Vector
Vector

Choose your topics

Blogs
How to Prioritize Your Third-Party Risks

How can you prioritize effectively and enhance your organization’s security posture? Here are our top tips for setting up realistic, sustainable processes.

Third-Party Risk Management GRC
Blogs
Top Tips to Save Time When Assessing Third-Party Risks

Is assessing third-party risks taking up too much of your time? How can you make the process more effective and efficient? Find out in the latest post from SureCloud.

Third-Party Risk Management GRC
Blogs
The GRC Trends to Look Out for in 2024

Our GRC experts at SureCloud share their 2024 predictions for the world of governance, risk and compliance.

GRC
Blogs
The Top 5 Challenges of Third-Party Risk Management

With the supply chain now seen as a legitimate attack path, what can your organization do? Let’s explore 5 challenges of TPRM and how to overcome them.

Third-Party Risk Management GRC
Blogs
What is Third-Party Risk Management?

What is third-party risk management and how should you approach it? Find out in this post.

Third-Party Risk Management GRC
Blogs
The Top 4 Challenges of Risk Management

What are the top four challenges of risk management today and how can you overcome them? Find out in this post from SureCloud.

Third-Party Risk Management GRC
Blogs
Transform Compliance into Your Competitive Advantage

In GRC, compliance is often viewed as a cost that makes it harder to pursue growth. Here's how to make it your competitive advantage.

Compliance Management GRC
Blogs
Questions You Should Ask when Preparing For Your First Pen Test

Understand the processes that you and your chosen pentest provider will travel through for your first pen test, from the initial point to the day the test starts.

Penetration Testing
Blogs
TPRM Blog 6-Writing Clear Questions

Our GRC Practice Director explores the importance of clear communication and how to achieve it in your third party questionnaires. Read more here.

Third-Party Risk Management GRC
Vector (7)
Vector-1
Compliance Management, Cyber Security

PCI DSS v4.0 – What do we know so far? (Spring 2020)

PCI DSS v4.0 – What do we know so far? (Spring 2020)
Written by

Craig Moores

Published on

20 Mar 2020

PCI DSS v4.0 – What do we know so far? (Spring 2020)

 
 

PCI 4.0 won’t be about for another year

PCI 4.0, the latest data security standard for credit cards won’t be around until 2021 and further to our last update, not a great deal of information has been coming out of the PCI Security Standards Council (SSC) regarding PCI DSS v4.0 – until the most recent all assessor webinar.

Indications are that v4.0 of the DSS (Data Security Standard) won’t be out in the wild for at least another 12 months. With a further request for change (RFC) expected later this year; following incorporation of feedback to the working draft of the DSS following the first RFC during late 2019.

Feedback directed mainly at the DSS itself

The PCI SSC is expected to remain largely tight-lipped on the feedback to be incorporated; however, they did share some statistics around the feedback received from the first RFC:

  • There was over 3000 comments on the DSS draft, provided by a little over 150 organisations.
  • Unsurprisingly, the majority of the feedback was directed at the DSS itself rather than the two supporting documents issued as part of the RFC (these focused on information relating to proposed customised validations).
  • Most feedback was provided by the US and Europe regions.
  • Again, unsurprising but most of the feedback related to areas of the DSS with more significant changes to requirements including cryptography, access controls and governance.

Don’t make business changes until the final PCI 4.0 release

The next steps from the SSC are really to review and consider all of the feedback, and prepare a summary to those organisations who provided comments. From there, the SSC will likely issue a further RFC later in 2020 to provide QSA, ASV and participating organisations a further opportunity to add any comments before considering a public draft.

There is likely to be a period of transition to the new DSS, which will provide organisations with plenty of time to prepare for any necessary changes. Due to the timelines indicated, the PCI SSC stressed the importance for organisations to wait for the final release of PCI DSS v4.0 before making any changes to business processes in response to the proposed changes to the Standard. At present, they are exactly that… proposed changes.

 

What can organisations be doing now?

As in previous blogs, my first piece of advice was for organisations to watch out for initial releases of the new version of the DSS, remembering that the responsibility for managing and maintaining PCI compliance sits with the merchant or service provider.

As such, organisations should ensure that the scope of their cardholder data environment (CDE) is accurate; this is the foundation for obtaining and maintaining PCI compliance. Remember – over time, business objectives change, and it can be easy to omit systems and services from the scope of PCI compliance. Whilst we’re still a little way from any new versions of the DSS, these can provide a great opportunity to review the scope of the CDE. Ensure that all those systems that store, process or transmit cardholder data, or can impact on the security of the CDE, are included and compliance requirements are clearly defined.

Finally, businesses should proactively update their compliance programmes with a focus on embedding security into the operations of an organisation – PCI compliance can be affected by the smallest of changes in the requirements applicable to the scope of your CDE so its important to keep an eye on information coming out of the SSC.

Moving forwards…

As new information is sent out by the SSC we’ll be letting you know as much as we can so please stay subscribed to keep up to date. Fill in the pop up form in the left hand corner to not miss an alert!

In the meantime – during this unique uncertain time

The PCI SSC Guidance for Remote Assessments and the Coronavirus

In light of the evolving global position with regards to the Coronavirus (COVID-19), the PCI SSC has published guidance for QSA Companies, PCI Participating Organisations, Merchants and Service Providers regarding its position on conducting PCI assessments remotely. As a SureCloud blog reader with an interest in PCI, I wanted to provide you with a link to the article and provide assurance that SureCloud has reviewed its assessment approach in line with this guidance to allow it to continue delivering PCI consultancy and assessment services during this period of uncertainty.

If you have any questions or would like to discuss further, please feel free to email me directly craig.moores@surecloud.com

About Craig

Craig is responsible for SureCloud’s Risk Advisory Practice including engagement scoping, consultancy delivery and client relationships. Craig has experience in leading and delivering complex cyber security solutions aligned to strategic business objectives. Craig has broad cyber security experience including a strong technical, software development and project management background, with particular strengths in the areas of information risk management, PCI DSS, strategic planning and business auditing.

About SureCloud

SureCloud is a provider of Gartner recognised GRC software and CREST accredited Cyber Security & Risk Advisory services. Whether buying products or services your organisation would benefit from automated workflows and insight from the award-winning SureCloud platform. All of SureCloud’s service offerings are fully compatible with the GRC suite of products enabling seamless integration of information, taking your risk programmes to the next level.