If the idea of getting ready for PCI DSS v4.0 is stressing you out, you don't want to miss this webinar.
SecurityMetrics VP of Assessments, Gary Glover, and SecurityMetrics Principal Security Analyst, Michael Simpson, will discuss:
This webinar was given on July 21, 2023.
Well, welcome, everybody, to our broadcast today. We hope you'll get a little bit out of this discussion between myself and one of our skilled QSAs here at SecurityMetrics.
So we're going to be talking a little bit about PCI DSS 4.0 and what the latest is on the transition to that standard: how people are preparing, what's helped, what's not helped, what kinds of things are working, and how they're being successful as they move to validation of compliance.
For those of you who don't know, my name is Gary Glover, and I'm the VP of Assessments here at SecurityMetrics. And I am pleased to have with me today Mr. Michael Simpson, one of our team leads and a principal security analyst here at SecurityMetrics.
And interestingly, he is the guy who has done almost all the 4.0 audits for SecurityMetrics so far. So he is one of the most skilled people on the planet at this point in doing PCI 4.0 assessments.
We'll talk about how many we think are happening out there a little bit later, and then you'll know how much more important Mike's numbers are.
So I think we both have a few topics, Mike, that we want to cover and discuss today. And, you know, I'm excited to get into this topic. I know it's something that people are really worried about and wondering about. I hope that we'll be able to say a few things that will help people along the way.
And as always, feel free to forward questions to us through whatever means are made available through the webinar, and we'll take care of some of those questions. We'll do some of them at the end of this webinar, and for others we can probably work out how to get those answers to you later. Or just keep watching our content, because we usually answer lots of questions. So the first thing I really want to talk about, I think, is how the 4.0 adoption is really going out there.
And I think the main thing I want everybody out there to be thinking about is how important it is to probably not put it off. Here's some of what we've heard on the grapevine from other QSAs out there about the number of 4.0 assessments that are going on. As I mentioned, we've done five or so of these. And when I was with a group of QSAs a couple of months ago, that really was the same number pretty much every company is doing.
So, you know, when we're doing a whole lot every month, to just have five since... when was it, Mike, that it came out? Was it April of 2022?
April of 2022, I think, is when the PCI standard was actually introduced and they said, here's the kickoff of 4.0.
So that's over eighteen months, about. Right?
Probably pretty close to that. And, you know, here we are. We've done a handful. And most of the other QSAs are saying the same thing: we've done a handful of these assessments. So so far in the industry, the adoption rate is just a little bit lower, I think, than what they were expecting.
I don't know that that says there's something wrong with the standard. I think everybody is just kind of waiting. I don't know if you have any thoughts on that or what your observations have been as you've talked with people.
Yeah. I mean, I think part of it is client driven, and part of it might be QSA driven. So unlike other standard changes in the past, with the 4.0 standard the QSA has to go through specific 4.0 training and pass that before they can even perform a PCI version 4 assessment. So it may be that some QSAs are not ready yet to handle a 4.0 assessment.
And then there are, I'm sure, some companies that are hesitant to adopt the new standard because they know they're compliant with the old standard, and they don't want to rock the boat until they have to. So I think it's probably a mix of both.
I think that's exactly right. And I think there's this unwarranted fear of change.
And, you know, let's just sort of wait around and see what happens before we really try to jump in. And I think that's, in my mind, kind of a worrisome trend. And it was actually mentioned by a number of other QSAs at this meeting that some of their clients (I don't know if we've had anybody do this) are saying, hey, I want to get two assessments in in 2023, even if I have to rush one at the very end, so that I don't have to do anything clear until fall of 2024, because I will have changed my date.
Like I said, I am not sure that's really the right way to handle this transition, and I think people are worried about it unnecessarily. Why do you think people are worried? Why do you think they shouldn't worry, Mike?
I mean, I think why they're worrying is that anything that's new is sometimes difficult to want to jump on to. If they know exactly what they have to do to be compliant with 3.2.1, it's more comfortable, more safe to just follow along that trend.
Why they shouldn't worry, in my opinion: I've done several of these assessments now. For most of the new PCI version 4 requirements, they have until 2025 to get those in place. So even if they did a PCI version 4 assessment today and they didn't have all of these new requirements in place, those future-dated requirements are considered best practice.
So if you don't have every 4.0 requirement in place and locked down in your environment, it's not a reason to hesitate. There are a few things, especially some documentation stuff, and we can get to that, that will need to be put in place on day one when you do an assessment. And for some of the self-assessment questionnaires, they've taken an existing requirement, like in the case of the ASV scans for the SAQ A questionnaire.
Those have to be in place on day one when you do that assessment. So there are some cases where you do need to be prepared for a 4.0 assessment.
But really, the majority of the heavy lifting we have until 2025. So most organizations can probably move to 4.0.
If they were compliant with 3.2.1, they're starting out in a good space, and moving that to 4.0 compliance shouldn't be that big of a hurdle for most organizations.
And I think that's a super important point for everybody: kind of chill out a little bit. You know, ninety or more of the 3.2.1 requirements are about the same in 4.0. Right? You're not going to really notice a lot of change. There is some rearranging of things, and they may have raised the bar in a few areas, but it's really not something to be put off by.
