Compliance Unfiltered is TCT’s tell-it-like-it-is podcast, dedicated to making compliance suck less. It’s a fresh, raw, uncut alternative for anyone who needs honest, reliable compliance expertise with a sprinkling of personality.

Show Notes: Moving to PCI 4.0


Quick Take

On this episode of Compliance Unfiltered, Adam gives the listeners an in-depth view of what to expect from the impending switch to PCI v4.0. The March 31st deadline is fast approaching, and the CU guys want listeners to be properly prepared.

Curious how hard the transition will actually be? Wondering what to do if your recertification date falls outside the standard April-May window? Looking for tools to help in your transition?

All these answers and more, on this week’s Compliance Unfiltered!



So let’s face it, managing compliance sucks. It’s complicated, it’s so hard to keep organized, and it requires a ton of expertise in order to survive the entire process. Welcome to Compliance Unfiltered, a podcast dedicated to making compliance suck less.
Now, here’s your host, Todd Coshow, with Adam Goslin.

Well, welcome in to another edition of Compliance Unfiltered. I’m Todd Coshow, alongside the master florist to your compliance bouquet, Mr. Adam Goslin. How the heck are you, sir?

I don’t think I’ve ever been called a master florist. That’s fun. I’m doing good, Todd. Always so.

I can’t complain, sir. I can’t complain. Now, today we’re going to jump right into it. And that is, the deadline is fast approaching, that of 3/31/2024, for filling out PCI 3.2.1 paperwork. What do folks, Adam, need to know now regarding the transition to PCI 4?

Well, at a high level, you’re correct. That deadline is fast approaching. Most organizations have been dragging their feet and da-da-da-da. But the reality is that the time for putting it off is certainly past at this stage of the game. Organizations in the PCI space need to turn their focus to, what the hell do we do here? The reality is that folks can sign off on a PCI 3.2.1 AOC until the end of March. And for everybody that has an annual date that falls on April 1st or afterwards, then you have to go against 4. So if you haven’t already gone down the path of making the transition, I know for the folks that are listeners, certainly those that are in the assessor space, they have been seeing a pretty big pickup in terms of people starting to have that kind of oh-shit moment. And they are also seeing a pretty heavy push of people wanting to get their stuff wrapped up before the end of March. So the assessor world is certainly hopping. And for the companies that are subject to compliance, they really need to get their game together in terms of getting through this process.

Now, how hard is it going to be for folks to make the transition to PCI 4.0? That’s really the question that everybody wants to know about.

Well, switching is going to be interesting as organizations go. A lot of companies are surprised at how much needs to change, how much they need to gut about what they’re doing. There’s a lot of planning, a lot of analysis involved in making the transition. Certainly, if you’re lucky enough to have an assessor, it’ll require a lot of conversation with them as you go through the process. And if you are not an organization that leverages an assessor, it’s going to take time and effort to get your arms around the new requirements and figure out the impacts to your organization. You’ve got changes to your policies and procedures, rounds of confirmations, and double-checking your scope confirmation. The reality is that if the organizations that are about to go through this process are using kind of a spreadsheet approach to how they do what they do, they’ve got literally hundreds of hours of work ahead of them. Not 100 or 200, but they could be in the 400-or-more-hours range when all is said and done, just trying to get themselves prepped and ready to head down this path. You figure that compendium of work includes a lot of different moving pieces and parts. They’ve got to go down and identify what’s new and different about PCI 4. What does each of the new requirements mean in their circumstances? Figuring out, of the totality of requirements for 4, what do I already have sorted out? They’ve got to basically map their existing controls from 3.2.1 over to PCI 4. They need to figure out what adjustments they need to make to their policies and procedures. They’ve got to go in and gut and replace their tracking and management system for how they go up against this new standard.
Any tracking systems or storage locations that they’ve got for how they do what they do are going to need to be revamped for 4. Building out their strategic plan for the transition, assigning tasks to all the various people, tracking and reporting their progress along the way, and certainly reporting their progress up to leadership.
These are all internal elements that every organization that’s going to be going through this process is going to need to face and resolve as they make this transition. And for those that are dealing with an assessor or QSA, Qualified Security Assessor, they also need to coordinate with them. It’s certainly not going to be as quick and easy as it was to do your recertification under PCI 3.2.1.

There’s going to be a lot of back and forth as they get their arms around the intricacies of PCI version 4.

What should folks be doing if their annual AOC date is in April or May of this year?

Yeah. I mean, honestly, if you’re in early April, you’re as few as three months away from this. So if your signature date on your AOC is in that April or May timeframe and you haven’t started this yet, man, you have a ton of work that needs to get done in a very, very abbreviated period of time. You’re going to need to get through all of your transition and get everything buttoned up in as little as three months. It’s going to be unbelievably challenging to navigate those waters. The one recommendation, or one point of consideration, for these companies, especially if they haven’t even started: you may want to consider drawing your date forward. Draw your date forward and get your 3.2.1 paperwork signed off. Let’s say that late May or something is your annual date for signature. I understand you’re going to basically make this year’s cycle for 3.2.1 nine or ten months instead of a full twelve months. There’s nothing stopping you from going in and re-signing in advance of that 3/31. I’ve seen a lot of organizations that are now pushing their annual assessment date forward on the calendar, kind of ahead or earlier on the calendar, so that they can just go ahead and fill out all of their paperwork in March. That way they effectively buy themselves a year to go through the transition. So if you do go in and sign off on your AOC early, the one thing for organizations to keep in mind is that you’re now effectively pushing up this compendium of work you otherwise probably would have been doing March through early May; honestly, it’s now work that’s going to get pushed into your January to March timeframe. So keep in mind that you’re going to have some stress and some strain on your internal personnel by making the attempt to shift that date forward. It’s not going to be easy, but maybe easier than contemplating pulling an entire transition to 4 out of your fanny over that same period of time.

