April 5, 2022
PCI DSS version 4.0, first conceived in 2019 and refined through two unprecedented Request for Comment (RFC) periods, is finally being released in March 2022. Many companies may be unsure about when to migrate to the new version. Even though it is available, does your company need to validate under version 4.0 now, or is it still allowed to use version 3.2.1?
Historically, the PCI Security Standards Council (SSC) used a three-year lifecycle between versions. This allowed industry changes and feedback from council membership to be vetted and then integrated into each major release. The SSC also conducted interim updates (for example, from version 3.2 to 3.2.1) to address critical changes in the industry. Given the recent business adoption of technologies such as cloud and serverless computing, PCI DSS 4.0 has been developed to allow the standard and its requirements to evolve with current technology trends.
With each new version introduced, the SSC kept the previous version valid for 18 months prior to retirement. With version 4.0’s introduction, the existing version 3.2.1 will be valid, but is scheduled to sunset on March 31, 2024. Until that date, either PCI DSS version 3.2.1 or 4.0 can be used for assessments. With a two-year gap between release and mandatory assessment with 4.0, when does your company need to be ready? There’s plenty of time, right?
With the release of version 4.0, the standard has expanded to include new requirements for evolving technologies, with many existing requirements being updated, reworded or consolidated. Overall, the standard is adopting a new focus on strengthening security and maintaining compliance as an ongoing process. While many enterprises have adequate security controls in place to meet PCI DSS version 3.2.1, v4.0 may alter control requirements. Additional capital or operational expenditures may be required; CTOs and CISOs will need to forecast their budgets, address any additional overhead to cover these expenditures and begin planning for adoption in 2022.
Some enterprises may have sufficient risk and cybersecurity program maturity to be early 4.0 adopters. These organizations have a robust security approach and already incorporate PCI DSS controls into their technology initiatives, their management and operations teams, and their risk and incident response (IR) programs. This maturity would allow them to quickly adjust their environments to meet version 4.0.
Other enterprises manage PCI DSS controls sufficiently, but may lack the budget or personnel to quickly modify their environment for version 4.0. Budgeting, overhead, new technologies and process changes require adequate planning and time. The need to fully understand these business challenges is the reason for the 18-month extension of the previous version: businesses can carefully plan and incorporate the new PCI DSS requirements with minimal impact to production operations.
The first step is to obtain a copy of the PCI DSS 4.0 standard, along with the PCI DSS v4.0 Summary of Changes. The summary maps the differences between version 3.2.1 and 4.0, and covers changes to the structure or format, clarifications, guidance, evolving requirements and new requirements. New requirements are labeled for easy identification and are described in detail within the PCI DSS 4.0 standard document. This allows executive management, information security and product teams to begin analyzing how the new requirements will impact their environment. If a qualified security assessor (QSA) is used for annual PCI assessments, reach out to them for explanation of the changes in PCI DSS version 4.0 and the impacts to current credit card handling operations.
Planning challenges include not only the budgetary requirements for new technologies and their implementation, but also the updating of control standards, policies and procedures. Planning should also cover adequate staffing, skill sets and training to address these additional challenges, and these costs should be included in any budgetary forecasts. Internal security teams should examine and test existing security solutions, measuring them against the version 4.0 requirements and identifying any potential gaps. These teams should also weigh the new version 4.0 requirements against any planned technology initiatives, such as platform migration to the cloud or expanded use of encryption for handling cardholder data.
Early planning should illustrate the organization's cybersecurity strengths and maturity and will provide a roadmap for version 4.0 adoption. From there, the organization can decide between early adoption and an eventual migration prior to March 2024.
Optiv Security: Secure greatness.™
Optiv is the cyber advisory and solutions leader, delivering strategic and technical expertise to more than 7,000 companies across every major industry. We partner with organizations to advise, deploy and operate complete cybersecurity programs from strategy and managed security services to risk, integration and technology solutions. With clients at the center of our unmatched ecosystem of people, products, partners and programs, we accelerate business progress like no other company can. At Optiv, we manage cyber risk so you can secure your full potential. For more information, visit www.optiv.com.