Compliance Management, GRC, CCM

How SureCloud Empowers Organizations in Transitioning to PCI DSS Version 4 Compliance

Written by

James Cullen, Peter Lane

Published on

12 Jul 2023


By SureCloud’s Principal Security Consultant James Cullen and Senior Consultant Peter Lane


It’s time for your organization to take action and transition to PCI DSS v4.0 compliance. The Payment Card Industry Data Security Standard (PCI DSS) has recently been updated to version 4.0, introducing significant changes to the standard. During the transition period, organizations can choose to be assessed against either the previous version, 3.2.1, or the new version, 4.0.

How long have I got left?

PCI DSS v4.0, released in March 2022, made significant changes to the standard to meet the evolving needs of the payment security sector. There is a greater focus on security as a continuous process and increased flexibility in how organizations meet the requirements.

PCI DSS v3.2.1 remains valid until 31 March 2024, after which it is retired and all assessments must be performed against v4.0. Note, too, that many of the new v4.0 requirements are designated as best practice until 31 March 2025, after which they become mandatory. It is therefore highly recommended that organizations begin their journey towards PCI DSS v4.0 as soon as possible.

[Figure: PCI DSS v4.0 transition timeline. Source: PCI Security Standards Council]

The importance of the transition period

The transition period has proven vital for organizations, allowing them to fully understand the new and updated requirements before implementing any necessary changes.


At SureCloud, we recognize the importance of this period and have been actively assisting clients in navigating the transition.


How can SureCloud help you?

To illustrate how SureCloud can help organizations during this shift, we present two case studies showcasing effective preparation strategies.


Case Study 1: National Service Provider in The Energy Sector

In this case study, a national service provider in the energy sector engaged SureCloud to assist in completing their Self-Assessment Questionnaire (SAQ). During the engagement, SureCloud consultants provided insights into the upcoming PCI DSS requirements for the following year and found that, although the client operated as a service provider, the nature of their environment meant that several requirements of the standard could be deemed ‘Not Applicable’, which is excellent news for any organization. However, for the requirements that remained ‘Applicable’, SureCloud’s experts identified that the introduction of PCI DSS v4.0 would likely increase the client’s requirements and obligations. To address this, SureCloud presented options and recommended moving to a hosted payment page, so that cardholder data is captured by the payment provider rather than on the client’s own systems. This reduces both the scope of the cardholder data environment and the number of requirements the client is obligated to meet.

This would likely incur a cost to the organization in the short term, but it would deliver long-term benefits such as:

  • Reduced effort required to meet the standard
  • Reduced consultancy costs, because less time is required for assessments
  • Improved security
  • Better protection of customers from fraud, identity theft and more

Additionally, the evolution in the methods an organization may use to comply presented an opportunity. The client’s Chief Information Security Officer (CISO) had grown frustrated with the limited ways in which penetration testing could be performed to satisfy the standard. The previous version, 3.2.1, only recognized formal penetration tests and left little room to use other kinds of testing and alternatives such as bug bounty programs.

On the other hand, the introduction of the Customized Approach in version 4.0 creates the opportunity for an organization with a mature and robust security posture to meet the intent (the stated objective) of a requirement in whatever way suits its business best. This flexibility comes with additional annual obligations: each customized control must be supported by a Targeted Risk Analysis (TRA) and documented evidence that the control is implemented and effective. Note also that the Customized Approach is only available to entities validating through a Report on Compliance with a QSA or ISA; it is not an option for entities completing an SAQ. To understand how to customize your approach to PCI DSS version 4.0 to best fit your company’s requirements, check out PCI DSS v4.0: The Customized Approach, where SureCloud dives into this topic.

Case Study 2: Global Sports and Entertainment Organization

In another case study, the CISO of a global sports and entertainment organization sought SureCloud’s help to manage their requirements within SureCloud’s GRC platform. The organization had followed a 12-month program to meet a whole host of PCI DSS requirements previously thought to be in scope for them. In parallel, SureCloud consultants performed a scope validation and gap assessment. This revealed that, thanks to some of the work already done, the organization had in fact de-scoped a huge part of its environment by adopting scope-reduction measures like the hosted payment page discussed in Case Study 1. Having done the ‘hard work’, they found that implementing the remaining controls came quite easily. Once they had successfully completed their first annual PCI assessment, it was suggested that they look at version 4 promptly and not delay implementing any new controls. One of SureCloud’s experts provided a workshop involving several stakeholders from key departments.

The workshop covered the following:

  • An overview of the new PCI DSS Version 4
  • The current position of where they are today in terms of control compliance
  • What would be the key differences, and what additional controls are applied to their scope


Following this workshop, a roadmap to compliance was created for the organization to follow and implement.


One of the objectives of PCI DSS version 4 is to promote continuous compliance, rather than a last-minute scramble to bring all the controls up to date before the auditor arrives once a year, followed by forgetting about them for another 12 months.

Watch our on-demand webinar

Learn how to embed PCI DSS 4.0 into your organization’s security compliance program and how to leverage technology to reduce your compliance burden, here.



To help with that, SureCloud consultants are providing three ‘check-in’ workshops throughout the year, as listed below:

  1. Provide guidance on how to implement the new controls within your organization
  2. Discuss any scope changes and check how the implementation is coming along
  3. Act as a pre-assessment, ensuring your organization has everything in place prior to the annual assessment, so that you enter the annual validation window knowing you are in the best possible position.

Take Advantage of SureCloud’s Expertise

If you think these check-in workshops may benefit your organization, or if your organization requires further support or advice on PCI DSS v4.0, contact SureCloud’s team of experts here. Additionally, learn more about combating e-commerce data skimming with PCI DSS v4.0 in our blog.

Alternatively, find out why SureCloud’s Compliance Services could be the perfect PCI Compliance Management solution for your business.