So our advice as QSAs is, hey, jump in the pool. We're going to help you, and you can do it. It'll be fine.
And we may get some more feelings from you on your experience about that transition as we go on.
If we were to say, you know, there's still somebody who may be on the fence going, well, my 3.2.1 one is coming up right now, and I should be okay, and I just want to do that. What are some things that we are asking people, or thinking that they ought to do, along with that 3.2.1 assessment this year that would help them out?
Yeah. I think, and this depends on who their QSA is, it's always good to reach out to the QSA and see: if I am doing another 3.2.1 assessment,
can I tack on to that a little bit of time where we can do a little mini 4.0 prep gap assessment? Where let's just take a look at those 4.0 requirements that are new and see where we are right now and what type of documentation we would need to hand over to the QSA to show that we're compliant with those new requirements. So that's probably what I recommend. If someone still wants to do a 3.2.1 assessment today, or anytime before March of 2024, take a little bit of extra time with your QSA and just do a high-level overview of 4.0, the new requirements, and how they affect your PCI environment.
Because there are going to be some things that need to be in place on day one. You know, like the documented scoping exercise. Hopefully you've been doing notes in the past, but in 4.0 it's a little more formalized. You'll need to have documentation you can show to your QSA.
So if you spend some time with your QSA and just figure out what those things are that I need to have on day one when I do my 4.0 audit next year, it'll put you in a great spot.
Right. I think that is just awesome advice. And it doesn't affect your compliance, right, to go through that with a QSA.
But being ready for that as soon as possible, and really understanding what would be something you would have to deal with in 2024 during your assessment, is super important. Like I said, it may take a little bit more time, but I think it's very helpful in the long run. Now at some point, I'm sure QSAs all around the country and the world will probably say, hey, we can't get done by March 31, 2024. So there will probably be a time when people will start saying, yeah, you have to move to 4.0, and it will feel like it's before the 4.0 deadline, because we have to have time to actually do the assessment, write up the report, and get it in to the council.
So I'm thinking, boy, if somebody tries to do it much past January, or even in January, that's going to be a tight fit.
Yeah. A real risk, I think, to make sure that gets done. Because once the date goes by, then you do have to switch everything if you weren't preparing for that.
And one thing that I've told some of my clients for this year: if you're going through an assessment sometime this year, you think you might be ready for 4.0, but you're just not sure, ask your QSA, you know, can I do a 4.0 assessment?
And if we need to, can we fall back to 3.2.1?
Right. So one more transition thing that has been a little disturbing to me that we've heard is... we deal with a lot of small merchants as well here at SecurityMetrics, and I think some of these transitions are even more nerve-wracking for the smaller organizations. They don't have an IT department to fall back on, et cetera.
And so they're wondering whether the council will really enforce that final date for transition, because there has been a time in the past where, because of TLS changes or whatever, they did back off on their requirement for moving forward.
But I was at the Global Executive Assessor Roundtable meeting in June, and that discussion came up as to what the feeling was. We all kind of looked and watched the few council people in the room, and there was a resounding no from the council. So don't be hoping for a delay or a putting-off of this transition date. It will happen March 31, 2024. That really is the end of 3.2.1, and March 31, 2025 really will be the date for future-dated requirements. So sorry.
Let's get going. Right? I think that's really the message there.
So another thing that we have noticed here at SecurityMetrics, because we deal with both: you know, Mike and I do a lot of large entities. Right? We're doing assessments at the enterprise level. Some of those entities are doing SAQ As; Mike works with a lot of universities and things that are doing that.
I think as I have been participating on the small merchant task force and other things, we get a lot of discussions from some of the acquirers: boy, what are we going to do about our SAQ A merchants? What do they have to worry about? What really is the difference?
That's the group that they're most worried about. So I guess, for those of you who aren't worried about SAQ A and the transition to 4.0, go get some coffee or a drink right now and come back in just a second. But I think, from my feelings, there are a lot of people that are worried about that. So I wanted to talk a little bit about the details on the difference between SAQ A for 3.2.1 and the differences now that are here in 4.0.
As a quick summary, the old SAQ A had thirteen requirements, and in 4.0 there are twenty-nine requirements. That's just me counting up the requirement numbers. It may feel like there are a few more questions in there, because some of those have multiple bullets you have to produce an answer for. But twenty-nine requirements, which is a little more than double the amount that were in SAQ A before.
So people are thinking, oh my gosh, what have they done? They've created all these new requirements. Well, most of them have long been part of PCI DSS.
And if you read at the very top of the SAQ A, it says that you're aware of and follow all of the other applicable PCI DSS requirements. You're just being asked to validate your compliance to these in SAQ A. So hopefully it won't be a big surprise.
I'd like to just quickly whip through a few of these that are different this time in 4.0. So an SAQ A merchant used to start answering questions in section 9, and now they really start in section 2, having to do a few things. So making sure that you have vendor defaults set correctly on any web server that you're using to display your website and host the iframe, perhaps, that's going to the ecommerce site that's actually doing the payment page.
