Watch to learn what a PCI v4.0 audit looks like and how to prepare for a PCI v4.0 assessment.
Watch this webinar to learn how you can best prepare for a PCI v4.0 assessment and what a PCI DSS v4.0 audit experience looks like compared to a 3.2.1 audit.
In this webinar, Gary Glover (VP of Assessments) and Brian Cole (Enterprise Sales Manager) will discuss:
This webinar was given on January 26, 2024.
Hi. My name is Brian Cole, and I manage the enterprise sales team here at SecurityMetrics. I've been here for eight years. I'm joined today by Gary Glover. Gary is the VP of our assessments. How many years have you been here with SecurityMetrics now, Gary?
Let's see. I think it's near twenty. I think nineteen right now, so I'm in my twentieth year at SecurityMetrics doing cybersecurity stuff. So... It's impressive.
Some of the certifications that Gary holds are CISSP, QSA, and CISA.
So there's probably a few more acronyms we could add to that.
Today we'd like to discuss why people are choosing SecurityMetrics for their PCI four point zero assessments.
We've done several at this point in time and would like to share what we've learned with you all today. Please feel free to send any questions you have. We'll respond to those and can get back to you. Alright. So what does PCI four point o look like in general terms, Gary?
Well, you know, when you think about PCI DSS four o compared to three two one, there isn't really a ton of changes. It's not like they've taken a, you know, a mixer and just decided to throw everything out and start over and change the ingredients. The ingredients really are the same. We still have twelve major areas of security focus.
It's gonna be very familiar to people. If you haven't looked at it already, we recommend that you really dive into it and read, especially, the changes document or something. But going from three two one to four o, not that big of a deal for twenty twenty four. Now in twenty twenty five, there's a bunch of future-dated requirements that are gonna come into effect that are a little bit harder.
We can talk about that a little bit more as we go on. But, you know, it's not a ton different. It's gonna seem familiar. People are gonna be okay.
Just have to be calm and move forward. Right? Yeah. So let's see if I remember. Out of there, between three two one and four o, there's fifty-three changes, fifty-three main requirement additions.
And eleven of those are for service providers, and thirteen of those are effective immediately.
And of those thirteen, twelve of them are essentially the same thing.
And that's adding some documentation for each section. So it's some documentation needs, that's twelve, and then, you know, one other thing. So it's really nothing to be worried about. I think people are trying to think we need to really sneak in a three two one really fast here before the timer runs out. That's not necessary. Just go ahead, jump in. Four o water is fine.
Okay. And, you know, it's good you say that. I've heard that from some of our clients that have gone through some of these initial four o's that it wasn't a huge change for them. But I'm curious.
What do you feel is the biggest reason, or why did they do a four point zero change, if it's not a huge deviation from the previous? Yeah.
So, you know, when you look at all of the future-dated requirements, there are quite a few things that are being added because of the, you know, the state of the world, the state of the bad guys out there. There are some things that are changing, and new attack vectors are always present. I think they're always looking to improve and move people forward a little bit with each release.
Changes typically in the releases in the past have been small going on. This one is a three two one to four, so it feels like a big one.
But it's really nothing to be intimidated by.
But, you know, they really changed the way in which the requirements were written. They're more objective based now. So they want people to understand, why am I doing this thing? Why do I need to do this requirement? Well, here's the objective. You need to protect this thing in this way or, you know, so it's an easier way to interpret. So they've rewritten a bunch of the words, hopefully for the better for the most part.
And they've made changes again based on industry input, industry requirements, just the way payments are changing over time, adding more stuff about cloud security where, when we started this twenty years ago, there wasn't such a thing as clouds. They were just in the sky. Right? Yeah.
And the reason why the council made these changes is reasonable. It's not just like, hey. Let's, you know... I think sometimes people worry that the council sits there and goes, how could we mess people up this year? Let's add some more requirements.
That's not the deal. These really are important changes, and we've been involved in recommending some of these changes actually, too. And so it's been really good to see how the standard is evolving.
Yeah. Makes sense with how fast technology is changing that they do updates every few years. Do you feel that four dot o assessment requires a lot more work from the client's perspective?
