details about whether a new requirement is effective immediately for v4.0 or is a best practice until 31 March 2025 in… the Summary of Changes from PCI DSS v3.2.1 to v4.0 - a great source of information for understanding all the changes in the Standard, as well as the effective dates of those new requirements.