Compliance Unfiltered is TCT’s tell-it-like-it is podcast, dedicated to making compliance suck less. It’s a fresh, raw, uncut alternative for anyone who needs honest, reliable, compliance expertise with a sprinkling of personality.

Show Notes: PCI-DSS Version 4.0.1 Overview


Quick Take

On this episode of Compliance Unfiltered, Adam and Todd give an overview of the BRAND NEW PCI-DSS 4.0.1! The council has just released the most recent update and the CU guys have the listeners covered with a highlight reel of all the significant modifications!

For additional information, go to the TCT website shortcut; then click Resources and Blog on the top navigation; then search for the PCI-DSS 4.0.1 blog that we released on June 13, 2024. In that blog there’s a link to the PCI SSC document which fully details the summary of changes from 4.0 to 4.0.1.

Transcript

So let’s face it, managing compliance sucks. It’s complicated, it’s so hard to keep organized, and it requires a ton of expertise in order to survive the entire process. Welcome to Compliance Unfiltered, a podcast dedicated to making compliance suck less. Now, here’s your host, Todd Coshow, with Adam Goslin.

Well, welcome in to another edition of Compliance Unfiltered. I’m Todd Coshow, alongside the Paul Revere of your compliance revolution, Mr. Adam Goslin. How the heck are you, sir?

I’m doing great, Todd. How about yourself?

Man, I cannot complain. We’re out here spreading the good news, as it were, and in this case, we’re going to have a conversation about PCI DSS version 4.0.1. So on June 11th, Adam, the PCI SSC released version 4.0.1 of the PCI DSS. What should our listeners be mindful of here?

So when it comes to the latest update, the update was to PCI DSS v4. So that was just released. And I think it’s going to be a welcome change for organizations that need to comply. I reviewed their summary of changes that was issued by the PCI Security Standards Council. And I expect that version 4.0.1 is going to take some stress off of many companies’ shoulders as they’re navigating the waters. The update to the PCI DSS doesn’t add or remove any requirements. Instead, it was primarily focused around a secondary round of additional clarity based on various feedback that the council had received. They also did some correcting of some issues and errors that they had in the original 4.0 release. It seems anytime they release, especially when they release a new major version, it’s not uncommon to see them cycle back relatively quickly with kind of a round of changes from all the initial feedback that they received.

Well, can you give the listeners a highlight reel of, like, the most significant modifications we’ve seen?

Sure. So, you know, these are going to be kind of the most interesting changes, you know, as we go through the process. You know, of the various updates that were made under v4.0.1, the most significant ones are kind of contained in requirements 6, 8, and there’s a little bit in 12 as well. So, I’ll kind of go through those as part of this segment. You know, most of the remaining changes under 4.0.1 were clarifications, fixes to typographical errors, you know, things along those lines. So, under requirement 6, the Council had removed some language it had added for version 4, you know, specifically talking about the requirement that the requirement had applied to high security patches and updates. What they did is they took that language, ended up rolling it back to what they had under v3.2.1 just to make it a lot more clear. That requirement now indicates that it’s applying to critical vulnerabilities. Under, you know, requirement 6.4.3 had some added clarification about the inventory of the scripts that needs to be maintained and keeping up with written business and technical justifications for why those scripts were necessary. They also added several applicability notes to clarify how requirement 6.4.3 applies to an entity’s web page and to third-party payment processors’ embedded payment pages or forms. So, all of those changes under 6 are going to be helpful for those going through PCI DSS, you know, and especially with this kind of net new requirement, you know, in mind, that it’s going to help them out a lot. Under requirement 8, generally speaking, a lot of the clarifications improved guidance surrounding multi-factor authentication, or MFA. You know, they provided coherence about the applicability of the controls within the target environment depending on their configuration. So, for an example, MFA for non-administrative access to your cardholder data environment, you know, doesn’t apply to user accounts that are only authenticating with phishing-resistant authentication factors. There’s several clarifications around MFA, which will help organizations more clearly understand their obligations, what their obligations are and who those requirements apply to. The MFA applicability was kind of a big hot button, especially even from the early days of the PCI forward discussion. So it’s good to see them come back and provide some additional clarity there. In addition, under requirement 12, they’d implemented a number of changes surrounding the relationship between customers and third-party service providers. You know, at a high level, this has been a requirement for a long time, you know, but the messaging, you know, to those subject to compliance has continued to evolve. This update gives a lot more clarity about your relationship with your third-party providers, you know, who needs to be doing what, who needs to have which documentation, who needs to hold which contractual obligations and more. So again, that clarity will help the folks that are, you know, that are actively kind of going through PCI DSS 4.0.1.

Sure, now that’s a lot to ingest in a podcast.

So if the listeners wanna get a full review of the changes to review for themselves, how can they get those?

