Payment Card Assessments is dedicated to helping our customers ease the stress and burden that comes with achieving and sustaining PCI DSS Compliance.paymentcardassessments.com
Two years sounds like a lot of time to transition to PCI DSS v4.0. Three years sounds even longer to become compliant with the 50+ new requirements considered best practice until March 2025. Trust me when I say this, “time will evaporate right before your eyes”. If you haven’t started planning yesterday, you may already be behind the eight ball.
As you begin your transition to PCI DSS v4.0 your plan must:
- Remove weekends.
- Remove holidays.
- Remove vacations.
- Remove key people who will either retire, quit, or promote out of their current position.
- Factor in competing business objectives.
- Factor in competing priorities that are vying for the same dollars in the budget.
- Factor in the budget and get in front of all remediation issues sooner rather than later.
- Factor in competing resources.
- Factor in selective amnesia, PCI fatigue, and a collective resistance to change.
- Include a communication plan to your company’s senior leadership team.
Examples of new requirements that may require merchants to start now and not wait until the last minute to implement:
- Most merchants struggle with the accuracy of their scope. Up until v4.0, reviewing your scope hasn’t been required. Now it is. If you don’t have a handle on your scope today, you need to become intimately familiar with you scope as soon as possible. And that means putting processes and procedures in place to manage and monitor all your in-scope assets. If you’re struggling with scope, we can help.
- If you’re already using multi-factor authentication to access your cardholder data environment, you’re in a great position. However, if you haven’t implemented MFA, today is a good day to put a plan in place to be compliant long before the deadline. Now is the time to vet your MFA vendors, select your solution, present your budget and your implementation plan. The time to start is now; not tomorrow.
Half a dozen or so new requirements call for a risk analysis to determine the frequency you must perform a test of the control, for example:
- PCI DSS 188.8.131.52 A targeted risk analysis is performed to determine frequency of periodic malware scans.
- PCI DSS 10.4.2.1 A targeted risk analysis is performed to determine frequency of log reviews for all other system components.
- PCI DSS 12.3.1 A targeted risk analysis is documented to support each PCI DSS requirement that provides flexibility for how frequently it is performed.
Your Risk Assessment team needs to be informed NOW rather than on December 31, 2023 that they’ll have more risk assessments that need to be performed for PCI DSS Compliance. Up until now, they’ve only had the annual PCI DSS 12.2 risk assessment to comply with. Schedule that conversation today with your risk assessment team. They’ll thank you for it.
How would you rate your current PCI DSS Compliance Program today?
Merchants that have a robust PCI Sustainability program in place and a mature PCI Compliance posture today won’t have a huge leap to lead their organization into PCI DSS v4.0. Perform your gap assessment now. The PCI Security Council has the documents you need to perform an internal gap assessment and determine what you need to do to uplevel your PCI Compliance program.
Merchants who don’t have a PCI Sustainability Program in place and don’t have repeatable, defined processes in place will struggle with the changes in v4.0. At Payment Card Assessments, we’re dedicated to helping merchants was the stress and burden that comes with achieving and sustaining PCI DSS Compliance. With a combined 20+ years of PCI DSS experience at a level 1 merchant, we have “in the trenches” knowledge and expertise when it comes to PCI Compliance.
If you’re scratching your head trying to figure out what you need to do between now and 2024, request a call back today.