You know, that's a really good question. I think that's the thing that people are most worried about is how much harder is it gonna be for me. And therefore, I don't like change, and I don't wanna move forward because what if it's harder?
Tell you the truth, especially in twenty twenty four this year, the hardest change is gonna be had by your QSA.
The reporting requirements are a lot more for us, and a lot harder. Plus, we're getting used to it, getting used to the changes in the new way that they want us to document this. Every year, they kind of up the game on documentation.
And so, frankly, for you, if you kind of just say, I'm not gonna worry about the future-dated things initially. Now I'm not gonna say don't worry about the future-dated things this year because you've gotta figure out this year so you can be ready for next. But the big changes are really gonna be on the QSA. We have to organize information a little bit differently. The information that clients provide us is gonna be about the same, the same kind of things that you did last year.
Like I mentioned earlier, there's a little bit more documentation that we often will provide a template for that you can use if possible. But documentation sometimes is really hard for people to do and they hate it. I hate writing too. Right? Everybody hates writing.
So that will be an addition.
Some of the SAQs have changed a little bit, especially if you're an SAQ A.
So that's gonna be a new thing. That's probably the group of people that will be affected most. And it's not what you and I typically deal with very much, as we're on kind of the more enterprise side. But SAQ A merchants will have one new thing to do for sure this year, the ASV scans, which is gonna be difficult for them.
Not really. They're not that expensive. You just have to get it going to set. You just have to jump in and do it. But people, I think, are kind of worried about it. Don't worry. It's okay.
Yeah. Right? Sounds good. We can easily help them out with it.
Yeah. So in summary, it's not gonna be a whole lot different for you. Right? On the auditee side, it's not gonna be a whole lot different.
Good. Hopefully, that puts a few people's minds at ease. Yeah. So, Gary, you mentioned there were thirteen requirements effective immediately. Which thirteen requirements were you referring to?
Yeah. So let's talk about that so you can kinda be at ease. As I mentioned, there's some documentation that needs to happen at the beginning of each section.
Now they're requiring, or the standard, I should say. The standard is requiring that people document kind of the roles and responsibilities for each section. In other words, who's gonna be the one on the hook for making sure that these things are in place, and who do we talk to, or who is kind of following up on this from the corporate side, from the side of the entity being audited.
So, you know, that's really not a new thing. There's gotta be somebody in charge of that. They're just now saying have a little document to do that.
Makes sense.
The other thing that has changed a little bit is the way that risk assessment is being done. In the past, risk assessments were done kind of at a whole corporate level. You know, we look for a report or some sort of meeting results or some sort of documentation evidence that they've looked at all their systems and done a risk assessment.
And the council has kinda turned the dial on that a little bit, and it's not necessarily making it harder. It's just changing the emphasis. I think people were really kinda confused about, well, how does my whole corporate risk analysis affect my card data environment if they do more than one thing? So now the council has said, alright.
Well, let's have targeted risk analysis specifically on things like how long are your passwords good for. And, you know, then you can refer to NIST rules, guidelines, all those kinds of things. So you're doing the risk analysis and saying, well, I'm gonna kinda replace my encryption keys every x number of months or years, whatever. Right?
You know, quarters.
And here's the risk, and why. And if it's lower, we do it more. If it's less, we do it longer. Right?
So in the past, it's sort of been implied that you have to do this annual scope reconfirmation and making sure that you really do know the scope of your card data environment. That was kind of in the introductory sections of the standard. Now that's been moved right down inside into, I think it's section twelve. I may be wrong there, but I think it's in one of the sections where now you have to show that you've done a documented scoping exercise.
And that may imply, hey. How do I know where the card data is? Sort of implies you've done some searching, making sure that you have a good feeling on whether you've got unencrypted card data around. And so people can use tools like the SecurityMetrics PANscan or Card Recon or other kinds of tools out there to make sure that you really know where the card data is landing and if you've got any problems with unencrypted. So that's an example of the scope change that they want to make sure is being documented formally. So when you think about it, it's just three things, and mainly documentation that's being asked for and a little bit of process change. So, again, no worries.
No worries. Scoping is critical on the sell side, so I'm glad that they're putting extra emphasis on making sure you're doing specific scoping analysis.
Yeah. Okay.
