The new standard allows entities to choose between a defined and customized approach to PCI DSS compliance:
Defined approach: The traditional approach used to comply with PCI DSS. An entity implements the specific security controls and requirements as defined in the published standard, after which an assessor follows the standard testing procedures to verify all requirements are met.
Customized approach: The new approach that allows entities to comply with PCI DSS using innovative approaches or technologies not strictly defined by the standard. As every entity’s customized approach is different, assessors will also need to develop unique testing procedures to verify the customized controls meet required objectives.
PCI DSS v4.0 also allows entities to take a hybrid approach, using the defined approach to meet some requirements and the customized approach to meet other requirements. Even a single requirement can be split across both approaches, as long as the overall security objective of the requirement is met. Note that some requirements explicitly can’t be met using the customized approach.
A customized approach is recommended for risk-mature entities that can effectively design, document, test, and maintain security controls to meet PCI DSS requirements. “Yes, they’re giving you a free hand to customize some controls, but you have to perform a risk analysis at least every 12 months that’s approved by senior management. You need to see what could go wrong and how you can fix it to still meet the control objective,” says Juthani.
6 steps to prepare for PCI DSS v4.0
The day PCI DSS v4.0 is fully enforced will be here in no time. The sooner you start to prepare for the new standard, the smoother it will be to achieve compliance. Follow these six steps to get your teams and systems ready for PCI DSS v4.0:
Step 1: Create a transition plan
A clear transition plan gives your team time to properly implement the controls needed for PCI DSS v4.0 compliance. Understand what the standard entails, assess the controls you have and don’t have in place, and determine the necessary resources and steps to address any gaps in your security posture.
Step 2: Review potential changes to scope
Even if you’re familiar with PCI DSS v3.2.1, there are several changes that come with the new standard. For example, Requirement 3 has been expanded to cover all account data, including PINs, card validation codes, and security-related information. Considerable changes like this make it critical to reevaluate the scope of your compliance operations.
Step 3: Conduct a people and process evaluation
PCI DSS v4.0 shifts security from being a point-in-time exercise to a continuous state of compliance. This involves engaging and training not just one team, but the entire organization to foster a security mindset. Everyone who deals with account data should understand the PCI DSS objectives, the requirements, and why specific controls are implemented in daily operations.
Step 4: Assign clear roles and responsibilities
The new standard requires anyone interacting with your cardholder data environment or account data to be assigned clear roles and responsibilities. These roles should further be defined, communicated, and acknowledged by the individual. Getting all stakeholders on the same page can clear up any confusion about the transition and contributes to passing your PCI DSS assessment.
Step 5 (Recommended): Validate your customized approach
If your organization chooses a customized approach, you need to ensure its controls can sufficiently meet PCI DSS objectives. A targeted risk analysis is required every 12 months to help determine how often a specific control or activity should be done to maintain a certain level of risk.
(A targeted risk analysis isn’t mandatory in the defined approach, but it is recommended to help entities identify appropriate risk and mitigation strategies.)
Step 6: Integrate PCI DSS into business-as-usual practices
“You don't want to only look at PCI when an audit period is coming up. PCI requirements and controls should be part of your business-as-usual activities and strategic discussions,” says Juthani. “If you’re going through controls every single day, they become part and parcel of your operations and help reduce the risk of security incidents and breaches.”
Fast-track to PCI DSS v4.0 compliance