So vendor defaults: whether you're changing them, you need to change them, delete them, et cetera. That's just a process that should be done normally. I don't think people need to worry about that one. There's some policy and process that exists for protecting stored card data in the non-electronic form.
I mean, that's always been something that we talk to people about when we do an SAQ anyway. Right? If you've got a paper process, or if you're getting stuff in the mail or whatever, then how do you deal with those printed copies of credit card information? So they're asking that, instead of not even being mentioned in the requirements, to be added in there in 4.0.
Retention of that paper, disposal of it. And some of the things that have been added are identifying and ranking potential vulnerabilities and sources to track this. So it's not an ASV scan. You have a web server, or maybe you're contracting with somebody for a web server that hosts your ecommerce page for SAQ A, and this one applies to that, where you have to say, well, now I need to really understand what vulnerabilities there might be for that web server. And they're just general vulnerabilities, and you have to subscribe to a source. And either you do it as the merchant, or you have to make sure your service does it for you. So those are some things that are different.
Again, just for the web server software or the web server itself, you have to have a process to deal with those discovered vulnerabilities, like making things go within thirty days, patching high vulnerabilities, things like that.
One of the ones that's a little bigger, that is totally new in SAQ A, is this detailed list of scripts that are used or included on a payment page.
You know, the payment page in this sense isn't... I think this is a confusing thing, and maybe you have some comments here, Mike. But I think when the council says the words payment page, everybody often immediately goes to, well, that's the page where I type in the credit card number. It's definitely not my iframe page. Right?
Yeah.
Yeah. And this has been a common problem with SAQ As, where people that host an ecommerce server that redirects out to a third-party payment gateway to collect the data, a lot of times they're like, hey, I don't store, process, or transmit data. I don't have any systems in scope for PCI.
But the council is very clear in the SAQ A. And they put a little more detail in when they went to version 3.2.1. The SAQ A changed a little bit then to make it clear that the server that's in scope is the ecommerce server that hosts either that redirect functionality out to your third-party payment gateway, or the iframe from that third party, if you're using one.
And the payment page that we're looking at here for this requirement, as far as tracking these third-party scripts on the payment page, would be that page that controls that redirect functionality, or the iframe where credit card data will be collected.
And I think that's the key. So when you hear the words payment page, don't all of a sudden say that's not me. The intent of SAQ A is, yes, that is you. You are the one who is redirecting to the payment page. You have the iframe.
And then be real detailed about reading the applicability on these requirements for SAQ A.
Some of them really do just apply if you have an iframe, right, if you're using an iframe methodology. So the script thing is... you know, a lot of people just don't know. There are so many includes that just happen.
Your developers go, well, look, I want this tracking here, and I want this here, and I want this from this site. And I have a good friend that's got this really cool feature that makes our buttons look really neat if I include this JavaScript from them. Or we're writing fancy JavaScript on our own and putting it on this page that may not feel like the payment page, but it's the page that links to the payment page, the hosted page, or the iframe. So you need to know all those scripts that are running, and that's going to be a new thing for everybody. So that one's going to be a little difficult.
You may need to work with your provider on that. And if they can't answer that question, you may have to think about providers. Right? I mean, that's going to be some tough stuff.
So the earlier you figure out some of this stuff, the better. So that's a new one. That's in section 6, but it's a 2025 requirement. So it's not something you have to do immediately.
It's just something you need to be aware of and start working on now rather than in December of 2024.
And just a little clarification on that one. For both requirements, 6.4.3 and 11.6.1, when the 4.0 version of the SAQ A was first published, it didn't clarify that those only apply to iframes. But later on, in December of last year, they published an update. So both 6.4.3 and 11.6.1 do only apply if you're using an iframe to capture.
Exactly. And I think that's a good one. So if you have just a click-to-buy that takes you to a totally different website, you don't have to be doing that.
So I wonder if people will move in that direction.
I think a lot of them will.
It's not quite as neat looking, because it looks like you did leave your site to go somewhere else if you look at the little URL bar at the top. But the problems that we're seeing in this area really do happen with iframes. This is not just the council saying, what else could we think of that will irritate our ecommerce merchants? Oh, I know, let's have them track all their scripts.
No. That's not the case. We're actually seeing these compromises all the time now. This is very common for iframe skimming of data. And from the research that we've done, I saw a recent number: of the websites that our forensics team is working on, over 25% of them are already compromised.
The ones where we started just saying, hey, let us look at your site and see what it's got on there. Twenty-five percent of them are already toast. Right? So that's a big number.
So it's definitely real. This is something that the council has made on purpose. This is not just, how do we irritate people? So let's see. That's enough on that one. That's a 2025 requirement.
User accounts for administration of the web server need to be unique and not shared. That's kind of like, duh.
Right? You want to be able to trace who's working on your web server. That one, I don't think, will be hard for people. It's probably something they're already doing. So they're adding some requirements that you just have to show that you really are doing. You're validating those things. Same with administrator password controls.