So, Gary, tell us, how do you interface with your customers, and how do you communicate with them throughout the course of the assessment?
So as far as is it different than three two one? Right?
I think, yes. That's the part.
In other words, people are kinda worried and wondering maybe, well, now that four o is out, how is that gonna change just the way I'm being audited? And let me say to the audience, not a bit. There isn't really anything that changes there. You still interface with your assessor the same way.
We still have, you know, open communication. We still have a lot of initial audit stuff that we do, getting people ready for this assessment. It's just the same. So our process internally here on the audit team is gonna be just the same as it was for three two one as it is for four, other than we have, you know, updated sets of questions and things that we worry about and make sure that we're checking on.
And, you know, we're gonna cover gaps a little differently and making sure that, especially during this year from twenty twenty four to twenty twenty five, we will probably talk to people about, hey. Here's the future-dated thing.
You know? Do you have anything in place, or what's your plan? Right? And help them make sure that they're making that plan for next year so that they're not caught by surprise. So, again, it's mainly kind of helping us communicate to them a little bit better. So shouldn't be any change at all.
And I know one of the things that we highlight too is you're always encouraging your people to tell their clients to reach out to them at all times with any questions, shoot them an email, give them a call. We're easy to get ahold of.
Yeah.
And that's really, I think, one of the major things that sets us apart from a lot of our competitors.
For sure. And that has been my goal as the VP of the department to make sure that we get people on board that really can communicate.
And we have lots of levels that people can communicate through. There's always an audit coordinator that you can talk to.
And so people shouldn't be nervous about approaching four dot o. It's gonna be the same. We wanna talk to you. We wanna help you. We wanna make sure that this is a thing that you can get through, and with the least amount of problems. Right?
So as a company, I know SecurityMetrics has already completed multiple four dot o assessments. What have we learned so far, and how have those assessments been going?
Yeah. That's a good question.
We've done, you know, a handful. I was talking to a bunch of the other QSAs at a GEAR meeting recently, and it's kind of the same. Not a whole lot of people. We haven't had everybody jump into the pool yet. I think they're waiting for twenty twenty four. Some big entities have jumped into the pool of four o back last year.
But everybody else is a little worried the water's too cold or too hot or whatever. I don't know. But, you know, as I've talked to the QSAs, they say the experience has been fine. Again, there's a little bit more on our side to do and correlate and to keep track of just the way the documentation is being asked to be written.
So on our side, we're still working on optimizing our processes and collecting the information the most efficient way. Mhmm. But I haven't heard anybody yell or scream, and nobody's called me saying we want four o to go away. That's good. And please let us go back in time. So... That's good. So far so good.
Positive experiences with all of our customers and QSAs.
So, again, don't worry. It's gonna be okay.
Yeah. It's interesting on the sell side. So we we're talking to clients all the time, potential clients.
Some of them are gung ho about four o and wanna be one of the first people to go through it. Other ones are super nervous about the changes. So I'm glad we're having this conversation.
Yeah. I think, you know, change is always difficult for companies, for people, for me. Change is hard. Right?
And I think that's just kind of human nature, and we like to put off change until the last. And so that's what we're experiencing throughout the industry. So, you know, if you have waited or are trying to sneak one in at the very end here, you know, you're not alone, but we're also kinda saying you should have just jumped in. Yeah.
Right? But not that big of a deal. It's not that big of a deal. So, again, if you're worried about it, don't worry.
It's gonna be okay.
So, Gary, what would you ask your customers in order to be best prepared for a four dot o assessment? What could they be doing ahead of time before they maybe begin?
Yeah. That's a good topic to talk about. I think, you know, nobody really loves to just sit down and read these exciting standards documents, but, unfortunately, that's probably gonna be something that you need to do at some point. Now would I start there? I don't know. There's plenty of information out there.
SecurityMetrics has generated a lot of four point o kind of webinars and information and... Multiple blog posts for sure.
Blog posts, papers, all kinds of things. So those may be easier to digest than just jumping right into the standard. Another document I think is really important is the changes document, and that can be downloaded from the PCI Council's webpage, where it basically shows here's three two one and here's four o, what things have changed. And that'd be kind of a nice one and maybe even a comforting one to look at and see, oh, here's the changes that I've gotta, you know, think about. And a lot of them are future dated. Right? And so, really, it's kind of jumping into the four o pool, reading about it, watching things, calling us up, asking questions.