If they go to the TCT website, you can get to it with a shortcut: just open your browser, go to gettct.com, and that’ll redirect to the totalcompliancetracking.com site. The users are welcome to type all that in if they’d like, but click on Resources on the top nav. And then look for the PCI DSS 4.0.1 blog that we released on June 13th of ’24. In that blog, we’ve got a link to the PCI SSC document that details the summary of changes from 4.0 to 4.0.1. So they’ve got that capability to go in there and kind of connect to the full list, if they wish.

Sure, okay, well, that’s pretty cool.

Now, what are some of the frequently asked questions regarding the changes?

Well, one of the bigger ones is whenever they release a new version, they will set up a date. There’s normally a period of crossover, like right now we’ve got 4.0 and now we’re moving to 4.0.1. They usually have both of those running simultaneously. So in the same way, as is the case with this release of 4.0.1, PCI version 4.0 will officially be retired on December 31st of 2024. So after that point, anybody that is becoming compliant will certainly need to use PCI 4.0.1 as the standard under which they certify. The good news is the majority of the changes that they made under 4.0.1 aren’t going to be materially impactful for an organization if you’re already pursuing a v4 certification. The good news is that the TCT portal has the capability to easily port information from an existing 4.0 track to a 4.0.1 track. So the update really is no big deal if you’re a TCT portal customer. You can just send a quick note in to portal support, ask them to convert your track, and you’ll be off and running. But it’s just one of the ways that TCT tries to make life easier for people going through compliance.

Another frequently asked question: was there any impact to those requirements under 4.0 that had an effective date of March 31st of 2025? And the answer is no, those requirements haven’t changed in any way. Another common question: are there any new requirements under PCI DSS 4.0.1? No, there are no new requirements with this particular update. And the last big question, and this isn’t uncommon for them to do it this way, but when they released the 4.0.1 changes, they basically released the summary of changes, released the updated standard, but what they didn’t release was the templates for the 4.0.1 ROCs, SAQs, AOCs, etc., and that’s not uncommon, you know, so there’s no firm date on that yet, but according to the PCI SSC, they said that they’re targeting Q3 of this year. So we’ll expect that once the ROC, SAQ and AOC templates are all released, then probably following that, they’ll go in and make another round of updates to all the, you know, other supporting documents. So, you know, for the moment, TCT went in, we updated our PCI certification track so that organizations can leverage that in order to manage their compliance engagements, and once the updated templates have been released, then we’ll go ahead and just swap out the recording templates for, you know, ROCs, SAQs, AOCs, you know, once those become available. But, you know, you can rest assured, TCT will be keeping an eyeball open for those and be at the ready to go ahead and, you know, get those pushed up and onto the TCT portal.

Parting thoughts and shots for the folks this week, Adam.

Well, you know, the 4.0.1 update was issued June 11th, around one in the afternoon, Eastern, and within an hour, TCT had our hands on it. We were starting analysis of modifications and changes. In fact, I think you and a couple of folks on the team were on with our, had a product, Jon, when, you know, when that was released and, you know, got to go, you know, type of deal. And so, you know, we went through, reviewed those internally and set about deploying the updates for the PCI 4.0.1 track to the TCT portal. You know, the updates to the 4.0.1 track are done. They’re live for any of our TCT portal listeners already. But we basically, we knew we wanted to move fast with this update. TCT has a lot of clients that leverage the PCI DSS, you know, and certainly it’s our priority to be all over it whenever there’s, you know, changes in the PCI realm. You know, the reality is that we serve organizations that, you know, are across the whole breadth of compliance, you know, assessment firms, service providers, compliant organizations. So all of these, you know, organizations, you know, have, you know, themselves or clients and customers that are, you know, that are depending on them. And you add up all those various stakeholders and you’re literally looking at tens of thousands of organizations, you know, that are impacted by PCI compliance. So, you know, we just, we saw that as a huge responsibility of ours. You know, we have at TCT, you know, countless individuals that depend on us to, you know, serve them expediently and reliably, you know, as we go through, and we’ve kind of done that from, you know, from day one, you know, which we’ll continue to do. You know, that’s the reason we were, you know, primed and ready to go when, you know, when 4.0.1 was released. You know, we have clients that, you know, that need those updates quickly, you know, and we took that to heart. A lot of the times, especially the assessor firms, the minute these updates go out, they’re getting hammered with questions, and, hey, what about my engagement and things along those lines? So the faster that we were able to move, the faster we’re able to empower, you know, our clients to be able to handle the work that they do with our portal, with their customers. You know, we saw it from the start to make a compliance management tool that makes compliance management suck less for, you know, for everyone in the security and compliance space. So we’re just, we look at it as part of the job.

Absolutely, and that right there, that’s the good stuff. Well, that’s all the time we have for this episode of Compliance Unfiltered. I’m Todd Coshow, and I’m Adam Goslin. Hope we helped to get you fired up to make your compliance suck less.

Remember to follow us on LinkedIn and Twitter!
