5 Things To Know About PCI DSS 4.0 and the 2024 Deadline

Member News
Blog
PCI
Bluefin
Jul 06, 2023
Blog

By Joy Savula, Marketing Manager, Bluefin

The PCI DSS standard is designed to protect consumer cardholder data with policies and procedures designed to secure credit, debit and cash card transactions and protect cardholders against misuse of their personal information. To learn more about the implications of the upcoming version 4.0, Bluefin sat down with industry security and compliance expert Dan Fritsche and asked about the key questions and issues organizations need to know about.

 

Q #1: What was the catalyst in the payment landscape that sparked a need for an updated standard?

Fritsche: “Some people like to say that Covid and data breaches are the reason for the new version, but for the record, the PCI Security Standards Council (PCI SSC) has a cadence in which they take feedback on a regular basis from the payments industry. They look at what is happening in the payment environment, use other standards, track feedback from PCI participating organizations and work with industry experts such as National Institute of Standards and Technology (NIST) so that new versions are not created in a vacuum. This process has changed significantly from the early days of 1.0, and for the 4.0 version, there were three rounds of feedback totaling over 6,000 lines of input that they took from over 200 companies.”

 

Q #2: What are the most important aspects of version 4.0?

Fritsche: “In the past, a new version would be released and there was a hard switch to the new requirements. There was some warning and some time to get ready, but with version 4.0, they have improved the process by spreading out the timeframe of implementation.

Version 4.0 has over 50 new requirements, with 13 effective as 4.0 is rolled out, meaning everyone will need to meet those by March 31, 2024 if not sooner. The remaining requirements are listed as best practices and will become requirements as of March 31, 2025, allowing flexibility for an organization to figure out what makes sense for them to implement in what order based on their specific organizational risks.

In addition, PCI SSC has increased flexibility for organizations using different methods to achieve security objectives. One way the standard does this is with the introduction of the new customized approach for meeting the new standard.”

In the past, organizations used what is now called the defined approach, best suited for organizations that already have controls in place to meet a requirement and are comfortable with the current methods for validating those controls. This approach is also suitable for organizations that are new to PCI DSS and may be looking for more specific direction on how to meet the various compliance objectives.

A customized approach is an alternative method that provides greater flexibility and is suited for organizations that want to use alternate security controls or new technologies that meet the objectives within the Customized Approach. The customized approach, Fritsche explains, allows the ability to customize the requirement in cases when the defined approach doesn't fit an organization’s needs.

“One of my favorite examples in the defined approach involved passwords. In the past, a password has been seven alphanumeric characters. That means the word “password” with a capital P is all you had to have. With the customized approach, it makes sure that your credentials are being properly protected, using authentication and best practices, and as an example, allowing for the potential ability to do a multi-factor without passwords. If you have the ability to get rid of insecure passwords all together, you would need to use the customized approach and make it clear as to how you do this in a secure manner within your organization.”

For any requirement in 4.0, either approach can be used. Fritsche anticipates that most organizations will use what he calls a "hybrid approach" - starting with the defined approach and leveraging the customized approach as appropriate.

 

Q #3: What are the best resources organizations can use to prepare for 4.0?

Fritsche: “The PCI SSC website is the best resource for information, complete with PCI DSS 4.0 Resource Hub, and training for assessors.”

He recommends that you start by reading the standard, understand the basics, and use the resources you have internally. Unless your organization has an Internal Security Assessor (ISA) on staff, you will want to engage a trusted advisor that can help leverage previous PCI assessments and navigate the new requirements. You want someone who is going to be completely honest with you and tell you things that you might not be excited about hearing. This individual will need to understand risk, put security first and then apply both to how your organization approaches compliance. By determining which best practices put your organization at risk, your trusted advisor can help reduce many of the risks and leverage this compliance standard in a way that will increase your business value.”

Fritsche also recommends doing gap assessments within your environment to understand the current controls and if there are any gaps to the new requirements.

 

Q #4: What is your best advice for organizations when it comes to implementing the new version?

Fritsche: “Don’t take the ’Let’s take a risk and wait’ approach. I have seen countless organizations wait until the last minute to address implementation. This ends up costing more money in multiple ways. You could pay more for an assessment, put your organization at risk, or lose business by putting it off. If you start now, you can identify which requirements will demand change in a way that's not disruptive to your existing business.”

Fritsche believes that the standard’s flexibility balances out the ability for implementation, preventing organizations from having to do a lot of work all in a short amount of time, which takes away resources that are normally allocated for other things.

 

Q #5: What costs should organizations be aware of in implementing 4.0?

Fritsche: “There will be costs associated with the actual assessment and sticking to the defined (traditional) approach will keep your costs closer to that of past assessments. The customized approach is what's going to drive the assessment cost to increase because it takes more time and more internal resources that you might have normally dedicated to other things within your organization. Spreading the costs using a continuous compliance model over a year instead of putting it all into a month will help to avoid that bell curve of expenses.

Additionally, there are costs for anything new you decide to implement or change in your environment, so it's important to start early to identify risks and gaps. You’ll save time and money in the long run by picking the right tools instead of trying to figure it out at the last minute and with expensive solutions that may not even be effective.

Overall, organizations need to drive continuous compliance, which integrates best practices across your IT and business environment with positive outcomes that reduce costs and increase efficiencies.

I would take 4.0 as an opportunity to turn compliance away from being a cost center and into a measurable benefit for the company. Tying your security into your risk postures and leveraging the changes to do positive, impactful things that can result in a return on investment.”

 

About Dan Fritsche

Daniel Fritsche's security and compliance expertise spans 25 years of success, leveraging innovative security technologies in the design and operation of secure application development environments, encryption technologies, and secure payment solutions. He is adept at demonstrating emerging technology solutions and architecture with company alignment to improve the business bottom line and security posture.

Daniel is a Certified Information Systems Security Professional (CISSP) and has held various PCI SSC certifications since 2008— including QSA, PA-QSA, P2PE QSA/PA-QSA, 3DS 3 years, and ISA. His combined enterprise technology, security, and compliance experience have made him an invaluable resource to many businesses struggling to manage complex cybersecurity challenges.

 

About Bluefin

Bluefin is the recognized integrated payments leader in encryption and tokenization technologies that protect payments and sensitive data. Our product suite includes solutions for contactless, face-to-face, call center, mobile, Ecommerce and unattended payments and data in the healthcare, higher education, government and nonprofit industries. The company’s 300 global partners serve 34,000 connected enterprise and software clients operating in 55 countries. Bluefin is a Participating Organization (PO) of the PCI Security Standards Council (SSC) and is headquartered in Atlanta, with offices in Waterford, Ireland and Vienna, Austria.

For more information contact Bluefin at https://www.bluefin.com/contact/

Tagged:
Blue-tinted background of a man watching a webinar

Host a Webinar with the MRC

Help the MRC community stay current on relevant fraud, payments, and law enforcement topics.
Submit a Request

Publish Your Document with the MRC

Feature your case studies, surveys, and whitepapers in the MRC Resource Center.
Submit Your Document