If your assessment, you know, maybe you just finished an assessment in December for three two one and you don't have to do something till December of next year, right, of, well, sorry, of this year, twenty twenty four, you may consider starting earlier.
Right? Maybe even halfway through your audit cycle, contact a QSA like SecurityMetrics and say, hey. We wanna do a four o gap assessment, or we wanna really focus on these future-dated requirements, help us through those. I think that'd be a great way to start being prepared, being proactive.
So, really, it's being proactive, learn about it, and start figuring out where you are, especially for those future-dated requirements, but have a plan. But for sure, be familiar so that you don't kinda come to your assessor and say, okay. I have nothing. I don't know anything.
Tell me about four o. And it's like, well, okay.
Yeah.
You know, we can do that, but it would have been better if you would have read something first.
We're always happy to take calls. Right? But is it the change control document? Change document? What did you mention?
It's the changes. So there's one of the documents you can download from the PCI Council's website, and I don't know. Maybe we can even put it on the links for our webinar or whatever.
The changes between... they just highlight the changes three two one to four o. Okay. So it's a nice summary doc to start. Yeah.
So if a company wants to do four dot o, do their service providers also have to already be four dot o compliant in order for them to be four dot o compliant?
Right. And that's an interesting question. During these transition times, it is sort of confusing as to exactly what is the right way to interpret some of these things. So let's say you have a service provider that was validated mid twenty twenty three on three two one, and your assessment is in the next month or so in twenty twenty four.
And yet it's occurring before their four dot o assessment or their next assessment in July or midyear. Mhmm. So that's okay. Right? So as long as they're still current, so if they have something current within twelve months, their AOC is current, then, yes, that can be referenced during your four o assessment even though that company may not have been four o audited. It's still just part of this transition time. So just making sure you know what those dates are on your service providers is gonna be an important task just to keep track of.
So three two one expires end of March twenty twenty four.
March thirty first twenty twenty four. Okay. So in a couple months.
And that means we as QSAs cannot turn in an assessment past that date that was accomplished under the three two one standard.
So there's still that grace period. If you've got a current AOC and their next one will be in twenty twenty four, they'll do four dot o, but their three dot two dot one is still current. They're fine.
And... That's right. Yeah. So in other words, if you're before March thirty first twenty twenty four, you can get everything done, which frankly, for people doing, you know, assessments like with the QSA, that time has already passed.
But I suppose SAQ A people or SAQ people might not be able to make that deadline. But, yeah. So it's not like twenty twenty four is when you have to be four o. It's March thirty first is when the transition occurs, and then three two one is no longer valid, from the council and from the card brands and merchant bank perspectives.
K. Now I don't know, and, you know, I don't think that I can say or exactly tell what a card brand specifically will do and what a merchant bank will do. They may extend it for somebody or whatever, but I don't think I would count on it. Right.
But I'm talking from a council's perspective. From the council's perspective, it's over March thirty first twenty twenty four.
So with future changes coming up, when do people actually need to have those future-dated requirements in place? And what are a couple of those, maybe showstoppers or some of the more important changes that you'd recommend? Yeah.
We don't have time to go into all of the fifty-three new requirement changes today, on this webinar.
But, just reminding you about the schedule. The schedule is March thirty first twenty twenty four for three two one being done, then those kind of thirteen things effective immediately.
The other ones, the leftovers, become effective March thirty first twenty twenty five.
So, you know, you got about a year right now to get ready for those. And, you know, many large organizations have been working on those things for a little while. I think for smaller organizations, this year is key. Twenty twenty four is key to start getting ready.
So let's say you have an audit early in the year this year. You know, maybe you really focus on just getting through that and then starting to make plans for the future-dated ones. But then, boy, the rest of twenty twenty four, even after your audit cycle, you need to be getting ready and understanding and having your team find solutions for some of these upcoming security requirement changes that are gonna be effective in twenty twenty five. Because you can't, you know, don't start working on it January twenty twenty five.
You're gonna be in trouble.
