As with most deadlines, this one will be upon us quickly. It is important for your organization to regularly assess your compliance efforts and review upcoming changes to the DSS once they are released publicly.
However, even before the final updates for version 4.0 are released, there are still ways your organization can prepare. As with any compliance initiative, limiting scope (e.g., segmenting the network, not storing cardholder data) can reduce the burden of compliance. In addition, business-as-usual (BAU) controls can be burdensome if you do not have the right organizational alignment. A new version of the DSS represents the ideal time to revise payment processes to limit scope, realign your business roles and responsibilities, and reduce risk.
Another important step is to ensure you fully understand and document your payment processes. Lack of insight in this area has long been a hindrance to compliance for many organizations, as it is impossible to protect the cardholder data environment, or to justify an appropriate intent and outcomes-based control set, if you are unsure of its boundaries. Documenting data flows, network diagrams and processing activities serves as the foundation for compliance activities. In this way, preparing for version 4.0 is no different from preparing for any other version of the DSS.
Once version 4.0 is formally released, your organization can begin to benchmark against these new standards. If 2022 remains the expected date of compliance, 2021 will be the year to conduct readiness assessments and remediate gaps. A readiness assessment can help you identify the processes, technical controls, documentation and other security measures that will need to be adjusted to comply with version 4.0. That leaves 2020 as the ideal time to conduct working sessions on your organization’s PCI compliance philosophy and to draft intent and outcomes statements. Even if we do not have the final draft of version 4.0 until later this year, we do know that organizations will be required to document their risk-based decisions regarding payment processes, and that is something organizations should begin doing now.
Version 4.0 represents a significant shift in the way organizations can demonstrate compliance with the PCI DSS. Engaging RSM as your trusted advisor throughout this process can ease the transition and help your organization navigate these changes successfully while maximizing the value of your security compliance efforts in this and other areas.
1 See PCI DSS: Looking Ahead to Version 4.0 for more information.