Temporary passwords are unique and have to be changed at login. That's something that people have done for what feels like a hundred years. Right? So it's just something you do.
One change that is different is that the minimum password length used to be seven. Now it's going to be twelve. Now, that is a 2025 requirement, but that's something that people can start working on if that's going to be a problem.
And unless you're using multi-factor authentication, these administration passwords have to be changed every ninety days, or you have to use this dynamic password research and analysis technology. So either use multi-factor authentication, or just change them every ninety days; that will work. If you have paper records, there's a bunch of physical storage requirements. They're there. I think they've always been in 3.2.1.
Like Mike said, there's a new one in 11.6.1, and these external scans are in 11.2, I think is what this one is, or 11.3.
External vulnerability scans are now required for SAQ A merchants. Do you think that's going to be a tough one, Mike? I don't know if you've had any discussions with anybody who's worried about this.
Yeah. So I think the thing that's going to be the most difficult on the external vulnerability scan is that this was an existing PCI requirement that has just recently been added to the SAQ A.
This is not future-dated. We don't have until 2025. We don't have until 2024. If you do a PCI version 4 SAQ A assessment, you'll have to have ASV scans.
So if you haven't been doing ASV scans, start doing them now. Because your QSA is going to want to see that you're doing these at least on a quarterly basis. If you have any major change on the system, you're scanning. If you're failing the scan, you're correcting it and rescanning.
So there's some documentation that you'll have to have in place to do a successful 4.0 SAQ A assessment.
Right. And it may be a little different for people who are actually hosting their own redirect web server, or if you are paying for that whole service from another third party, they need to provide you with evidence that they are doing it. Right?
You'll have to interact with your vendors a little bit more sometimes, making sure that you really know what they're doing, that they can handle it. And as Mike said, the quicker you can start with these vulnerability scans, the better. Are they expensive? No.
Not really. Right? It's pretty cheap.
External ASV scans are pretty cost effective. So start now. I really think that's a great way to get into evaluating any service providers that you may have: if you're not having to handle it yourself and have to work with a third party, how well are they going to do? Start them on the easy stuff, which is the vulnerability scan, and then you'll get a feeling for what happens with the big one, which is the script scanning. Because there needs to be a tamper detection mechanism. That's 11.6.1, which is the big one that's being added. This, I think, is the hardest one for SAQ A coming up. And maybe even for ecommerce in general, it's not a simple little thing.
You have to deploy change- or tamper-detection mechanisms on the web server where those payment page iframe redirects occur. And that's a 2025 requirement, but we need to be able to detect this e-skimming and the behavior of data leaving websites. So, again, this is real stuff. It's important to do.
It's not super simple, the script scanning part, but let's start with SAQ A vulnerability scanning right away, as soon as you can, because then you'll start getting used to what will need to happen if you have a service provider. I think that's probably the best advice that we could give to small SAQ A merchants: don't just sweep this one under the rug. You really have to work on that one. So, tracking of your service provider agreements, that's really the same from 3.2.1.
You have to have a documented incident response plan. I don't remember if that was part of 3.2.1 or not.
That was the one difference when it comes to third parties in version 4 for the SAQ A, compared to version 3.2.1.
And this is actually not in the requirement list, but in the eligibility-to-complete criteria.
The eligibility to complete in 3.2.1 said that all capture, storage, and processing of cardholder data is outsourced to PCI compliant third-party providers.
In PCI version 4 it's similar, but it specifically states you've received an attestation of compliance from any of these third-party service providers that shows that they're PCI compliant.
So I've worked with a lot of SAQ A merchants in the past that relied on, like, the Visa Global Registry to verify that their third-party provider is PCI compliant.
But according to that eligibility list, you actually need to get a copy of their AOC. And I think the reason for that is that those lists, like the Visa Global Registry, tell us that something was assessed at that provider, and something is PCI compliant. But it doesn't tell us what. Whereas the AOC would specifically tell us what was included in their assessment and found to be compliant.
And that frequently happens to QSAs in every company. They get an AOC, an attestation of compliance, for someone, and it's presented to them as, this covers it. And when you read in there, it's like, no, that doesn't actually cover what you bought.
So it's kind of caveat emptor. You've got to make sure that you really do understand what you're getting and what they're signing up for, what they've been compliant for. A lot of people can say, we're PCI compliant, but is it the service that you bought from them? So be an informed buyer and an informed worker with your service provider.
You don't have to be mean to them, but just say, hey, look, give us the data. We want to see this, and we need it to be able to complete even just the simplest thing, an SAQ A, next time.
And some providers have been a pain.
You know, they're not good at giving that information out. But there is a new PCI requirement in version 4 for service providers that requires them to provide that documentation.
So you can cite that: no, that is your responsibility. And we've even had some people say, no, no, no, that's private information. It's like, well, block out any names and emails on there if you want, but I need the data that's contained farther down, which is what services you provide.
So, small merchants, you can push back, or even large merchants, push back on these people and say, no, I need this data from you.
Because the QSA will push you for it either way. Right? We need to have it.
So that's good. So that kind of sums up our SAQ A conversation. Welcome back, those people who are not really interested in SAQ A. But just those strategies: get that scanning going, the ASV scanning, solidly in place soon.
