2. Speakers
Pramod Deshmane,
PCI QSA, P2PE QSA, CISA, CISM, CDPSE
Having worked for ControlCase for the past 13 years,
Pramod leads the US Retail, Technology, BPO and
Payments verticals, overseeing all US based
certifications.
Kishor Vaswani,
ControlCase Founder and
Advisory Board Member
Kishor founded ControlCase (an IT Security
and Compliance company) in 2004 and scaled
it through its expansion to more than 1,000
customers in 40 countries.
5. ControlCase Snapshot
CERTIFICATION AND CONTINUOUS COMPLIANCE SERVICES
Go beyond the auditor’s checklist to:
Dramatically cut the time, cost and burden from becoming certified and maintaining IT compliance.
• Demonstrate compliance more efficiently
and cost effectively (cost certainty)
• Improve efficiencies
⁃ Do more with fewer resources and gain
compliance peace of mind
• Free up your internal resources to focus
on their priorities
• Offload much of the compliance burden to
a trusted compliance partner
1,000+ CLIENTS
10,000+ IT SECURITY CERTIFICATIONS
275+ SECURITY EXPERTS
6. Solution
Certification and Continuous Compliance Services
“I’ve worked on both sides of auditing. I have not seen any other firm deliver the same product and service with the same value. No other firm provides that continuous improvement and the level of detail and responsiveness.”
— Security and Compliance Manager, Data Center
7. Certification Services
One Audit™ – Assess Once. Comply to Many.
Frameworks covered: ISO 27001/2, CMMC RPO, SOC 1, 2, 3 & Cybersecurity, HITRUST CSF, HIPAA, PCI DSS, GDPR, NIST 800-53, PCI PIN, PCI PA-DSS, FedRAMP, PCI 3DS
“You have 27 seconds to make a first impression. And after our initial meeting, it became clear that they were more interested in helping our business and building a relationship, not just getting the business.”
— Sr. Director, Information Risk & Compliance, Large Merchant
10. Transition timeline for PCI DSS 4.0
• PCI DSS v3.2.1 is valid for
assessment until March 31, 2024,
upon which it will be retired.
• Until March 31, 2024, organizations
can use either the v3.2.1 or the v4.0
standard for their assessments.
• From April 1, 2024, only v4.0 will
be the active PCI DSS standard
that can be used for the
assessments.
• All future-dated new requirements
get an additional 12 months (i.e.,
until March 31, 2025) before they
become effective.
Source – PCI SSC
12. Goals for PCI DSS v4.0
- Continue to meet the security needs of the payment
industry
- Security practices must evolve to continue to meet the
security needs of the payments industry as threats
change.
Example:
o Made new updates to multi-factor authentication (MFA)
requirements.
o Updated password requirements in-line with current
industry best practices.
o Added new e-commerce and phishing standards to
address the ongoing threats.
o Updated requirements for Sensitive Authentication Data
(SAD) secure handling.
o Added an authenticated internal vulnerability scanning
requirement for greater insight into an organization’s
vulnerability landscape.
13. Goals for PCI DSS v4.0
- Promote security as a continuous process
- Promote security as a continuous process, since
ongoing security is crucial to protect payment data
Example:
o Clearly assigned roles and responsibilities for
personnel working on each requirement.
o Added guidance across requirements to help
organizations better understand how to implement
and maintain security.
o Added a new reporting option that highlights areas for
improvement and provides greater transparency
for report reviewers.
14. Goals for PCI DSS v4.0
- Increase flexibility for organizations using different
methods to achieve security objectives
- Provide more options and different validation methods
to increase flexibility for organizations to achieve
security objectives and to support payment technology
innovation
Example:
o Allowed the use of group, shared, and public accounts
with exceptions.
o Introduced targeted risk analyses that empower
organizations to determine the frequency of performing
certain activities.
o Introduced a new customized approach method to
validate PCI DSS requirements, which gives organizations
another option to consider innovative methods to
achieve their security objectives.
15. Goals for PCI DSS v4.0
- Enhance validation methods and procedures
- Improve validation methods and procedures with
clear validation and reporting options to support
transparency and granularity
Example:
o Increased alignment between information reported
in a Report on Compliance or Self-Assessment
Questionnaire and information summarized in an
Attestation of Compliance
17. Highlights of PCI DSS v4.0 Changes
Several small updates were
made across the
requirements, with added
clarification or guidance.
Renumbered requirements
and testing procedures and
reorganized requirements due
to the addition of numbered
requirement description
headings.
Introduction of a customized
approach that provides greater
flexibility for entities using
different ways to achieve a
requirement’s security objective.
Introduction of targeted risk
analysis for various frequency-
based requirements and
requirements met with the
customized approach.
Introduction of 64 new
evolving requirements with 51
future dated (best practice
until 31 March 2025) and 13
immediate requirements.
18. PCI DSS v4.0 – New Requirements
PCI DSS v4.0 includes several new requirements to meet the security needs of the payments industry and
promote security as a continuous process.
PCI Requirement Ref. – Requirement
All PCI Requirements – Documented roles and responsibilities for all PCI activities
Req. 3.4.2 – Technical controls prevent copy and/or relocation of PAN when accessed using remote-access technology
Req. 3.5.1.1 – Keyed cryptographic hashing for PAN
Req. 5.4.1 – Mechanisms to detect and protect personnel against phishing attacks
Req. 6.4.2 – Implementation of an automated technical solution for public-facing web applications to prevent web-based attacks
Req. 6.4.3 – Manage all payment page scripts that are loaded and executed in the consumer’s browser
Req. 8.3.6 – Updated password requirements (a minimum password length of 12 characters)
Req. 8.4.2 & 8.5.1 – MFA (Multi-Factor Authentication) for all access to the CDE, and secure configuration of the MFA system
Req. 10.4.1.1 – Automated mechanisms to review audit logs for all CDE and critical systems
Req. 11.3.1.2 – Internal vulnerability scans via authenticated scanning
Req. 11.6.1 – A change-and-tamper-detection mechanism for payment pages
Req. 12.3.1, 12.3.2 – A targeted risk analysis for requirements that provide flexibility and for requirements met with a customized approach
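Req. 3.5.1.1 above asks for a keyed cryptographic hash of the PAN. The Python below is an added illustration, not code from the slides or from ControlCase, of why an unkeyed SHA-256 digest does not satisfy that intent while an HMAC under a secret key does; the test PAN is a constructed, Luhn-valid sample, and the key handling and function names are assumptions.

```python
import hashlib
import hmac
import secrets

# Assumption: in production the key lives in an HSM/KMS under the PCI DSS
# key-management requirements; it is generated inline here only so the
# example runs stand-alone.
DEMO_KEY = secrets.token_bytes(32)


def luhn_valid(pan: str) -> bool:
    """True if pan is an all-digit string that passes the Luhn check."""
    if not pan.isdigit() or len(pan) < 12:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def unkeyed_pan_hash(pan: str) -> str:
    """Plain SHA-256 of the PAN. No secret is involved, so anyone who holds the
    digest can recompute it from a candidate PAN; the PAN space is small
    (fixed BIN ranges plus a Luhn digit), which is why this is not enough."""
    return hashlib.sha256(pan.encode()).hexdigest()


def keyed_pan_hash(pan: str, key: bytes) -> str:
    """HMAC-SHA256 over the PAN; without the key the digest cannot be recomputed."""
    return hmac.new(key, pan.encode(), hashlib.sha256).hexdigest()


def pan_matches(candidate_pan: str, stored_digest: str, key: bytes) -> bool:
    """Constant-time comparison of a candidate PAN against a stored keyed digest."""
    return hmac.compare_digest(keyed_pan_hash(candidate_pan, key), stored_digest)


def masked(pan: str) -> str:
    """Display form: first six and last four digits only."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


if __name__ == "__main__":
    sample = "4111111111111111"   # constructed test PAN, Luhn-valid
    print(masked(sample), luhn_valid(sample))
    print("unkeyed:", unkeyed_pan_hash(sample))
    print("keyed  :", keyed_pan_hash(sample, DEMO_KEY))
```

Two systems using the same unkeyed function produce identical digests for the same PAN, so a leaked digest is as good as the PAN; with the keyed form the digest differs per key and is useless without it.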
20. Option 1 – Standalone v4.0 Assessment
• The client environment will be
assessed against PCI DSS v4.0
for a standalone gap or
certification assessment.
• For PCI v4.0 assessment, the
Compliance Hub will have a total
of 100 or 105 questions (based
on the entity type).
Deliverables
• PCI DSS v4.0 Gap Assessment
Report OR
• PCI DSS v4.0 ROC, AOC, COC
22. Option 2 – PCI DSS v3.2.1/v4.0 Consolidated Assessment
• The client environment will be
assessed for PCI DSS v3.2.1
and v4.0 in parallel as a
consolidated assessment effort.
• For the combined assessment,
the Compliance Hub will have a
total of 110 or 115 questions
(based on the entity type) to
answer with an option to
maintain the independent review
status for the questions at the
PCI DSS version level.
Deliverables
• PCI DSS v3.2.1 ROC, AOC,
COC
• PCI DSS v4.0 Gap Assessment
Report with an update on:
• Where do you stand as per
PCI DSS v4
• Status of Immediate Controls
readiness
• Status of Future Dated
Controls readiness
• Customized Approach suited
(Yes/No)
24. PCI DSS v3.2.1/4.0 Consolidated Assessment
Standalone v3.2.1 (96 questions) or standalone v4.0 (105 questions), versus a consolidated assessment (115 questions) using ControlCase Compliance Hub™.
Estimated 25% extra effort gets v4.0 completed in parallel with v3.2.1.
31. THANK YOU FOR THE OPPORTUNITY
TO CONTRIBUTE TO YOUR IT
COMPLIANCE PROGRAM.
www.controlcase.com
contact@controlcase.com