Some might require budget. Right?
Yeah. You have to have budgets. You have to be thinking about that. That's a good point.
So, you know, things like authenticated internal scans, that's gonna be kind of a new thing for some people. And... Yeah. What does that mean, and what does your current provider do, and can you support that? And if you do ecommerce, the script scanning, you know, are there extra scripts being found on your pages?
And that's really an ongoing... it has to be done every seven days. And so, again, there's something that needs to happen during twenty twenty four.
Many of the other changes are kind of procedural or, you know, twelve character passwords is twenty twenty five. Everybody's been used to seven or eight characters.
So that shouldn't be a big deal. You go change some software. But Right. You have to be ready for that.
You have to get your customers used to it. And if your customers hate changing passwords, you gotta kinda go through some of those changes for long term. Now, administrative passwords, you have to have been changing all along anyway, so it's not gonna be a big deal. So, this is a key year.
I think the only point I'd like to make is don't waste this year. This is a key year for you to really get ready for those future-dated ones. And if your audit is near the end of the year, in other words, you've just finished an audit and now you're gonna do one near the end of twenty twenty four, you gotta start working now on those future-dated ones so that you can be ready and not caught by surprise for your next audit cycle because it just may not be worth, you know, waiting even more.
Yeah. So I I would say have a plan.
That way you can know if you're gonna need budget and know what personnel are gonna be involved so you can hit the ground running when those future-dated requirements are now. When it's twenty twenty five, you know... And I think we'll probably do a webinar or podcast on some of those future-dated things. So watch for that. For sure.
From SecurityMetrics.
So what makes our team stand out, Gary? How do we... why should you work with SecurityMetrics?
Yeah. Well, so over the years, the CEO and I have talked about what we really wanted the characteristics of our audit team to be. And some of those were really important. Otherwise, we'd like to have our auditors have a life as well and not always be traveling.
So we have a decent workload or a reasonable workload that's expected of them so that they're not always traveling and always trying to work on something, all during different stages. Right? So we kind of limit the velocity that they have to be running, number one. And number two, we really try to hire people that are really knowledgeable, lots of experience.
We have hundreds of years of experience, I think, when you look at all of the people on our team currently.
And we want them to be good communicators. Kind of part of our thing is, I like to think, is we're the guys you can get hold of, and we're the QSAs that are easy to talk to. Not to say that there are other QSAs that do that. Right?
We're not the only ones. But we pride ourselves on having really good customer communications, and that's why we have dedicated kind of audit coordinator staff. Each auditor has kind of a helper that will help him or her schedule calls, visits, be somebody that a customer can call and talk to right away. They're always in the office, always available even when a QSA is out on a job, out of the country, you know, in a different time zone.
And you're thinking, I got this question. I really need to ask my QSA. And boy, it would be great if you'd get back to me really quick. And it's like, well, sometimes your QSA can't get back to you really quick. Yeah.
Because they're a long ways away or deep into something else or in a different time zone. And so it's nice to know that you can just call somebody in our office here in the mountain time zone and find out what's going on and get some expectations and know that somebody's looking after your questions.
I love being able to tell people, like, look. We're not requiring our QSAs to pump out fifty to a hundred ROCs a year, and that enables them to be responsive as you just said. Right? They're not working on four projects at once. They have one or two going at a time. They'll be responsive when you call them. They'll know what you're talking about because they're only working on one or two projects.
Yeah. Or three or four. It sort of depends. Right? But, yeah, not totally saturated with everything.
So I appreciate you making time to come and chat with us today, Gary. I think it's good for customers and potential clients to hear four dot o isn't as scary as some people may have thought, and we're happy to help them through this process.
Yeah.
And we really like our enterprise sales team. These guys know a lot, and don't think that you have to always speak to a QSA, but we're always here to answer your questions. And we enjoy working together. I think we have a great team, and we look forward to being your partners in your next PCI compliance event.
We'd like to thank everyone for joining us today. We've covered a lot of topics, a lot of good items here today. This webinar is being recorded. We will send out a copy of it. There's a lot of resources attached, so please, you know, look into those resources. We put a lot of time and effort into those, and give us a call. We're happy to help answer any questions you might have.