The asteroid that wiped out all of the dinosaurs on earth was only 10-15 kilometers wide. Globally speaking, that’s minuscule. But that tiny rock had an impact that changed the course of history.
PCI DSS 4.0 is the next little asteroid coming our way, and it’s aiming for your organization. If you haven’t started thinking about how it will impact your company, it’s time to take stock.
Whether you’re using a hodgepodge of spreadsheets or a homegrown compliance management system that you developed internally, you have some major retooling on your To Do list. Like an asteroid, updating your system might not seem like a big deal right now, but the shockwaves will be felt for years.
Before we tackle the task of retooling your compliance tracking system, let’s take a high-level look at the rollout of PCI 4.0.
The PCI 4.0 Update Will Come in Waves
It’s been eight years since the last major version of PCI was released, so there will be several fundamental modifications coming in version 4.0. Because of that, the PCI update won’t be a one-and-done switchover.
Instead, it’s going to come in waves. There will be a round of changes in March 2022, and a release of public reporting and documentation several months later. Training for Assessors should start in June. Expect another round of changes coming after that — likely, multiple rounds of changes.
That rollout has implications for the adjustments you need to make to your own system. You won’t be able to just set it and forget it. There are bound to be several iterative versions of the 4.0 standard coming. Every time, you’re in for more wasted time retooling and updating.
Preparing to Retool Your Compliance System
It would be great if you could get ahead of the curve and start retooling your system now, but no one knows what PCI 4.0 will look like — and we won’t know until it’s released. You’ll have to wait until the rollout, then go in and take a look at it and start learning the new version. Before you can begin retooling your compliance tracking system, you’ll need to understand what it is you’re aligning it with.
The onus is on your internal point person to understand PCI 4.0 and to have a certain level of insight to understand how the changes are applied. That level of understanding won’t come with a quick Google search.
When you originally set up your compliance tracking system, the existing version of PCI at the time was already mature — there was a wealth of resources you could turn to when you had questions. But v4.0 will be new for everybody. You won’t have industry knowledge or best practices to help you interpret the new requirements.
On top of that, the published list of changes from the PCI Council may only include major and moderate modifications. Minor changes may not be included in the list, which means you should plan to go through the entire PCI standard with a fine-toothed comb.
Retooling Your Compliance Tracking System for PCI 4.0
If you’re using a manual spreadsheet-based system, you’ll need to completely reformat your spreadsheets. All of the PCI references you extracted before (requirement numbers, descriptions, and everything else) will have to be extracted all over again. You’ll also have to completely reorganize your file storage system to match PCI 4.0 formatting.
That’s a lot of work. It will involve going through v4.0 line item by line item, comparing it to v3.2.1, noting every change, and figuring out how to adjust your spreadsheets and your storage system appropriately. It will be up to some poor soul to monitor the status of the project, to know who’s doing what, and to be in the center of the storm to get everything updated in time.
If you have a compliance management system that you’ve developed internally, you have the same problems as a company with a spreadsheet-based system — and then some.
Overhauling your homegrown compliance software means pulling some of the most expensive resources within your organization — the developers — and dropping them onto a side project for an extended period of time. That’s time that they can’t devote towards business priorities such as product development or billable projects.
Every time another wave of updates comes along, you’ll need to go back to the drawing board, take a look at what’s changed, and retool again. Your updated system could be in continual development for years.
The underlying costs of internal development are expensive. Do you want to spend those dollars on rewriting the system, or on taking care of your clients?
Avoid Retooling Altogether
If you switch to TCT Portal, you won’t have to do any retooling for PCI 4.0. All of the mappings from 3.2.1 to 4.0 will be automatically implemented for you. Migrating your data from a 3.2.1 track to the 4.0 track will be very straightforward, and we’ll help you with any unique needs you might have.
Getting started with TCT Portal is easier than you might think. From signed contract to implementation, once we have the setup information in hand, we can usually have your organization up and running in less than one business day.
TCT was founded on the principle that managing compliance shouldn’t suck and we love helping people. We made a commitment to our customers at the very outset that we would do everything in our power to simplify and streamline the process of compliance management.
So, when PCI 4.0 is released — and when the waves of subsequent versions come along — you won’t have to lift a finger or pull anyone away from their core responsibilities. You won’t even need to collect all of the guidance explanations together before you start working under it. TCT Portal will make PCI 4.0 manageable from the first day.
That asteroid coming your way? Not such a big deal after all.