PCI 4.0 is slated to be released in 2020, and we’re starting to get some sneak peeks at what to expect. Among the changes, it looks like the upgrade will allow companies to take a risk-based approach to the standard. For many organizations with a mature security and compliance program, the change will be a real treat. But it’s a treat that will come with a few tricks up its sleeve.
Currently, PCI requirements are highly prescriptive, with little to no wiggle room. If you can’t meet the letter of the law, you need to provide a compensating control to make up for it. You must still meet the requirement, even if you can’t do it in the prescribed way.
In the new version of the standard, organizations will be able to elect a risk-based approach instead of the prescriptive approach. This effectively lets you decide what level and style of implementation to use, based on the level of risk involved. It appears that the decision on the approach you take can be made at each requirement level.
The change frees organizations up to make their best judgments about how to proceed. But organizations and their assessment firms may need to think twice before proceeding. So what’s the catch?
Bad Choice for Organizations?
To head down the risk-based path, you need to have a thorough and robust risk approach, which hinges on the quality of your assessment of risk. For small and medium-size businesses, or organizations that don’t have a mature security and compliance program, that’s especially difficult to pull off. Inappropriate decisions to forge ahead will put the organization and its responsibility to protect sensitive data in danger.
That kind of mistake could open you up to costly and public litigation. Someone else could come along and pick away to find factors that you didn’t account for. You don’t want to be forced to justify your position on your risk assessment, which could involve subjective reviews and findings.
If you have an assessment firm engaging with you, they may be fully qualified to tackle this new approach to PCI, but simply having an assessment firm won’t firmly shield you from the risk either. Did you introduce the assessment firm to every element, business process, and data flow that’s in play? If not, you could be exposed to problems you didn’t anticipate.
Most assessment firms turn the risk back onto the client by requiring them to sign off that everything they provided is accurate and complete. The assessment firm may be shielded, but the organization could be left exposed.
Tricky Issues for Assessors
For assessment firms, the underlying scope of each engagement is critical. It’s possible to forget about certain systems, and you may not even know about them because you were never told. If you choose to take a risk-based approach to a requirement that has a system you overlooked, it could create real trouble for your client.
Keep your eyes and ears open as you go through the engagement. Look for the gaps that didn’t get addressed up front — hints of missing scope.
For example, when you’re looking at the inventory, you may see items that weren’t allocated on other elements of documentation, such as the network diagram. You’ve got a potential system that wasn’t folded in. You’ll need to figure out what this thing is doing, and what it’s business function is.
Your client may forget to put an item on their inventory, but if that item is communicating with anything in the environment, they’ll have something in their firewall rules that shows the traffic exists.
I recommend cross-referencing the network diagram, firewall rules, inventory, and data flow. Bounce them up against one another to see if anything is missing on any of the documents. If anything has been overlooked, you’ll spot it on those particular documents. It’s a great way to ensure that you have everything covered.
PCI 4.0 Can Be a Treat, If…
The flexibility of PCI 4.0 will create new opportunities for businesses to get what they want out of the standard, but it’s not for every company. Large, seasoned companies that have plenty of experience and resources may opt to take advantage of the risk-based approach. It may look like a nice treat to smaller companies, but it could trick them into a costly result.
Get more insider content delivered to your inbox. Subscribe to the blog below.
