It’s hard to believe that a year has passed since PCI DSS version 4.0 was released as the new standard for the Payment Card Industry. That means the clock is ticking for organizations to meet the new controls when the current version, 3.2.1, sunsets on March 31, 2024.
Whether your business has already taken significant steps toward meeting the 12 revised controls in version 4.0, or is at the early stages, we’ve got you covered. Here’s how you can gauge if your enterprise is in the fastest lane toward compliance, and how to conquer two of the most significant revisions to PCI DSS since 2018.
PCI DSS 4.0: The Basics
As a refresher, PCI DSS 4.0 is the overhaul of the Payment Card Industry Data Security Standard that stores, online retailers, and every other organization that stores, processes, or transmits cardholder data is expected to follow. The much-anticipated version covers a broad range of security topics, including network configuration, data protection, internal controls, and policy development. Check out the Productivity Protected Podcast for details.
While US Federal law does not mandate these controls, failing to implement them can hurt an organization's bottom line and reputation in an era when regulators are watching closely. The payment card brands enforce the standard, and companies that are non-compliant can face fines and other penalties.
Adhering to PCI DSS also demonstrates that an enterprise is taking verifiable steps to reduce the vulnerabilities and risks to the cardholder data it is entrusted with. No organization wants to be in the headlines for the wrong reason, or to bear the cost of a data breach, which today averages $4.24 million.
Halfway and Counting
This halfway milestone is an opportune time to pull out the PCI DSS 4.0 standard and gather pertinent team members to review the requirements and determine where your organization stands today.
Which revised controls has your organization checked off and is confident it is meeting effectively? If assessors have been pleased with your progress toward compliance, take a moment to applaud your team for what was likely a heavy lift: more than 50 percent of organizations fail their interim PCI DSS validation assessment because of missing security controls. What goals, strategies, and timelines does your company have in place for reaching the finish line? What is blocking progress on any specific controls? Does your team have the right tools to master them? Who can your organization partner with to achieve compliance by March 31, 2024?
To illustrate how your organization can solve for even the most significant changes brought on by the new standard, here’s a closer look at ways to meet and maintain two of the requirements.
Discovering the Unexpected
One area of focus is cardholder data turning up where it is not expected. Requirement 12.10.7 requires incident response procedures that are initiated whenever stored PAN is detected anywhere it is not expected to be. The standard labels this a "best practice" until March 31, 2025, after which it becomes a firm requirement.
This raises a question for organizations: how do you alert on something you are not scanning for, and do it in real time?
Performing data discovery on a system or within an application every quarter, six months, or longer does not provide the assurance needed to meet the standard, whether your own or that of PCI DSS 4.0: any PAN that lands in a log file, export, or shared drive between two scans sits unprotected for the whole interval. Even though earlier versions of the standard did not call this out explicitly, the discovery of cardholder data in the wrong place should always be treated as a security incident, with the source identified and the data either securely deleted or brought into scope and protected.
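The two halves of the requirement above, continuous discovery and an incident raised when PAN is found outside the approved environment, are easy to confuse with a simple regex grep. The following is an added example written for this page, not PKWARE or PK Protect code: it scans constructed sample sources for PAN candidates, drops false positives with the Luhn check, masks every finding before it is reported, and emits an incident record only for sources that are not in the declared cardholder data environment. The source names, the CDE_SOURCES list, and the log and CSV lines are all made up for the example.

```python
from __future__ import annotations

import re
from dataclasses import dataclass, asdict

# Candidate PAN: 13-19 digits, optionally separated by single spaces or dashes,
# not embedded in a longer run of digits (the lookarounds reject e.g. 20-digit ids).
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn (mod 10) check used by all major card brands; cuts most false positives."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = ord(ch) - 48
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Never put a full PAN in an alert; keeping only the last four is always permitted."""
    return "*" * (len(digits) - 4) + digits[-4:]


@dataclass(frozen=True)
class PanFinding:
    source: str      # hypothetical "host:path" label for where the data was seen
    line_no: int
    masked_pan: str
    length: int


def scan_lines(source: str, lines: list[str]) -> list[PanFinding]:
    """Return every Luhn-valid PAN found in the given lines, masked."""
    findings = []
    for line_no, line in enumerate(lines, start=1):
        for match in PAN_CANDIDATE.finditer(line):
            digits = re.sub(r"[ -]", "", match.group())
            if 13 <= len(digits) <= 19 and luhn_valid(digits):
                findings.append(PanFinding(source, line_no, mask_pan(digits), len(digits)))
    return findings


def discover_out_of_scope_pan(sources: dict[str, list[str]], cde_sources: set[str]) -> list[dict]:
    """Scan all sources; raise an incident for PAN found anywhere outside the declared CDE.

    PAN inside the CDE is expected and is not an incident (it is still subject to
    the storage and protection requirements, which this example does not model).
    """
    incidents = []
    for source, lines in sources.items():
        findings = scan_lines(source, lines)
        if findings and source not in cde_sources:
            incidents.append({
                "severity": "high",
                "summary": f"stored PAN detected outside the CDE in {source}",
                "source": source,
                "count": len(findings),
                "findings": [asdict(f) for f in findings],
            })
    return incidents


# Constructed sample data. 4111111111111111 and 378282246310005 are well-known
# Luhn-valid test numbers; 1234567890123456 fails Luhn and must be ignored.
SAMPLE_SOURCES = {
    "payment-gw-01:/var/log/gateway.log": [
        "2024-01-12T10:01:33Z txn ok pan=4111111111111111 amount=19.99",
    ],
    "hr-share:/exports/expenses.csv": [
        "id,employee,card,amount",
        "1001,jdoe,4111 1111 1111 1111,59.00",
        "1002,asmith,378282246310005,120.50",
        "1003,bsmith,order-1234567890123456,8.00",
    ],
    "web-01:/var/log/nginx/access.log": [
        '10.0.0.5 - - [12/Jan/2024] "GET /health HTTP/1.1" 200 12',
    ],
}
CDE_SOURCES = {"payment-gw-01:/var/log/gateway.log"}   # hypothetical in-scope inventory

if __name__ == "__main__":
    for incident in discover_out_of_scope_pan(SAMPLE_SOURCES, CDE_SOURCES):
        print(incident["summary"], "->", [f["masked_pan"] for f in incident["findings"]])
```

Run against the sample data, the gateway log is in scope and produces no incident, the nginx log contains no PAN, and the HR export yields one high-severity incident with two masked findings. In practice the scan would be driven by file-change events or a log pipeline rather than a batch loop, and the incident dictionary would be posted to whatever ticketing or SIEM system the existing incident process already uses, so that the finding is handled like any other incident rather than as a compliance report.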
Making Scope Reviews Routine
Under the new standard, organizations will be expected to conduct scope reviews more frequently and to demonstrate that their controls are in place and effective. Requirement 12.5.2 requires that PCI DSS scope be documented and confirmed at least once every 12 months and, in addition, whenever a "significant change" is made to the in-scope environment. Service providers face a tighter cadence under 12.5.2.1, which calls for the same exercise at least every six months.
Version 4.0 also defines "significant change" more clearly, and by that definition such changes are commonplace in most organizations: adding servers, changing vendors, or making major software or hardware upgrades can all trigger a scope review.
Yet performing scope reviews at scale is challenging for many companies, which is why an automated scanning and protection platform matters. A quick review of a database is not enough to confirm that the scope is accurate and the data has been inventoried; cardholder data has a way of ending up in log files, exports, backups, and shared drives that nobody declared in scope. And if a company does not know where all of its cardholder data is, it cannot confirm that its scope is complete for an assessment.
Prepare for PCI DSS Version 4.0 with PKWARE
PCI DSS compliance isn't new; organizations have been practicing compliance with versions of the mandate since 2006. And for nearly as long, PKWARE solutions have been keeping enterprises informed about what, where, and whose data exists across their organization so they can easily maintain visibility and control of it.
With solutions like PK Protect, organizations can perform real-time discovery across many platforms, including all common user technologies, whether or not the organization considers the location part of its PCI scope. When data is discovered, the PK Protect platform lets organizations alert on sensitive data discovery. This allows data discovery events to be handled the same way security teams manage existing incidents, without new or additional applications or complexity.
With the deadline for complying with PCI DSS 4.0 now less than a year away, determining whether your organization is on the right path, and whether your team has the tools it needs to raise the security of its data and meet compliance more easily, will help make March 31, 2024 a day to celebrate rather than dread.
More than 90 percent of the organizations that use PKWARE solutions for PCI DSS compliance have maintained compliance for 5 – 10 years. You don’t have to do it alone. PKWARE can help. Request a demo to learn more.