PCI DSS 4.0: What is New and How it Affects You Q and A

Here are some questions participants asked in our webinar, “PCI DSS 4.0: What Is New And How It Affects You.”

Question 1:

I manage a very small trade association. All we do is take credit card payments for dues payments and meeting registration fees. Is this something I need to worry about and take action on, or is this something that my credit card service provider does? What about my web hosting service? Thank you.

• Gary: Good question. You can’t ignore PCI if you take credit cards. However, depending on how you take them, PCI may mean more or less. You are subject to PCI DSS 3.2.1 now. If volume is low, and depending on your credit card flows, there will be an SAQ for you. (Not 4.0 yet…soon). If you have trouble doing your own scoping, you can work with a company like SecurityMetrics to help out.
  

Question 2:

Is there such a thing as doing a "hybrid" with some customized approach controls, and the rest as "traditional"? Or, is it all or nothing. Either a company does a Customized approach, or they don't?

• Matt: You can indeed mix approaches in a single ROC with some requirements being handled by the defined approach, some custom. But remember, using a customized approach adds so much complexity to the process you may want to weigh the cost and effort. The customized approach could work well for large mature organizations.
  

Question 3:

If we are currently working to get our company up to compliance with the standards for PCI DSS 3.2.1, do you recommend we focus on meeting those standards for now and focus on 4.0 in 2023 or skip 3.2.1 and start working towards 4.0 instead?

• Gary/Matt: That is not an easy answer. It may depend on the layout of your systems, how close you are to security compliance, and how soon you have to validate compliance (if soon, stick to 3.2.1). But if you are brand new and have some time, I would advise just going to 4.0. Remember that you can work on the future dated requirements (some harder) over 3 years. If you would fall under an SAQ for compliance validation, you’ll have to wait for a bit still to see what those look like.
  

Question 4

Will SecurityMetrics provide a risk assessment template form or process?

• Gary: Good question. Risk assessments will be a more heavy lift. As mentioned, our process is based on NIST 800-30. We currently don’t have a “template” per se but we may look into that. I’m not sure it will be incorporated into our SMB customer portal, but there’s still lots of time, so stay tuned.
  

Question 5:

I wanted to understand the use case of cloud components.

• Gary: Hmmm, this is not a lot of info and I can interpret this in lots of ways. If you are saying can you get PCI compliant using parts of your systems, networks, and applications hosted in the cloud, I can confidently say yes for both in-play versions of PCI DSS. Now, if you are asking about a specific technology, that is something that is best handled on a one-on-one basis by learning more about a specific question. We routinely work with customers using many types of cloud services and system components in the cloud. PCI DSS 4.0 is trying to address the cloud better and clearer. Call a QSA for consulting help if needed.

Question 6:

Any recommendation on where is a good place to start to learn (documentation, playbook, etc) more about doing "formal risk assessments," as you mentioned?

• MATT: Download NIST 800-30, OCTAVE, CIS RAM standards and read them. There are lots of great articles on the web about implementing a formal risk assessment. Web searches are your friend. We do have a recent PodCast on this topic that did a high-level look at that.

Question 7:

Considering Sensitive Authentication DATA (SAD), one vendor requested us to store SAD and in their terms and conditions explicitly requires the user to accept all liability for the vendor’s storage of the CVV. Is that PCI DSS 4.0 compliant?

• Matt: No, that is not PCI compliant now or later if I understand your question. Sometimes people ask about storing SAD for recurring transactions. It’s still not OK.

See also: SecurityMetrics PCI Guide

Question 8:

Could you elaborate on Disk encryption for non-removable storage for storage solutions that hold databases with CHD?

• Gary: It’s not going to be allowed anymore (effective March 31, 2025), for nonremovable storage devices. . So, if it’s a hard drive with a database, you need to move to a solution for direct data encryption, for example, column-level encryption of the data.
  

Question 9:

Are Mobile apps going to be in scope for PCI requirements?

• Gary: This is a question that has been asked many times in the past and will continue to be looked at. As the world moves to more mobile platforms there are for sure going to be more card flow pathways through mobile devices. The quick answer that is still valid, even moving to PCI DSS 4.0, is that if the mobile app is running on the device itself (not a redirect), is “merchant facing”, and being used to take credit card numbers from a whole bunch of different customers, then the mobile app would be in scope for PCI DSS requirements and in most cases needs to be running on a dedicated mobile device (not a personal phone or tablet). If the app is “customer-facing” (i.e - running on a personally owned phone or tablet) then the app really is only dealing with that customer's credit card number and therefore not in scope for PCI DSS requirements. The PCI council has developed and will continue to develop standards that may become applicable to more mobile device situations (standards such as SPoC, CPoC, etc). Again, work with a PCI professional like a QSA or SSF assessor for more details.
  

Question 10:

Could you recommend your 5 most important steps to get ready for PCI DSS 4.0?

1. Read. Get familiar with bigger changes and start formulating your company’s plans.
2. Engage with a QSA to help with your questions or planning.
3. The risk assessment process is a big component of PCI 4.0 to understand better and establish a plan for. This may be the biggest thing you can do now to get ready for 4.0.
4. If you want to move to 4.0, you can begin on your own, or with a QSA, but realize that 4.0 audits cannot be officially conducted until after June 2022.
5. Don’t wait until the last minute to start, even though there is still plenty of time.
   

Question 11:

Were there no new requirements regarding VoIP?

• We did not notice any at first reading. You still have to protect it if you control it. See the council's FAQ and info supplement on VoIP. They are still valid.
  

Question 12:

What is being done to simplify the PCI process for small business merchants?

• Gary: The PCI council is really not the entity that is concerned with simplifying the SMB compliance processes. For sure they want people to be able to use the standard and validate their compliance (hence the SAQ’s) but they will not work on making that process any simpler than they have. Merchant banks often use a “portal provider” for their merchants to validate PCI compliance through. Work with your merchant bank or call one of the portal providers for information. SecurityMetrics offers a portal for use by small merchants, we hope it simplifies their PCI compliance efforts.
  

Question 13:

Do backups need to be encrypted on the fly? or can they be simply encrypted at rest?

• This could be a complex question, it depends on the system that is being used. Yes, your data needs to be encrypted. You could do either as long as, in the end, the data is protected by encryption.
  

Question 14:

ROC prep work between our QSA and our company seems to always be very cumbersome because we are using Word and PDF essentially. Was it ever discussed during the RFI as to whether the Council would ever be willing to provide the requirements, and other documents in a more manageable database-like format other than PDFs, so they can be imported into GRC control technology?

• The PCI Council won't be doing that in my opinion. They do have a spreadsheet for the Prioritized Approach for 3.2.1 (and I expect they will create one for 4.0 as well) that contains summaries of all the requirements so that could be a place to start. But you are right, if you want the requirements in a database or a portal you have to do it yourself. QSA companies have done this and many companies have done it as well. Find a QSA with a nice customer-facing audit portal, like we have.
  

Question 15:

How are server-less related applications going to be affected in regards to monitoring systems? Logs and such are movable, but actual systems like AV scanners are not possible in those types of cloud options.

• This is a thing now, not necessarily a 4.0 thing coming up. There were no specific statements in 4.0 about it as far as I can tell. Work with a QSA or consultant to come up with a good plan.
  

Question 16:

Were there any changes to requirements around pen testing?

• Not big ones.