PCI DSS v4.0 Goal 2: Promoting security as a continuous process

At a glance

The main takeaway: Historically, PCI has been viewed as a point-in-time compliance standard and this explains why many entities have not established capabilities to treat PCI security as a continuous 24×365 process. PCI 4.0 establishes new requirements across the data security standard for security to be managed as a continuous process.

Impact on your business: PCI version 4.0 includes requirements for security roles and responsibilities to be defined, documented, assigned and understood by all security personnel and how security policy is communicated to all personnel. There are also new requirements for the frequency of the documentation and confirmation of PCI DSS scope for both entities and service providers.

Next Steps: Version 3.2.1 will be officially retired on March 31, 2024. Until this date, entities can select between version 3.2.1. or version 4.0 as the standard to demonstrate their PCI compliance status. Due to the considerable changes in version 4.0, Aprio believes it is in the best interest of your business to begin your transition to PCI DSS v4.0 as soon as feasibly possible.

The full story

PCI has long been regarded as a leading technical security standard. However, compared to security standards such as the NIST Cybersecurity Framework, or the ISO 27001 standard, PCI DSS has had less emphasis on the people or governance side of security. This has in turn contributed to the PCI DSS often being viewed as a point-in-time compliance standard. This explains why many entities have not established capabilities to treat PCI security as a continuous 24×365 process.

Security personnel roles and responsibilities

In our view, what could be the most significant change represented by Version 4.0 is how it now establishes requirements across the DSS for security to be managed as a continuous process. Version 4.0 accomplishes this by addressing two aspects of roles and responsibilities. The first relates to those personnel performing security-related activities. For this group of people, the standard requires the entity to ensure that their roles are documented, assigned and understood.

Security awareness training

The second aspect supporting maintaining security as a continuous process relates to how the Information Security Policy must now address how all personnel are made aware of and acknowledge their information security responsibilities.

The net result of these new requirements is that every person across the organization needs to know, understand and acknowledge their security responsibilities – whether they are a technical administrator or casual user. In our view, this enhancement to 4.0 is the most effective means of promoting security as a continuous process.

The frequency of PCI scope definition and documentation

Finally, another significant change in version 4.0 related to promoting security as a continuous process, is the requirement for entities to document and confirm the PCI DSS scope at least every 12 months, and upon any significant change to the CDE. For service providers, the requirement is to confirm the scope every six months and upon significant changes.

This sets the expectation that scope definition and associated controls are continuously updated and confirmed, and in so doing , this is another very important means of promoting security as a continuous process.

Related Resources

We have created a series of videos to drill down into the purpose and intent of these goals and the changes represented in 4.0 to achieve these goals.

• The 4 Goals of PCI DSS v4.0: Executive Summary
• PCI DSS 4.0 Goal 1: Continuing to meet the security needs of the payment card industry
• PCI DSS 4.0 Goal 3: Increasing flexibility of methods to achieve security objectives
• PCI DSS 4.0 Goal 4: Enhancing validation methods and procedures