Rather than worrying about the new PCI requirements, you can prepare for PCI DSS 4.0 by focusing on your current PCI DSS compliance efforts and choosing to think of 4.0 as a timely addition that will provide more defenses against developing attack methods.
The payments community has been waiting a long time to see what the next version of PCI DSS will be like. This week, the PCI Security Standards Council released the newest version, PCI DSS 4.0.
I think many of you have been worried that the standard will change a lot and that all your previous compliance efforts will not be enough anymore. Let's talk about it. I have seen some articles and blogs published on the web over the past few days and it feels like many are trying to spread a bit of fear by mentioning drastic changes coming in PCI DSS 4.0. I guess that is one way of getting people motivated to make security changes, but I would rather think of it in another way.
I have been involved with PCI DSS since the beginning--about 17 years ago--and yes, there have been changes to the standard over the years and compliance has gotten harder... you're welcome! Data security has not gotten easier. The standard has been evolving since the beginning and will continue to evolve to protect payment data. So, rather than painting a doom and gloom picture of things being added to the standard, I choose to think of it as a timely addition that will provide more defenses against developing attack methods.
Remember, for most organizations that have been PCI DSS compliant in the past, any changes in 4.0 will represent a delta to the efforts you are already making. It's not going to start you over from scratch. The other thing to remember is that additions included in PCI DSS 4.0 are “future dated” with plenty of time to learn, plan, and implement controls. Published schedules from the PCI Council have put full compliance with these new requirements clear out to 2025, so now is not the time to be worried. Focus on your continuing PCI DSS compliance efforts and things will be OK. The changes in 4.0 are good. Even though some will take some work, the end result will be worth it.
What can you do now to prepare for PCI DSS 4.0?
My biggest recommendation is to not put off your transition to PCI DSS 4.0 until the last second. You are being given plenty of time to make the required changes, so start learning and planning early. Remember, if you still need more help, there are plenty of skilled QSA companies out there that can provide you with guidance. Feel free to reach out to us early. We are all in this together. Just breathe... it's going to be OK.
Gary Glover has been conducting PCI DSS assessments for over 17 years and is the VP of Assessments at SecurityMetrics, Inc. See securitymetrics.com and never have a false sense of security.