Start learning about the script scanning stuff, and remember that your iframe redirect, the page that you do that on, is worthy of being script scanned. It's not something you can push off onto somebody else. And know that the fully hosted order page, where you just click a button and go somewhere else, is not what this applies to, as Mike pointed out. One other quick topic before we move on to just straight, you know, how have the 4.0 assessments gone, and what are the points that we can provide to you on how to get through that.
Every time I go to one of these gatherings of the QSA companies on the globe, they say, let's talk about the council. Let's talk about remote assessments. How are things going? And, you know, obviously, that started with the COVID pandemic, and a lot of remote assessments happened. And are people more reluctant to go back to in person?
And where does it make sense to continue to do on-site? And where does it make sense to continue to do remote assessments?
The council is going to be working on a lot more detailed guidance document coming out very soon. But in short, it's pretty much: in some cases, remote makes sense. If everything is in the cloud, then why do you need to be on-site somewhere? If all of your services and your whole company are virtual, gathering in a conference room in a central city doesn't really add that much.
Other than it's really great to meet people in person. And the video stuff, you know, you guys are getting to see us a little bit, but you don't really know us. Right? Because we're not there.
So the other rule of thumb is, if there are physical things that you actually can see and need to inspect, then that's when an on-site assessment will be needed.
So if you have something physical to look at, it should be on-site.
So the other thing that I think you mentioned, Mike, is that because of this remote stuff, they've added a new section in 4.0 that lets you document more fully what was remote and what wasn't as part of an assessment. And so there is increased documentation for a QSA in that area of remote. So you can't just say to your QSA, I want to be remote because I want to be. You have to have a reason, because we have to state the reason as to why it had to be.
You know?
Yeah. And on the council's website, in the document library, they do have a four- or five-page document that helps you to determine whether a remote assessment is appropriate.
It gives you some suggestions for how to make that determination.
And you can use that document and work with your QSA to decide if a fully remote assessment is viable. Or, I'm assuming most assessments in the future are probably going to be some type of hybrid, where the QSA is probably going to ask you for documentation before they get there and do some of the documentation review remotely. And then they'll come on-site to review physical evidence and other testing procedures. So work with your QSA. They'll be able to help you figure out which type of assessment to perform.
Well, I don't really see a huge change here going forward, other than, I think, for truly distributed companies.
Right?
The council is expecting us as QSAs to be on-site.
So the pandemic is over. We're moving forward, and I think everybody's acknowledging that. And I think over this last year, we have seen a whole lot more people saying, yeah, let's get back on-site. It is more enjoyable.
You get to meet more people, and you get to see some of the expression out of the corner of your eye and go, oh, wait, what do you mean by that? Right?
So it's really a good thing.
Okay. So with all of that, how have 4.0 assessments been going, and what are some of the things that we've learned by doing a few? So as I said, Mike has finished a number of them now. So, Mike, why don't you go over with us some of the things that you've learned in that new task?
Yeah. So I've done... I think I'm just finishing up my fifth 4.0 assessment. So I've done a few of them. I tried to work with my clients that I felt were in a good preparation state to be able to successfully complete a 4.0 assessment.
With my clients, I've let them know that if something happened and we needed to, we could always roll back to 3.2.1. But so far, every 4.0 assessment I've done with them, we've been able to complete. There's one we're still working on some remediation for. But the thing that I've learned with 4.0 is that it does require more documentation.
It requires more documentation from the merchant or the client side. It's going to require the QSA to keep more documentation as well. So there are some requirements where maybe the requirement itself hasn't changed, but the QSA is now told to gather documentation that maybe in the past they didn't have to gather.
To evidence that certain settings were set correctly or certain procedures are in place. So there's more documentation that the QSA will need to gather. And they'll need to do a better job of keeping track of where that documentation is. From the client side, some of the documentation is required that wasn't really required in version 3.
One of them I talked a little bit about the scoping exercise.
In the executive summary of three two one, and even before three two one, the you know, it always talked about performing a scope review to identify what is in scope for your assessment. This has now been moved into a a specific requirement in version four. So you're going to need to be able to show your QSA, you know, what your scoping process is and show them the documentation that was created as part of that scoping guide.
There there's a lot of we'll you'll also see and this they started to do in three two one, but it's very formalized in version four. But for every single PCI requirement, all of the twelve major requirements, you need to identify and document what individual or group is responsible for managing each of those requirements. And what policies and procedures help to guide them in their efforts.
So a lot of documentation policy wise.
I think when we had a discussion with a large really, it was a previous webinar we did with British Telecom. They he said, Simon Turner said that was the hardest thing almost for them to do Yeah. Get together that because it's sometimes difficult in larger organizations to get people to say, yeah. I'll sign up for that. Right?
Yeah. Well and from a you know, the the benefits of it, though, it's really hard to get in place, and it might, for some organizations, be hard to maintain.
But I can't tell you how many times I've come to do an assessment.
And we're we're reviewing vulnerability scanning or or we're reviewing, you know, log monitoring.
