The long-anticipated PCI DSS 4.0 update was released six months ago, and the PCI world is still buzzing over it. Not surprisingly, PCI 4.0 was the hottest topic at September’s 2022 North America Community Meeting in Toronto, Canada.
Things change in the security and compliance space over time. This major update is the PCI Council’s opportunity to integrate additional elements and keep PCI at the forefront of industry and technology trends.
But integrating 50+ brand-new requirements means there’s bound to be uncertainty and confusion about how those requirements play out.
QSAs often tell us that there isn’t complete consensus within their own teams about how to interpret the new items in PCI DSS 4.0. Here’s what QSAs told us at the PCI conference.
Interview Requirements Have Changed
One of the new changes involves how interviews are handled. For example, you no longer report the interviewee’s name. There is no place to note evidence of the interviews, either.
Instead, you fill out a table to declare that you’ve conducted the interviews and covered each of the topics. Then, as you go through the individual PCI requirements, you reference the specific interview that was related to each item.
Since there is no longer a place to note details of the interviews on each requirement, we believe that the Council expects QSAs to keep evidence such as work papers, interview notes, and recordings. You just don’t have to provide that confirmation in the ROC detail. You would only need to provide your work papers if the Council determines that there’s a reason to audit your firm.
There’s also a bit of confusion about the ROC itself. For example, how should you handle interviews with people who have multiple roles? The primary network administrator could also be the firewall administrator.
- Do you interview these people once and cover all of their roles, or do you need to hold separate interviews for each role?
- When you reference the interviews in the ROC, are you allowed to reference the same interview for multiple roles, or does each role require its own dedicated reference?
- If someone has four roles, do you need to have four separate entries?
There’s no clear direction at this time, but we can expect further clarification in the coming months.
Customized Approaches Are Now Allowed
Another major change is the new Customized Approach. This is intended for mature organizations that have been deemed compliant under PCI 3.2.1, but don’t quite fall in line with the defined approach that PCI has set for a particular item.
The organization has an established approach that meets the intent of the control, but may not have implemented it to the letter of the requirement in question. And because of the size of the organization, making procedural changes is no simple task.
The customized approach provides a way to show exactly how the organization meets the intent of the PCI requirement. This allows organizations to implement controls to meet a requirement’s stated Customized Approach Objective in a way that doesn’t strictly follow the defined requirement.
Because each customized implementation is different, there are no defined testing procedures. Assessors need to develop testing procedures that are appropriate to the specific implementation in order to validate that the implemented controls meet the stated objective.
This is a great concept, but it isn't a popular addition to the standard, because it requires a tremendous amount of work to go through a customized approach: for each customized control the entity has to document a controls matrix and a targeted risk analysis, and the assessor then has to design and document bespoke testing against them. Some believe it can be almost as time consuming as it would be to change the organization's processes. We'll see how it plays out.
The PCI Council Is On It
The PCI Council is listening to the input that QSAs are providing. Further changes are coming, which will make the standard easier to understand and use.
It’s typical for a governing body to issue a major release, gather feedback, and then issue several minor updates to the release. Likewise, we can expect to see PCI DSS 4.1 coming before long. The update will address many of the requests for implementation approach options and will spell out the new elements with greater clarity.
I would expect to see a fairly steady stream of incremental versions of the standard, not just a single update. With those versions, we’ll also receive FAQs and explanatory documents to help everyone better understand the new updates.
For the moment, word has it the Council is advising QSAs not to go full speed ahead with PCI 4.0 yet. That said, the major questions floating around tend to be related to procedure rather than functionality. That means TCT Portal’s PCI 4.0 certification is already robust enough to run an engagement whenever you’re ready.
TCT Portal Makes PCI 4.0 Easier to Use
From the perspective of compliance management software, TCT Portal is ready to rock and roll. The compliance software’s capabilities for PCI 4.0 include:
- Migrating evidence from overlapping requirements in v3.2.1
- Creating and linking Customized Approaches
- Quickly referencing evidence IDs from Section 6 while entering Reporting Instruction text
- Adding justifications for SOAF (Summary of Assessment Findings) items
- Automating SOAF tables in ROC and AOC
These key features are here to stay, and TCT Portal has addressed them since the day that PCI 4.0 was released.
And you can expect TCT to continually improve our compliance management software. New features are already roadmapped and we’ll be introducing new automation capabilities in the coming months — making your job more and more streamlined and pain-free.
Get a Head Start on PCI 4.0
PCI updates could be coming around the New Year. Until then, you may want to get a sense of your clients’ readiness for the transition to v4.0. TCT Portal can make that easy.
With our Live Linking capability, all of your client’s existing information can be automatically and instantly transferred over to PCI 4.0. It’s seamlessly mapped for you, so all you have to do is click the button and view your client’s readiness.
See the gaps, identify where they need additional evidence, and view what’s missing or incomplete. You’ll have a clear picture of the areas to prioritize when it’s time to start their transition.
Get PCI Clarity with TCT Portal
There may be confusion around the new changes to PCI 4.0, but one thing is clear: TCT Portal makes compliance management simple and straightforward. Starting from Day One, we have always welcomed suggestions and recommendations from clients.
As PCI 4.0 continues to receive new updates, you can count on TCT Portal to keep in step. It’s our commitment to provide the best possible experience for anyone who works with PCI 4.0.