
Prepare for PCI DSS v4.0

Start early with a collaborative effort for a successful transition to the new version of the PCI DSS.

  • Complying with new PCI DSS requirements will require significant resources.
  • It is unclear how the new PCI DSS requirements will impact your IT environment and business procedures.
  • Not meeting compliance obligations will jeopardize trusted relationships.

Our Advice

Critical Insight

  • Your PCI compliance program needs to evolve to meet constantly evolving or new requirements.
  • It is best to collaborate, start early, and prioritize tasks and initiatives in a way that takes advantage of the PCI DSS v4.0 transition timeline.

Impact and Result

  • This approach is a straightforward guide to transitioning from PCI DSS v3.2.1 to v4.0, and is built on the following phases:
    • Defining and documenting the scope
    • Performing a gap analysis
    • Prioritizing and completing tasks and initiatives
    • Confirming gaps have been closed

Prepare for PCI DSS v4.0 Research & Tools

1. Prepare for PCI DSS v4.0

This storyboard describes the necessary steps to transition from PCI DSS v3.2.1 to v4.0, allowing the member to develop their own navigable road map for driving the transition.


Member Testimonials

After each Info-Tech experience, we ask our members to quantify the real-time savings, monetary impact, and project improvements our research helped them achieve. See our top member experiences for this blueprint and what our clients have to say.

Overall Impact: 8.0/10
Average $ Saved: $2,000
Average Days Saved: 1

Client        Experience              Impact   $ Saved   Days Saved
CPA Alberta   Guided Implementation   8/10     $2,000    1



Analyst Perspective

“…organization will set you free.”

Alton Brown


As the threat landscape shifts and risks to organizations evolve, so too must security standards to effectively address current and relevant risks.

To that end, the Payment Card Industry Security Standards Council has released version 4.0 of the Data Security Standard, the first major release since 2013. The changes are significant and may be onerous, even for entities that are compliant with PCI DSS version 3.2.1. One of the goals of the new version of the PCI DSS is to “promote security as a continuous process,” and even though the effort to comply with updated and new requirements may be high, doing so will improve the information security posture of a compliant organization.

There may be a lot of work to do but given the generous three-year timeline between the publishing of the new standard and the date all new and updated controls become effective, there is time to tackle the effort in manageable chunks.

Bob Wilson, CISSP
Research Advisor, Security and Privacy

Info-Tech Research Group

Executive Summary

Your Challenge

  • Complying with the new PCI obligations will require significant resources; you must create a cost-effective plan to minimize business and IT operational impact.
  • It is unclear how the complexity of new PCI DSS requirements will impact your IT environment and business procedures.
  • Not meeting compliance obligations will jeopardize already trusted relationships with customers and business partners.

Common Obstacles

  • PCI DSS compliance goes beyond IT and requires participation from all business divisions.
  • Compliance may require drastic changes to existing business processes.
  • The full scope of the cardholder data environment may not be readily apparent.

Info-Tech’s Approach

  • Info-Tech’s approach to facilitating a transition from the previous version of the PCI DSS to the newest version borrows from previous research.
  • This approach assumes, as a starting point, that the entity is already compliant with PCI DSS v3.2.1, and proceeds by:
    • Initiating the transition effort.
    • Defining and documenting the scope.
    • Performing a gap analysis.
    • Prioritizing and completing tasks and initiatives.
    • Confirming gaps have been closed.

Info-Tech Insight

Your PCI compliance program must evolve to meet constantly evolving or new requirements.

It is best to collaborate, start early, and prioritize tasks and initiatives in a way that takes advantage of the PCI DSS v4.0 transition timeline.

PCI DSS Overview

The Payment Card Industry Security Standards Council (PCI SSC) is a global forum that brings together payments industry stakeholders to develop and drive adoption of data security standards and resources for safe payments worldwide.

The PCI Data Security Standard (PCI DSS) is a global standard that provides a baseline of technical and operational requirements designed to protect payment data. PCI DSS v4.0 is the next evolution of the standard.

Build and Maintain a Secure Network and Systems

1. Install and maintain network security controls

2. Apply secure configurations to all components

Protect Account Data

3. Protect stored account data

4. Protect cardholder data with strong cryptography

Maintain a Vulnerability Management Program

5. Protect all systems and networks from malicious software

6. Develop and maintain secure systems and software

Implement Strong Access Control Measures

7. Restrict access by business need to know

8. Identify users and authenticate access to components

9. Restrict physical access to cardholder data

Regularly Monitor and Test Networks

10. Log and monitor all access

11. Test security systems and networks regularly

Maintain an Information Security Policy

12. Support information security with organizational policies and programs

The 4 goals of PCI DSS v4.0

Continue to meet the security needs of the payments industry.

Promote security as a continuous process.

Flexibility for entities to achieve security objectives.

Enhance validation methods and procedures.

  • Expanded multi-factor authentication and password requirements.
  • New e-commerce and phishing requirements to address ongoing threats.
  • Clearly assigned roles and responsibilities.
  • Added guidance on how to implement and maintain security.
  • Reporting option to highlight areas for improvement.
  • Allowance of group, shared, and generic accounts.
  • Targeted risk analyses empower organizations to establish frequencies for performing certain activities.
  • Increased alignment between information reported in a Report on Compliance or Self-Assessment Questionnaire and information summarized in an Attestation of Compliance.

What’s different?

Different Approaches

Entities may choose the defined approach, in which requirements are implemented as described in the PCI DSS, or a customized approach, in which entities implement controls in a way that meets the requirement objectives.

Security as a Process

Version 4.0 of the PCI DSS focuses on promoting data security as a constant process, rather than a periodic event. There are requirements to monitor the effectiveness of controls as part of a Business as Usual process.

Evolved Requirements

Requirements were updated or added to address current risks and technologies. Some changes in language better accommodate cloud services.

The types of changes

Evolving requirement - Changes to ensure that the standard is up-to-date with emerging threats and technologies, and changes in the payment industry. Examples include new or modified requirements or testing procedures, or the removal of a requirement.

Clarification or guidance - Updates to wording, explanation, definition, additional guidance, and/or instruction to increase understanding or provide further information or guidance on a particular topic.

Structure or format - Reorganization of content, including combining, separating, and renumbering of requirements to align content.

New Requirements

New requirements were added

A total of 64 requirements have been added to version 4.0 of the PCI DSS.

New requirements become effective March 31, 2024

The remaining 51 new requirements are considered best practice until March 31, 2025, at which point they will become effective.

New requirements only for service providers

11 of the new requirements are applicable only to entities that provide third-party services to merchants.

PCI DSS v4.0 transition timeline

[Figure: example PCI DSS v4.0 transition timeline]

A transition strategy

[Figure: example transition strategy]

The Info-Tech difference:

  1. A focus on compliance as a business issue, rather than an IT issue, ensures impacts to business processes can be recognized and everyone understands their role in compliance.
  2. Properly defining the scope for PCI DSS and reducing the scope where possible reduces the effort needed to maintain compliance.
  3. Prioritizing gap remediation will make compliance efforts more efficient and will result in tangible successes delivered in an appropriate timeframe.

PCI DSS v4 compliance road map

  1. Transition kick-off: Formally kick off the process of transitioning to PCI DSS v4.0.
  2. Document and define scope: Determine the boundaries and components of your cardholder data environment (CDE).
  3. Perform gap analysis: Complete the Self-Assessment Questionnaire (SAQ) to determine gaps, or engage a third party.
  4. Remediate gaps: Prioritize, plan, and execute tasks and initiatives that will close gaps.
  5. Confirm remediations: Revisit the SAQ and check that gaps have been closed.

1. Transition kick-off

Officially kick off the effort to transition from v3.2.1 to v4.0

Activities

  1. Communicate the need for change to senior leadership and secure their support.
  2. Communicate the need for change to your organization.
  3. Identify a person or group of people responsible for driving the project:
    1. A small committee representing all relevant business components is highly recommended.
    2. Assign roles and responsibilities.
  4. Review the PCI DSS v4 and become familiar with the requirements and objectives.
  5. Engage with your QSA for guidance.

Info-Tech Insight

Documentation is one of the most important activities in this effort. Be sure to capture details of your communications, scoping, and plans.

Info-Tech Insight

Compliance with the PCI DSS is a business issue and can only be achieved with participation across all business units.

Outcomes of this step

  • A mandate for change by senior leadership
  • A group of individuals from different business components that will drive the transition

2. Document and define scope

Determine the boundaries and components of the cardholder data environment

Activities

  1. Identify all components and systems that may store, process, or transmit cardholder data (CHD) or sensitive authentication data (SAD).
  2. Produce a logical map of the cardholder data environment (CDE). Include:
    1. All components that may transmit, store, or process CHD/SAD.
    2. System and network boundaries.
    3. Traffic flows and connections to other systems or third parties.
  3. Reduce scope, if possible.
    1. Segregate your CDE and non-CDE systems.
    2. Eliminate the handling of CHD/SAD where possible.

Info-Tech Insight

Segmentation can significantly decrease the burden of compliance by reducing the size of the environment to which the PCI DSS is applicable.

Info-Tech Insight

Requirement 12.5.2 (effective March 2024) states the entity must document and confirm PCI DSS scope at least once a year or on significant change.

Outcomes of this step

  • Documentation of your cardholder data environment.
  • Catalog of systems and devices.

Defining scope

Category 1: CDE

  • System components that process, store, or transmit CHD/SAD.
  • System components that have uncontrolled access to systems that process, store, or transmit CHD/SAD.

Category 2: CDE adjacent

  • System components that provide security services (e.g. remote access/Firewalls/IPS/etc.) to Cat 1 systems.
  • System components that can initiate controlled connections with Cat 1 systems.
  • System components that can only receive controlled connections from Cat 1 systems.
  • System components which, through indirect and controlled access, can administer Cat 1 systems.

Category 3: Everything else

Systems that do NOT store, process, or transmit any CHD/SAD and are isolated from Category 1 and Category 2 systems
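An added example, not part of the blueprint, that applies the three scoping categories above to a constructed system inventory. The `System` fields and all system names are hypothetical, and it goes one step beyond the text by applying the uncontrolled-access rule transitively: a system with unrestricted connectivity into any Category 1 system is itself Category 1, not only one with access to a CHD-handling system.

```python
from dataclasses import dataclass, field


@dataclass
class System:
    # Hypothetical inventory record; each set holds names of other systems.
    name: str
    handles_chd: bool = False                                   # stores, processes or transmits CHD/SAD
    uncontrolled_access_to: set = field(default_factory=set)    # unrestricted connectivity into
    security_service_for: set = field(default_factory=set)      # firewall/IPS/remote access protecting
    initiates_controlled_to: set = field(default_factory=set)   # opens filtered connections to
    receives_controlled_from: set = field(default_factory=set)  # only accepts filtered connections from
    administers_indirectly: set = field(default_factory=set)    # controlled admin path (e.g. jump host)


def classify(systems):
    """Return {name: category} using the Category 1/2/3 scoping rules."""
    names = {s.name for s in systems}
    for s in systems:
        refs = (s.uncontrolled_access_to | s.security_service_for | s.initiates_controlled_to
                | s.receives_controlled_from | s.administers_indirectly)
        if refs - names:  # a dangling reference means the inventory is incomplete
            raise ValueError(f"{s.name} references systems not in inventory: {sorted(refs - names)}")
    # Category 1: handles CHD/SAD, or has uncontrolled access into a Category 1 system.
    # Assumption: the uncontrolled-access rule is applied transitively, so iterate to a fixed point.
    cat1 = {s.name for s in systems if s.handles_chd}
    grew = True
    while grew:
        before = len(cat1)
        cat1 |= {s.name for s in systems if s.uncontrolled_access_to & cat1}
        grew = len(cat1) > before
    # Category 2: protects, connects to/from, or indirectly administers a Category 1 system.
    cat2 = set()
    for s in systems:
        links = (s.security_service_for | s.initiates_controlled_to
                 | s.receives_controlled_from | s.administers_indirectly)
        if s.name not in cat1 and links & cat1:
            cat2.add(s.name)
    # Category 3: everything else, isolated from Category 1 and 2 systems.
    return {s.name: 1 if s.name in cat1 else 2 if s.name in cat2 else 3 for s in systems}


# Constructed sample inventory (hypothetical names).
SAMPLE_INVENTORY = [
    System("payment-db", handles_chd=True),
    System("pos-terminal", handles_chd=True),
    System("legacy-share", uncontrolled_access_to={"payment-db"}),     # pulled into Category 1
    System("intranet-wiki", uncontrolled_access_to={"legacy-share"}),  # transitively Category 1
    System("cde-firewall", security_service_for={"payment-db", "pos-terminal"}),
    System("jump-host", administers_indirectly={"payment-db"}),
    System("log-collector", receives_controlled_from={"payment-db"}),
    System("hr-portal"),                                               # isolated: Category 3
]

if __name__ == "__main__":
    for name, cat in sorted(classify(SAMPLE_INVENTORY).items(), key=lambda kv: kv[1]):
        print(f"Category {cat}: {name}")
```

Systems that land in Category 1 only through an uncontrolled path (here `legacy-share` and `intranet-wiki`) are the scope-reduction candidates: segmenting them turns them into Category 2 or 3.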

3. Perform gap analysis

Do a gap analysis in-house or engage with a third party.

Activities

  1. Decide if the gap analysis will be performed in-house or by a third party.
  2. If the decision is to perform the gap analysis in-house, choose the appropriate SAQ for your organization and complete it.
    1. It will be helpful to refer to the previous SAQ.
  3. Compile a list of requirement gaps that will need to be closed.

Info-Tech Insight

Be careful about engaging your QSA for your gap analysis. Using the same assessor and auditor is not ideal.

Info-Tech Insight

The “Build a Security Compliance Program” blueprint can provide guidance and tools that will help you establish an effective compliance program.


Outcomes of this step

  • A list of gaps that need to be closed

4. Remediate gaps

Prioritize, plan, and execute tasks and initiatives that will close gaps

Activities

  1. Develop a Plan of Actions and Milestones to remediate each identified gap.
    1. Decide whether you will follow a defined or customized approach.
    2. Perform a targeted risk analysis for all customized requirements and any defined requirement that allows for flexibility in its frequency.
  2. Prioritize your Plan of Actions based on the following factors: risk, effort, and timeline.
  3. Document your Prioritized Plan of Actions and Milestones.
  4. Execute plans.

Info-Tech Insight

If a strategy for a gap remediation is to follow a customized approach, don’t forget to document the risk assessment for that requirement!

Info-Tech Insight

Go for the “low hanging fruit” for quick wins. Prioritize remediations that can happen very quickly with little to no effort or cost.

Outcomes of this step

  • A prioritized Plan of Actions and Milestones

5. Confirm remediation

Check your remediations to ensure they are effective.

Activities

  1. Confirm the documented scope
    1. If there were changes to the scope of the cardholder data environment, the scope documentation must be updated to reflect changes.
  2. Revisit the Self-Assessment Questionnaire or documented results of your gap analysis (see Step 3).
  3. Re-evaluate the gaps.
  4. Compile a list of requirement gaps that still need to be closed and carry results back to Step 4.

Info-Tech Insight

The scope documentation must be updated anytime there are major changes to the CDE.

Info-Tech Insight

The new PCI DSS will require additional cost and effort; however, it will also improve the security posture of an organization.

Outcomes of this step

  • A completed SAQ.
  • Updated scoping documentation, in the event remediations generated changes to the CDE.

Related Info-Tech Research


Build a Security Compliance Program

This project will guide you through the steps to establishing an effective Security Compliance Program capable of addressing complex requirements of any compliance framework.


Build an Information Security Strategy

This project will guide you through the steps to develop and implement an effective Information Security Strategy.

Bibliography

Contributor:

  • Sean D. Goodwin, GSE, Manager, DenSecure by Wolf & Company, P.C.

Sources:

“At a Glance: PCI DSS v4.0.” PCI Security Standards Council, LLC, March 2022. Accessed 6 Sep. 2022.
“Payment Card Industry Data Security Standard Requirements and Testing Procedures Version 4.0.” PCI Security Standards Council, LLC, March 2022. Accessed 13 Sep. 2022.
“Summary of Changes from PCI DSS Version 3.2.1 to 4.0.” PCI Security Standards Council, LLC, March 2022. Accessed 6 Sep. 2022.

About Info-Tech

Info-Tech Research Group is the world’s fastest-growing information technology research and advisory company, proudly serving over 30,000 IT professionals.

We produce unbiased and highly relevant research to help CIOs and IT leaders make strategic, timely, and well-informed decisions. We partner closely with IT teams to provide everything they need, from actionable tools to analyst guidance, ensuring they deliver measurable results for their organizations.


What Is a Blueprint?

A blueprint is designed to be a roadmap, containing a methodology and the tools and templates you need to solve your IT problems.

Each blueprint can be accompanied by a Guided Implementation that provides you access to our world-class analysts to help you get through the project.


Authors

Bob Wilson

Petar Hristov