And the company will say, oh, yeah. The person that was in charge of that left the company a few months ago, and no one's been doing it. We didn't realize it was his responsibility or her responsibility.
So having that documented should hopefully help to prevent some of those issues where a key individual leaves your organization and all of a sudden you're no longer PCI compliant.
In fact, as I remember, isn't one of the the scoping guidelines in four o that you have to kinda kick off a rescope if somebody key in the organization moves. So, like, if there is if somebody leaves a company or if your organizational structure changes, the standard now says, hey. Kick off, a rescoping process because what what you just did to your management structure or whatever may affect the process and the controls that are happening. So don't get caught there. So, you know, that's a good Yeah. I think that's a good process.
Yeah. Significant changes to the environment isn't just always technology. If there's a significant change in your people or process, it also requires a rescoping.
Yeah. You don't want to tell the the QSA that the dog ate your homework. Sorry. Right? Yeah. We just don't have it. Right?
Yeah. You'll also notice that some of the other, like, inventories, PCI version three required you to have, you know, an in a system inventory of the hardware and software in your environment.
In PCI version four, it's it's more detailed. They they wanna know with your hardware and software inventory, you know, what's the end of life date for each of these require for each of these, you know, either hardware or software that's in your environment. And what plans do you have in place to, make sure that that end of life date doesn't cause you to become non compliant or or not secure. Some of some of these requirements are future dated like the the end of life, you know, having a plan for all end of life software or hardware. That's a twenty twenty five requirement.
There's also new inventories. You know, having an inventory of all of your, encryption keys and certificates, that's a new one. Having an inventory of all of your application or, system accounts and permissions assigned to those, that's a new requirement that'll be due on twenty twenty five. So there there's a lot more documentation that you'll have to have put together for for a PCI version four, especially once we get to twenty twenty five as compared to three two one.
So everybody loves to write. So start writing.
Yeah. Yes. Start right now. Get it in place.
The other big one and and this one is kind of more just a shift. So in in three two one, we we needed to do a risk assessment, and it had to be done annually.
But it was, it's fairly general.
It didn't say what the risk assessment should entail or Even the scope, right?
It's just the whole company or what?
You know? Yeah.
Right. So it said, you know, some risk assessment needed to be performed.
PCI version four, there's several there's a handful of areas where it wants a targeted risk assessment. So this is any anytime where the council or the standard asks you to do something on a periodic basis.
There needs to be a risk assessment where you've looked at the risks in your environment. And based on those risks, you've decided how often that should be performed. Some of those are future dated. Actually, most of those are future dated to twenty twenty five. But some of them, like, requirement nine dot five, I believe, for when it comes to your terminal security, that that, targeted risk assessment is not a future dated requirement. So, you know, you'll have to show your QSA if you have payment terminals. You know, this is how often we're inspecting our terminals, and this is the risk assessment that we perform to show that that's an appropriate time frame.
Right. And, yeah, I think there's there's, like, nine or or different there's a, you know, a number of different things you've gotta do. I can't remember what exact number is. It seems like it's around nine or ten of these kinda mini risk assessments you ought to do for all of these topics that that may be creating Yeah. Some sort of curiosity. Yeah.
And then the other one that I've noticed and and this one, again, we have until twenty twenty five. But I think for some organizations, it will be you know, it might be a bit of a challenge to get in place depending on what you're using currently for your internal scanning. But PCI version four in twenty twenty five, you'll have to do authenticated scans, for your quarterly internal scan. So if if your solution doesn't already allow for or doesn't have the capabilities for authenticated scanning, it's something to start looking at now.
Right. And, you know, I think do some research on what that term really means.
Talk with your QSA about that. It is really kind of potentially storing passwords to log in to get a different perspective from the in internal logging into certain applications instead of just hitting the login page. It it means different things, and, that's that's gonna be a tough one, I think. Right? We'll we'll see. It depends again, like, on the software that you're using and whether you've been doing it already.
And then probably the last thing I wouldn't I would mention about doing a four o assessment is it's gonna take longer.
Expect, you know, not only for your QSA to go through a four zero assessment with you, but it'll take the QSA longer to write that up. So take take the time or or maybe give yourself a little more time to go through your assessment.
So so, Mike, how long is it is it taking to write these ROCs? Is it is it kind of a a little bit different different? Is it better? You know? How do you have to make sure the QSA, you're dealing with the QSA on that that area?
Yes. So so it does take significantly more time. I I found for me, it probably is, like, one and a half times more time it takes for me to write a four o report than it does a a three two one. I don't know if that was the intent from the council.
It does take more time. So because it feels like for the QSA, you're writing up stuff in the executive summary and throughout the body of the ROC. It just seems like you're duplicating a lot of work.
So that's one thing just to be aware of from a customer endpoint. Maybe give yourself a little more time when you go through your first four o assessment. Make sure that you you and your QSA have plenty of time to get this reviewed. Right.
