Common Questions When Preparing to Transition to PCI DSS v4.0

What lessons have we learnt from early PCI DSS v4.0 transitions?

We find the organisations with the smoothest and easiest transitions are those that have mature, robust PCI DSS processes and policies which have been effectively implemented and monitored.  In these cases, introducing the new requirements becomes relatively simple as all you will need to do is determine how you will meet that requirement and build a new process to facilitate this.  If you have a strong understanding of how your existing processes work, you will find it easier to add to them in order to meet a new requirement, integrate new processes, or build a new process for the same team to manage, helping members of your organsiation get on board with the changes and mitigating the level of disruption your transition will cause.

We have also found having a small, static PCI DSS environment will help organisations achieve a successful and more straightforward transition. Reducing the size of your PCI DSS scope is something we will recommend in general as the smaller and more stable your environment is, the easier it will be to comply with the Standard.  A smaller environment will see less frequent changes, and therefore fewer opportunities for something to be forgotten and for areas of noncompliance to unexpectedly appear.

Finally, it’s important to have a means of securely sharing evidence, as there is now a greater emphasis on certifying organisations sharing evidence with their assessors.  Under previous versions of the Standard, QSAs would need to collect screenshots, samples etc. as evidence of your PCI DSS compliance, however the Payment Card Industry Security Standards Council (PCI SSC) now wants assessors to collect much more evidence than they used to.  For example, if your assessor states in the Report on Compliance (RoC) that they have viewed a process, they will now need to supply evidence that they have seen it, which you will need to provide.  As such, having the ability to quickly and securely share files and documents will be extremely valuable for increasing the efficiency of your assessment.

How will the changes to evidencing compliance in PCI DSS v4.0 impact your assessment planning and preparation?

Effective planning and preparation prior to your PCI DSS assessment is always essential, however this is especially true of v4.0 transition assessments due to the changes that have been made to the way evidence is collected for the RoC.  While RoCs to previous versions of the Standard were focused on the QSA providing narrative descriptions of assessments, for v4.0 RoCs QSAs will need to provide detailed descriptions of evidence which is then referenced to demonstrate how the certifying organisation has met each requirement.  For a detailed explanation of how evidencing compliance in PCI DSS assessments has changed, see our blog on What are the Key New Requirements with PCI DSS 4.0.

Because of these changes, planning from an evidence rather than an assessment perspective may make it easier for you to shift your assessment to the v4.0 approach.  In practice these changes may, for example, impact the way your assessor wants to interview individuals about specific processes.  Previously, QSAs would tend to be led by requirements in their approach to conducting interviews, i.e. starting with requirement 1, installing and maintaining firewalls, and speaking to the individual(s) responsible for managing firewalls, then moving to requirement 2, etc.  

Now, it makes more sense for your QSA to outline which systems, processes, policies etc. need to be discussed, and for your organisation to allocate personnel to each section.  When an individual or team has been allocated to multiple sections, each can be addressed within a single, longer session.  This will require you to plan, in advance of the assessment, who will be responsible for supplying each piece of evidence, and how sections can be grouped together to achieve maximum efficiency.

How long does it take to conduct a PCI DSS QSA assessment?

It’s difficult to provide a figure regarding a ‘typical’ assessment as there is a lot of variation in the amount of time assessments can take. 10-14 days should cover most assessments, however we conduct assessments that are completed in 3 days and some that take 3 months.

What are acceptable forms of multi-factor authentication (MFA) for PCI DSS v4.0?

While the use of MFA in some circumstances was a requirement in previous versions of the PCI DSS, in v4.0 the areas where its use is mandatory has been expanded.  To learn more about the changes to MFA requirements in PCI DSS v4.0, read our blog on What are the Key New Requirements with PCI DSS 4.0.

Essentially all forms of MFA are compliant with PCI DSS v4.0.  Token-based authenticator applications for mobiles, biometrics (fingerprints, facial recognition, iris scanners, etc.) and certificates, as well as anything the National Institute of Standards and Technology (NIST) or the UK Government recommend, are all valid forms of MFA.  However, SMS-based tokens are noncompliant due to the ease with which an SMS message can be intercepted and/or spoofed.

If you develop applications that interact with the cardholder data environment (CDE), do these applications need MFA to be compliant with PCI DSS v4.0?

In general, if the application is considered part of the CDE within the scope then any non-consumer users of that application would need to MFA to access it.  Also, if the application itself has accounts that it uses to access other CDE devices, often called 'system-to-system' accounts (the PCI DSS refers to these as service accounts), then while these service accounts don't need to MFA there are a large number of new requirements around the control and management of these service accounts.

Have the requirements around password length changed in PCI DSS v4.0?

Yes, the minimum password length has been increased from 7 to 12 characters.

If you outsource all payment processing to third parties, do you no longer have to comply with PCI DSS v4.0?

No, you will still need to comply.  If your organisation takes payments from any of the major card brands, your organisation will be contractually obligated by its bank to comply with the Standard.  If you outsource all of your payment processing, this will mean you are on Self-Assessment Questionnaire (SAQ) A and are responsible for making sure that your suppliers are fully compliant with the Standard. Ultimately, while you can outsource the knowledge and work required to comply with the PCI DSS, you cannot outsource your responsibility.

If your scope changes between assessments, (e.g., you start taking payments over the phone) will you need to recertify to the PCI DSS?

Technically, you do not recertify but are instead reassessed against the PCI DSS.  Compliance with the PCI DSS should be a continuous aspect of business-as-usual operations, and the assessment is simply a snapshot in time which demonstrates that this is the case, rather than an official certification sign off which has an expiry date.  As such, even if your scope changes drastically between assessments this should not invalidate your compliance, as you should always be compliant with the Standard.

However, scope changes, such as starting to take payments over the phone, may constitute a significant change.  There are a number of requirements which outline what you need to do following a significant change including penetration testing, vulnerability scanning, updating documentation, reassessing scope, etc.  During your next annual assessment, your assessor will look at everything you did to check you maintained compliance throughout that change.

Are there any tools available to help you comply with the new script integrity checking requirement in PCI DSS v4.0?

The new version of the Standard has introduced Requirement 6.4.3 which, among other things, dictates that certified organisations must check the integrity of scripts on their payment pages; for further information about Requirement 6.4.3, URM’s How to Meet Key New PCI DSS 4.0 Requirements blog provides in-depth guidance on the new requirement and how to meet it.

There are a variety of tools available on the internet which can assist you to meet this requirement, however we would strongly recommend you remain wary of marketing claims about what the product can do, as these aren’t always accurate.  For example, a product may claim to be able to ‘make you PCI DSS compliant’; unfortunately, this will never be true. While a product may make compliance easier, no tool, product or service will be able to make you compliant by itself.  If you do decide to utilise tools, ensure you have a comprehensive understanding of which requirement that tool will help you meet, and what you will need to do to use that tool in a way that helps facilitate compliance.