Further to our last update, not a great deal of information has been coming out of the PCI SSC regarding PCI DSS v4.0 – until the most recent all-assessor webinar.
Unfortunately, there still isn’t a great deal of information for us to share; however, indications are that v4.0 of the DSS won’t be out in the wild for at least another 12 months, with a further request for change (RFC) expected later this year, following incorporation of the feedback received on the working draft of the DSS during the first RFC in late 2019.
The PCI SSC is expected to remain largely tight-lipped on the feedback to be incorporated; however, they did share some statistics around the feedback received from the first RFC:
The next steps for the SSC are to review and consider all of the feedback, and to prepare a summary for those organisations that provided comments. From there, the SSC will likely issue a further RFC later in 2020 to give QSAs, ASVs and Participating Organisations a further opportunity to add comments before a public draft is considered.
There is likely to be a period of transition to the new DSS, which will provide organisations with plenty of time to prepare for any necessary changes. Due to the timelines indicated, the PCI SSC stressed the importance for organisations to wait for the final release of PCI DSS v4.0 before making any changes to business processes in response to the proposed changes to the Standard. At present, they are exactly that… proposed changes.
As in previous blogs, my first piece of advice was for organisations to watch out for initial releases of the new version of the DSS, remembering that the responsibility for managing and maintaining PCI compliance sits with the merchant or service provider.
As such, organisations should ensure that the scope of their cardholder data environment (CDE) is accurate; this is the foundation for obtaining and maintaining PCI compliance. Remember – over time, business objectives change, and it can be easy to omit systems and services from the scope of PCI compliance. Whilst we’re still a little way from any new version of the DSS, the lead-up to it provides a great opportunity to review the scope of the CDE. Ensure that all systems that store, process or transmit cardholder data, or that can impact the security of the CDE, are included, and that the compliance requirements applying to them are clearly defined.
Finally, businesses should proactively update their compliance programmes with a focus on embedding security into the day-to-day operations of the organisation. PCI compliance can be affected by the smallest change in the requirements applicable to the scope of your CDE, so it’s important to keep an eye on information coming out of the SSC.
As new information is released by the SSC, we’ll let you know as much as we can, so please stay subscribed to keep up to date.
The PCI SSC Guidance for Remote Assessments and the Coronavirus
In light of the evolving global position with regards to the Coronavirus (COVID-19), the PCI SSC has published guidance for QSA Companies, PCI Participating Organisations, Merchants and Service Providers regarding its position on conducting PCI assessments remotely. As a SureCloud blog reader with an interest in PCI, I wanted to provide you with a link to the article and provide assurance that SureCloud has reviewed its assessment approach in line with this guidance to allow it to continue delivering PCI consultancy and assessment services during this period of uncertainty.
If you have any questions or would like to discuss further, please feel free to email me directly email@example.com
Craig is responsible for SureCloud’s Risk Advisory Practice including engagement scoping, consultancy delivery and client relationships. Craig has experience in leading and delivering complex cyber security solutions aligned to strategic business objectives. Craig has broad cyber security experience including a strong technical, software development and project management background, with particular strengths in the areas of information risk management, PCI DSS, strategic planning and business auditing.
SureCloud is a provider of Gartner recognised GRC software and CREST accredited Cyber Security & Risk Advisory services. Whether buying products or services your organisation would benefit from automated workflows and insight from the award-winning SureCloud platform. All of SureCloud’s service offerings are fully compatible with the GRC suite of products enabling seamless integration of information, taking your risk programmes to the next level.
SureCloud has now been approved as a Qualified Security Assessor (QSA) Company by the Payment Card Industry (PCI) Security Standard Council (SSC).