So if you normally start in July or well, I should say because now we're already in July. If you normally start in September, start in in August. Right? Start a little earlier than and giving yourself a little bit more time. It'll help you and your QSA as you work through some of these transitions. So be thinking about that even into next year, when you start with your four o assessments. Speaking about the ROC, the report on compliance and the and the format of that, I don't know if if many of our audience know, but there was a time when there was a a version of the report on compliance that actually contained a column, in the the report that was in place with remediation.
And that column was kind of meant as a you know, we I was kind of in the community to help think about all that stuff. And how do we get around somebody who who really did their best at trying to get their quarterly VA scans going and something happened? Like, somebody left the company and they forgot to you know, whatever the reasons are, they didn't you know, they missed one of those. And, missing one of those scans, technically, in the write up of the of the report says, then you can't be compliant until four of them are in place.
And so that that was a frustrating thing. How do we get past that? And for and, it wasn't really available for compensating controls. So it was a difficult kinda time.
They came up with this column saying, well, look. We'll let you get past that if you can show that the process is in place now. And it needed some remediation, but it's really in place and and here's the extra work that I did to show that it's in place.
That column, you know, could have been great for a few requirements.
Having applied across every single requirement, I think, was a little difficult.
So, the council got a lot of feedback from the industry, from QSAs, etcetera, and they decided to remove that column from the report itself. And to replace that, they have come up with this new form. I think it was released in June the end of June, June twenty eighth. You can look in some of the council's, research or the, press releases, etcetera.
There's this new form called INFI.
So I I forgot to look up at that.
The last one is needs Items noted for improvement.
Items noted thanks, Mike. For items noted for improvement.
And so it does sound a little calmer. It's a little nicer.
And, it's really a document between the QSA and the entity being assessed. It's not something that, you know, gets thrown onto the AOC or anything like that. It's a it's a document. Now, it is a document that, you know, you know, if a QSA finds something that maybe wasn't right in place during the final validation, then there needed to be remediation to fix if there's a little change in the document or whatever that needed to happen.
You can add a little line in there saying this this needs to be improved. Or if a process could have been improved, you were compliant, but the process could be improved, maybe that's something that you would add in there. I think the council's intent with this form is it's a way to improve communication between the the assessed entity and their assessor and provide a way to get visibility to the corporation that's being assessed, for saying, hey. Look.
Here's some stuff that we had issues with this year and look. It's on next year's as well.
That indicates that there needs to be some more discussions maybe going on. How can we help you make this better?
So I think it's a positive thing. It's a good thing. It does have to be signed by an officer of the company that you're and the assessor to to make sure that people acknowledge this has been delivered.
But, I think we really think of it as a a communication, thing that allows us to get through maybe one of these, scan issues. Right? Maybe. And and I think those are the ones that it should be used for. They do suggest using it for three two one if you want to, but it mentions four o through throughout a lot of it. So it's a little a little difficult to do that, but it can be.
Many QSAs have used kind of a punch list or or some sort of an improvement list for next year for years, and so it's just kind of expanding that a little bit, making it a little bit more formal. So we'll kinda see how that goes and how that affects. That needs to be present for every single four o ROC. Whether you had any things that needed improvement or not, it needs to be filled out and signed. Right? Which is another one of those interesting, requirements. So we'll see how that kinda works out.
And I think this kind of ties in with there's a PCI requirement that talks about having an executive charter so that the the executives have some communication with those that are responsible for compliance. This is one of those other ways that we're communicating that information to the executive team.
Right. And and it is a really great entity, you know, being assessed internal communication tool as well. Right? Not always just between QSA is a good point, Mike.
Okay. So, we're gonna do a quick wrap up, and then I think we've got some some questions have come in. We haven't seen them yet, so we'll just do our best at answering some of these off the fly here as we read them. But, some of the wrap up thoughts here, as you, you know, just going back over the whole thing, there are gonna be some, new tools required and processes needed for four o, whether that's kind of this risk assessment thing, some of the script scanning, that's gonna be going on, making sure that ASV applies into as a QA, some of those things are big.
So there's, you know, one thing that this there's a lot of script scanning stuff going on. I think a lot of vendors are coming up with solutions for eleven six one and six four three. Start learning about those, trying them out, testing them out. SecurityMetrics obviously has one. We call it shopping cart monitor. You can check on our website.
It is a little different than some of them. It's a monitoring system. It's nothing that you have to install into your website or your web page itself.
But it does let you know whether it's malicious scripts or or things that are doing things you don't expect, suspicious. So we'll try to identify those. Our forensics team, as I mentioned earlier, are finding a lot of ecommerce pages already infected. So this is a real deal.
This is not just something that somebody's making up work for you to do. SecurityMetrics also has one of these things where you can kind of do a a test to put one foot in the water, see what it feels like, and that's called a shopping cart inspect. So that you can just do a quick characterization of your website, see what state it's in now without having to sign up for the full, monitoring, every seven days type of a thing. So there's lots of things out there that you can do to start getting ready for four o before you have to do it.
It won't count towards against your compliance, but now is the time to start searching out these tools, start testing them out, getting your developers used to it, getting your IT team used to seeing what the results of them are, looking at, what script you have and characterizing those scripts. So I think that's gonna be one of the bigger ones for for four o in twenty twenty five. So get get working on that one. Okay.
