Deadlines aren’t bad. They help you organize your time. They help you set priorities. They make you get going when you might not feel like it.
Unless you’ve been living under a rock, PCI DSS v4.0 goes into effect on March 31, 2024.
You’ve got 7.5 months to get compliant with 11 new requirements.
The 11 new requirements you must have in place in 8 short months all boil down to the FIRST of four key processes that will have you rocking your 2024 PCI Report on Compliance.
Your mission, if you choose to accept it, is to have these key processes in place by December 31, 2023.
Why? You need time to kick the tires, drive these new PCI processes around, work out the kinks in communication, roles, responsibilities and level of work effort.
Here’s 4 key PCI DSS Compliance processes that you can implement before year end.
I know you can do it.
Key PCI DSS Compliance Process #1: Get a Grip on Your PCI Scope
If you’ve heard me mention anything about having an accurate scope for your PCI Compliance Program, you know this is a process near and dear to me.
Without an accurate scope, how on earth do you even know what you’re supposed to assess?
The success of your PCI DSS Compliance program depends on how well you manage everything that’s in scope for PCI DSS assessment.
Here’s a few reasons why scope matters:
- You need to maintain an accurate asset inventory
- PCI DSS v4.0 Requirement 12.5.1 An inventory of system components that are in scope for PCI DSS, including a description of function/use, is maintained and kept current. (This maps to PCI DSS v3.2.1 Requirement 2.4)
- New Requirements for Scope Management
PCI DSS v4.0 Requirement 12.5.2 (NEW!!!): PCI DSS scope is documented and confirmed by the entity at least once every 12 months and upon significant change to the in-scope environment.
PCI DSS v4.0 Requirements 1.1.2; 2.1.2; 3.1.2; 4.1.2; 5.1.2; 6.1.2; 7.1.2; 8.1.2; 9.1.2; 10.1.2; 11.1.2 (NEW!!!): Roles and responsibilities for performing activities in [each requirement area] are documented, assigned, and understood
If you need help with your Scope, download our ultimate guidebook today!
Key PCI DSS Compliance Process #2: Targeted Risk Assessments
If you haven’t told your Risk team that their PCI DSS Compliance responsibilities will increase with v4.0, now is a good time to review what may be coming their way.
It’s important to note that Targeted Risks Assessments are best practice until March 2025. However, the sooner you get your Risk Assessment team onboard, the easier these will become. I highly recommend that you have this future dated requirement in place by the end of THIS YEAR.
Targeted Risk Assessments (TRA) are new to v4.0 and you’ll see them attached to requirements that give flexibility to how often an organization performs certain security and or compliance tasks. For example, requirement 5.2.3.1:
“Examine the entity’s targeted risk analysis for the frequency of periodic evaluations of system components identified as not at risk for malware…”
Another example, requirement 11.3.1.1
“Examine the entity’s targeted risk analysis that defines the risk for addressing all other applicable vulnerabilities (those not ranked as high-risk or critical per the entity’s vulnerability risk rankings at Requirement 6.3.1)”
Furthermore, all targeted risk analysis must follow PCI DSS v4.0 Requirement 12.3.1:
Each PCI DSS requirement that provides flexibility for how frequently it is performed (for example, requirements to be performed periodically) is supported by a documented targeted risk analysis.
We’ll be exploring this key PCI DSS Compliance process in an upcoming workshop.
Key Process #3: The Customized Approach
If you plan to use the customized approach to meet any of the PCI DSS Requirements, I strongly recommend that you proceed with caution.
The new customized approach for PCI DSS v4.0 is not the “woo hoo” you’ve been looking for.
No. It’s not a free pass to do whatever you want.
Sorry, it’s not a compliance time saver.
Nope, it’s not a compliance cost cutter either.
And it’s definitely not the same as a compensating control.
This key PCI DSS process is ONLY for organizations with a mature continuous compliance program.
Before you decide to use the customized approach, read the fun facts below.
If you’re a member of our PCI Resource Center, you can refer to the on demand course, “Decrypting PCI DSS Requirements” for 7 important facts about the customized approach.
Key Process #4: Items Noted For Improvement
If you’ve been flying by the seat of your PCI DSS Compliance pants, this new key process will have you getting your compliance ducks in a row.
There’s good news and bad news with this new process.
The good news is that it only applies to Level 1 merchants.
The bad news is that it only applies to Level 1 merchants.
Introduced by the PCI SSC on June 28, 2023, the Items Noted For Improvement (INFI) worksheet must accompany your annual Report on Compliance.
If your PCI Compliance program is in tip top shape, you’ve already been doing something like this. Your program operates in a state of continuous improvement.
However, the statistics from the annual Verizon Payment Security Report don’t lie. Most organizations struggle to maintain PCI Compliance after the ink’s dry on their RoC.
When it comes to the INFI, it’s far better for you to identify the security controls and processes you need to improve or remediate and then do it. This shows both your QSA and Acquirer that you take your PCI Compliance responsibilities seriously.
You can find everything you need to know about INFI here.
How Can We Help You Get These 4 Key PCI DSS Compliance Processes In Place?
We have several ways we can help you get these processes implemented by the end of 2023.
At Payment Card Assessments we’ve created the 3 Pillars of PCI Compliance Excellence. Whether you need help with one or all pillars, we’ve got your back.
