PCI DSS v4.0 Goal 4: Enhance validation methods and procedures

September 12, 2022

At a glance

The main takeaway: PCI SSC has issued a 360-page supplemental Requirements and Testing Procedures document. This document provides QSAs extensive clarification and guidance to enhance validation methods and procedures for PCI DSS compliance reporting.

Impact on your business: The PCI 4.0 Requirements and Testing Procedure document provides detailed guidance and explanations of each specific PCI sub-requirement. It serves as an essential educational resource for any person or entity responsible for PCI DSS compliance.

Next Steps: Version 3.2.1 will be officially retired on March 31, 2024. Until this date, entities can choose either version 3.2.1 or version 4.0 as the standard against which to demonstrate their PCI compliance status. Due to the considerable changes in version 4.0, Aprio believes it is in the best interest of your business to begin your transition to PCI DSS v4.0 as soon as feasible.

Schedule a consultation with an Aprio PCI DSS Qualified Security Assessor today.

The full story:

In this video, we will highlight changes made in PCI 4.0 to enhance validation methods and procedures. The release of PCI DSS 4.0 includes extensive clarification and guidance to enhance the validation methods and procedures employed by QSAs when conducting and reporting on PCI DSS compliance.

Much of this clarification is embodied within a supplemental document issued by PCI SSC entitled “Requirements and Testing Procedures.” To say that this 360-page document is extensive and informative is surely a significant understatement.

PCI v4.0 essential reading

PCI SSC’s Requirements and Testing Procedures document provides extensive guidance on all aspects of the validation process. This includes guidance for the Customized Approach and detailed considerations for defining the PCI CDE scope, which we highlight in a related video. This document also provides definitions of relevant PCI terms.

This document also provides outstanding explanations of each specific PCI sub-requirement. In addition to this explanatory guidance, the document states the purpose of each requirement and offers good practices and examples for fulfilling it, assuming the entity is using the Defined Approach discussed in another video.

We expect that this very extensive clarification of PCI validation methods and procedures will promote greater consistency and effectiveness of PCI DSS examinations. We also think that the document will serve as a terrific educational resource for any person or entity responsible for PCI DSS compliance.

PCI v4.0 Report on Compliance (ROC) structural changes

PCI SSC also made significant changes to the structure of the Report on Compliance (ROC) for 4.0 to improve its effectiveness and usefulness. Three significant changes are as follows:

  1. The ROC summary and associated AOC will now highlight whether the Customized Approach was used for some portion of each of the 12 requirement categories.
  2. In keeping with the theme discussed in another video related to security as a continuous process, there is a new finding option, “in place with remediation.” This was added to give the reader of the ROC and associated AOC more transparency about the effectiveness of the controls throughout the compliance period.
  3. The ROC and associated AOC are now structured to facilitate a Partial Assessment, in the event an entity needs to validate a limited scope of the ROC.