Well, thanks, Mike, for all your your knowledge and information there. We're we did receive some questions, during the webinar here that we'd like to just do our best at addressing.
So I'm gonna read them off. You give me your first cut, and I'll I'll kind of chime in if necessary.
K. Here's our first question.
When should I stop focusing stop let me stop focusing on complying with PCI three two one and start the process for PCI four dot o assessments?
Yeah. So that that's a good question, and and you really should never stop focusing on three two one. Because most of three two one, you know, those requirements are still part of the PCI version four. We're just gonna be adding some more to it.
So keep your three two one PCI compliance program. Look at what you need to add to become PCI compliant with four.
Oh, exactly. Don't throw away three two one. It's really four o is based ninety percent on you know, it's it's really mostly three two one. So Yeah.
A good preparation for four o is doing good in your three two one assessment. So you're doing alright. Everything's gonna be okay. Everybody stay calm.
It's gonna be okay.
Alright. Here's our next question. In what circumstances would you recommend the services of a QSA? For example, a SecurityMetrics QSA or from some of the company. Do you have to be a level one merchant to work with a QSA?
Yes. You you don't have to be any level to work with a QSA. There's some levels, like level one merchants, level one service providers.
In in some instances, level two merchants will need to have validation, their PCI assessment validated by a QSA.
But if you've got questions, reach out. You can have a QSA perform gap assessments. They can perform your full assessment. Or just provide consulting. If you if you wanna make sure your own internal compliance program is meeting the requirements.
Right.
You know, your QSAs love to talk and love to talk about the standard, so you're always welcome to ask questions. Some of the great places to get, some questions answered by QSAs is at the PCI community meetings, hosted by the PCI council.
A lot of all all a lot of QSAs are there, and they're they're, you know, sitting around the booth. We'd love to answer your questions.
That may be a good way to get started, but we all will do or can set up consulting or some sort of organist, some sort of stuff. It doesn't really mean that you have to then go and finish a ROC. You can just ask the QSA questions.
Okay. If my company moves forward with PCI version four dot o, do the service providers that work with us also have to be four o compliant before I can be compliant? That's a really good question.
Yeah. That it is a good question. It's one that the council has gotten quite a bit, I'm assuming, because they have an FAQ specifically about that. It's article number twelve eighty two.
But the answer is no. If, if your third party service provider completed a three two one assessment prior to the three two one sunset date of March thirty first of twenty twenty four, and that is still valid. So it's within the year that their AOC is valid.
That that's really all you need. It the FAQ does recommend that you ask your acquirer if there's any other reporting requirements that they may have, for your third party service provider. But no. If they have a valid AOC and it's three two one, it doesn't mean that you cannot do a four o assessment.
Perfect. Excellent. Excellent answer.
Next question. Somebody said, do you have any recommendations pitching the increased compliance costs of version four dot o to my c level executives?
Yeah. I let me let me start on this one maybe.
And, I you know, Mike and I have both been in this business for a long time. I I've been here for about twenty years doing this. Mike, pretty close to that. And, one thing that we've noticed is is that compliance, doesn't just stay static, and that's because the bad guys don't either.
Right? We're we weren't seeing five or six, eight years ago, compromises of iframes the way we are now. So compliance gets harder, compliance costs go up, and it's in response to the environment. So sorry about that, but, it's something the c level executives need to understand.
Compliance costs don't go down over the years. They may get more the processes may get better and simpler for your people to accomplish, but, the actual cost of compliance may not go down, over time. So sorry. Yeah.
I guess that's the only thing I could say.
And from what I can see, my own personal experience, it does take the QSA longer to write up this report and to go through the assessment. And it's gonna take you longer internally to to validate your own compliance. So so, you know, just expect it because it takes more time for both you and for your QSA. It it most likely will cost a little bit more.
Yeah. And and, you know, as yeah. Let let's just leave it at that. That's pretty much the way it is. It's getting a little bit harder, takes a little bit longer. So, expect that, plan for it, plan to start a little earlier. I think it was what we said a little earlier was a was a great piece of advice.
Question. How much time will implementing PCI version four actually take?
And I think I'm gonna give the most excellent answer here, and that is it depends.
So, that's a real tough we we really don't know how much time it will take for you. It depends on your situation and what things you're doing, how well you're already working towards understanding four o.
So, if you have any questions, start with a gap analysis for the QSA, and then you'll you'll know a little bit more. Well, with that, Mike, I really wanna say thanks for hanging out with me today. I've learned some stuff about PCI DSS four o and how how it's being implemented and how it how, we are working towards getting people compliant to that new standard. If you need to get, to our to our listeners out there, if you'd like more information just on PCI DSS four o, in general, obviously, the council's website has a lot of documentation, a lot of things there.
The Security Metrics has a learning center where we've focused a lot of of documents, you know, four o webinars, all kinds of stuff, so you can go and and review some of that stuff we've done in the past. And as always, stay tuned.
We're gonna try to keep you as informed as possible on PCI four o and the transition. Thanks a lot. We'll see you.