PCI DSS v4.0 Implementation: Harnessing Business-as-Usual Approaches for a Smooth Transition

September 28, 2023

At a glance

  • Main takeaway: PCI DSS v4.0 is here and introduces a number of new and complex requirements. Discover how you can fold its implementation into business-as-usual processes and make PCI compliance part of your information risk management program.
  • Impact on your business: Security leaders want to reduce the cost of compliance without sacrificing security. Implementing strategic business-as-usual processes can streamline PCI DSS v4.0 compliance and strengthen your security posture.
  • Next steps: Aprio’s Information Assurance Services team can help you consolidate multiple assessments, simplify and automate recurring processes, and run a leaner security compliance program.
Are you ready to learn more? Schedule a conversation with our team.

The full story:

What is BAU and how can we apply the concept to implementing a PCI security program?

For over 10 years, the PCI Security Standards Council (SSC) and leaders across the security industry have advocated for a business-as-usual (BAU) approach to implementing PCI DSS. The concept of BAU is simple and nothing new. It refers to the day-to-day activities of a business that are necessary to maintain its operations. BAU applies to all divisions of an organization, and in the realm of information security, we may think of these as the ongoing security operations and recurring governance activities that must take place to secure the data and assets of an organization.

PCI DSS v4.0 advances this philosophy: the new version places greater emphasis on requirements that compel an entity to systematize its security processes, rather than treating them as PCI DSS assessment requirements alone.

When treating a PCI DSS assessment as a once-a-year project, achieving PCI DSS v4.0 compliance can feel like a daunting task. The real intent of PCI DSS is to encourage entities to integrate PCI compliance into the fabric of their organization-wide security and compliance processes.

Effectively integrating PCI DSS v4.0 requirements into BAU processes

For the past five years, PCI DSS v3.2.1 has been the industry standard, but on March 31, 2024, v3.2.1 is retired and PCI DSS v4.0 becomes the only active version of the standard for all organizations; its future-dated requirements become mandatory on March 31, 2025. The updated standard introduces 66 new requirements. These include additional technical safeguards as well as several new processes related to security program governance and information risk management.

These new processes have the potential to introduce a considerable amount of burden on some teams, especially smaller organizations, such as high-growth technology companies and startups. The best way for these companies to minimize their compliance burden is to integrate PCI-related controls and processes into their BAU processes. Let’s walk through the process of identifying which requirements can and cannot be mapped into pre-existing business processes.

Best practices and strategies for integrating PCI requirements into BAU

The first step in successfully streamlining PCI requirements into BAU processes is mapping your applicable requirements to your internal control catalog.

No Internal Control Framework – No Problem

If you are part of a startup or emerging organization and do not have an internal security control catalog, don’t fret. Getting started is easy. Book a quick 30-minute consultation with me and I’ll walk you through everything you need to get your security program started on the right foot.

The goal is to map as many PCI requirements as possible to pre-existing processes and distribute ownership of these requirements across the business to the most logical owners. This could be coupled with a breakdown by business unit owner, and whether the requirement can be automated or must remain a manual, recurring process. For example:

Figure 1: Example PCI v4.0 Mapping to Internal Control Framework

Identifying requirements unique to PCI DSS v4.0 to be integrated into BAU processes

PCI DSS v4.0 incorporates many requirements that integrate neatly into enterprise-wide BAU processes. In fact, most of the requirements included in PCI DSS v4.0 align to popular information security frameworks such as ISO 27001 and the NIST CSF, but there are a handful of requirements specific to the PCI DSS that must be integrated into a larger security program or completed specifically to satisfy PCI DSS.

Once you have completed mapping the PCI DSS v4.0 requirements to your internal control framework and BAU processes, you must identify the remaining applicable requirements and a way to integrate them. We will cover some examples and ideas for integration into BAU processes in the table below.

Integrating PCI specific requirements into BAU processes

As stated above, many PCI DSS requirements map neatly to requirements present in the common information security frameworks that organizations typically adopt to govern their security programs. But a handful of items are unique to PCI, and organizations will need to identify ways to integrate them into complementary BAU processes.

PCI Req. | Description | BAU integration opportunity
1.2.3-1.2.4 | Maintain accurate network and data-flow diagrams of the CDE. | Develop a subset of PCI-specific diagrams and update them in conjunction with enterprise-wide diagrams.
9.5.1.1-9.5.1.3 | Maintain POI device inventories, periodically inspect devices for tampering or substitution, and train personnel who handle them. | Fold POI device training into enterprise-wide training programs and maintain the POI device inventory as part of the larger IT asset management program.
11.3.2-11.3.2.1 | Complete external ASV scans at least once every three months and after significant changes. | Integrate ASV scans into the larger security operations program and update vulnerability remediation SLAs to meet or exceed the PCI baseline.
11.4.5 | Perform segmentation penetration testing of the CDE at least once every 12 months and after changes to segmentation controls (service providers: at least once every six months under 11.4.6). | Integrate segmentation testing into the security operations program alongside vulnerability scanning and penetration testing.
12.3.1-12.3.2 | Perform targeted risk analyses (TRAs) for each requirement that calls for one, and for each requirement met with the customized approach, to PCI’s minimum specification. | Review the TRA guidance and integrate the process into the entity’s existing information risk assessment process.
12.4.2 | Service providers must have select PCI-required tasks reviewed at least once every three months by personnel other than those performing them, to confirm operating effectiveness. | Integrate these independent reviews into an internal audit program and seek automated checks that confirm the operating effectiveness of PCI-related processes.
How Aprio helps organizations track their recurring security compliance activities

Aprio helps its PCI clients operationalize security compliance tasks, and support BAU integration through its assessment platform. This is achieved through the implementation of a compliance calendar and task management system that ties recurring tasks directly to their applicable requirement and their audit artifact. A task can be associated with a company process, or specific compliance requirement. The choice is up to you.

Each task is assigned an owner and a frequency of operation. As a task comes due, the responsible teammate is reminded to complete it and is presented with guidance and an easy link for uploading the supporting artifacts that demonstrate completion.

This helps prevent missed deadlines and processes and reduces assessment and audit burden.
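The 12.4.2 row above asks for automated checks of operating effectiveness, and the compliance calendar described in this section is built around owners, frequencies and evidence dates. The following is an added example of the recency check such a calendar performs, written for this article and not code from Aprio’s platform. It models each recurring PCI control with its owner, its PCI frequency and the date of its newest audit artifact, then buckets controls into overdue, due soon and ok. The requirement references are PCI DSS v4.0’s; the day counts assigned to each frequency, the warning window, and the sample controls, owners and dates are assumptions constructed for the example.

```python
"""Recency check for recurring PCI DSS controls (illustrative example)."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Maximum number of days allowed between two performances of a control.
# PCI DSS phrases these as "at least once every three months" / "every six
# months" / "every 12 months"; mapping them to fixed day counts is an
# assumption of this example, chosen on the conservative side.
FREQUENCY_DAYS = {"quarterly": 90, "semiannual": 180, "annual": 365}


@dataclass(frozen=True)
class RecurringControl:
    req: str                       # PCI DSS v4.0 requirement reference
    name: str
    owner: str                     # business owner assigned in the control catalog
    frequency: str                 # key into FREQUENCY_DAYS
    last_evidence: Optional[date]  # date of the newest audit artifact, None if none exists


def days_until_due(control: RecurringControl, today: date) -> int:
    """Days remaining before the control falls outside its PCI window.

    Negative means the window has already lapsed. A control with no
    evidence on file is treated as lapsed rather than as "not yet due",
    so a missing artifact is surfaced instead of hidden.
    """
    if control.last_evidence is None:
        return -1
    due = control.last_evidence + timedelta(days=FREQUENCY_DAYS[control.frequency])
    return (due - today).days


def review_controls(controls, today: date, warn_days: int = 14):
    """Bucket controls by requirement reference into overdue, due_soon and ok."""
    report = {"overdue": [], "due_soon": [], "ok": []}
    for control in controls:
        remaining = days_until_due(control, today)
        if remaining < 0:
            report["overdue"].append(control.req)
        elif remaining <= warn_days:
            report["due_soon"].append(control.req)
        else:
            report["ok"].append(control.req)
    return report


# Constructed sample data for the example; owners and dates are made up.
SAMPLE_CONTROLS = [
    RecurringControl("11.3.2", "External ASV scan", "SecOps", "quarterly", date(2023, 6, 15)),
    RecurringControl("11.4.5", "CDE segmentation penetration test", "SecOps", "annual", date(2022, 10, 1)),
    RecurringControl("12.4.2", "Independent review of PCI tasks", "Internal Audit", "quarterly", date(2023, 7, 20)),
    RecurringControl("9.5.1.2", "POI device inspection", "Retail Ops", "quarterly", None),
    RecurringControl("12.3.1", "Targeted risk analysis refresh", "GRC", "annual", date(2023, 3, 1)),
]

if __name__ == "__main__":
    report = review_controls(SAMPLE_CONTROLS, today=date(2023, 9, 28))
    for bucket, reqs in report.items():
        print(f"{bucket}: {', '.join(reqs) or '-'}")
```

Run against the sample data on the article’s publication date, the ASV scan (last run June 15) and the POI inspection (no artifact on file) come out overdue, the segmentation test is due within the two-week warning window, and the remaining two controls are within their windows. The same function can be run on a schedule against the compliance calendar’s export so that a lapsed control is flagged before the assessor finds it.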

The bottom line

There are many converging factors making the integration of security compliance frameworks like PCI DSS v4.0 into BAU processes complex, but a necessity. Factors driving BAU integration include:

  • Continued and rapid escalation of security threats targeting high value environments, especially card data environments.
  • Increasing expectations from stakeholders (e.g., customers, prospects, investors, board members and insurance providers) that entities can demonstrate effective security and compliance programs.
  • Expansion and evolution of security frameworks, which continue to make security management and demonstrating compliance more burdensome and expensive.

Entities must begin unifying the various security frameworks applicable to their organization and integrating the processes into their day-to-day operations to achieve efficiencies, reduce compliance costs and ensure ongoing operating effectiveness of the control environment.

Aprio’s Information Assurance Services team can help you streamline PCI DSS v4.0 implementation into BAU processes. Schedule a consultation with our team today.

Related resources

PCI DSS v4.0: New MFA Requirements

About Aprio’s Information Assurance Services

About the Author

Shane Peden

Shane Peden has more than 10 years of experience in information security services. He works with CEOs, CFOs and CIOs, concentrating on high-growth technology companies and startups operating in a variety of industries. Shane has extensive experience helping clients successfully scope, plan, implement and obtain their information security certifications, such as PCI, HITRUST, ISO 27001 and SOC 2.