You know what I mean?

I certainly do. Now, what about folks who have their annual compliance recertification date later in the year?

Well, for them, it’s a different math problem, right? If your AOC is in July or August, you’re not as under the gun as those people that have April or May dates, but again, it’s going to take them more time than they think. And I can tell you that even six months isn’t going to be, oh yeah, now we’ve got tons of time and blah, blah, blah. It’s not going to be a comfortable path. Really, for those organizations that have recertification dates very late in calendar Q2, or in Q3 or Q4, certainly for the late Q2s and early Q3s, it’s going to be a pressure cooker to try to get through it. Certainly, the organizations that are using spreadsheets, their own whatever, SharePoint or network drives to store all their stuff that needs to get overhauled and whatnot, those organizations are likely to feel the greatest amount of pain, just because they may now need to go in and not only recreate their systems and management tracking and blah, blah, blah, but now they also have to go through all the other tasks that I just went through. If you’re in a Q4 type timeframe, you’re in a better position. But you don’t want to be wasting time as you’re heading down this path. Certainly, I’d recommend to organizations, if you haven’t started on your PCI 4, get freaking started on it, because it’d be a hell of a lot better situation to have a sense of comfort and have everything all set in advance of basically having the proverbial gun at temple, if you will.

Most definitely. What tool sets should listeners put consideration into regarding the transition?

Well, I mean, just for clarity, there are literally 2000 more checkboxes to check on this version. Yeah, yeah, I think in totality there’s almost 600 different moving pieces and parts for a PCI 4 run, and that doesn’t even count how many more come into play when you start turning a PCI 4 track into operational mode. The one thing for the organization: certainly tooling is an element of this equation, which has the capability to either make your world monstrously more painful or monstrously less painful. Life is full of choices. The difficulty with manual systems is, even if you have this homegrown system that you spent years perfecting before PCI 4, you’re going to need to make a whole bunch of fundamental changes to be able to get this cycle to run effectively. And you’re going to have to do a bunch of work to get things lined up so that they’re working correctly. It’s probably going to be quite the mess. You’re going to be spending a bunch of resources and indirect dollars on the effort of the retooling and whatnot. And the one thing that the organization should put into consideration is, do we really want to invest in that adventure? Or do we want to just take those dollars and put them toward actual physical tooling that will help? The other thing for organizations to keep in mind is that, whether they’re going up against PCI 4 or not, PCI 4 is going to turn into PCI 4-point-something, eventually turning into PCI 5.
For organizations out there that are dealing with PCI and other certifications, let’s say an organization that’s going through SOC and HIPAA and ISO, as an example, all of those standards are going to be changing as well. So you have a more and more complicated landscape for what we need to be able to support through the process. So that said, for those that are looking for an easier transition, certainly tooling sets like the TCT Portal, Compliance Management Systems, are built literally to be a godsend. You’ve got a whole bunch of capabilities at your fingertips, including, if you’re on this quick push to go through your 3.2.1, then go ahead and use a Compliance Management System. Do your 3.2.1 on that system. That way, you’ve got the ability to do a number of different things that fall right at your fingertips, things like automatically mapping your PCI 3.2.1 into 4, and being able to have reference material as you’re going through for what you did the last time on similar controls under 3.2.1. Who did what? Who did which particular elements and items? You’re able to instantly tell things like, what items is it that we don’t have covered? You can tell that simply when you’re taking advantage of tooling and tool sets.

Additionally, through Compliance Management Systems, you’ve got a number of different other assets and elements that are literally right at your fingertips, such as the guidance from PCI for each associated line item, which is instantly available. If you have an assessor that’s leveraging the TCT Portal, you’ve got their instructions. Their examples are immediately available. All of your internal notes, assignments, what evidence did we use on the last go-around on similar controls, are immediately there and ready at your fingertips.
There are just a ton of positive capabilities and, quite frankly, the whole reason that organizations built these tools is to save companies from the sheer waste of internal time and internal resources that they would otherwise blow on revamping their internal systems. It just makes a lot of sense for organizations to seriously consider leveraging a compliance management system to manage their compliance instead of their manual or semi-manual processes from the past. There’s a lot of organizations that I’ve talked to over the years that spend an inordinate amount of time on Excel macros and automation related to what they needed to do, etc. You’ve got to remember this isn’t simply just getting your sheets and your storage locations up to speed. If you’ve got any manner of additional automation that you layer on top of your either manual or semi-manual process, you have to go in and gut and revamp all that as well. I don’t know, man, I’m a giant fan of not wasting time. And it’s part of the reason why I started this company and why I stepped into the space to try to help people make compliance management suck less.

Most certainly. Parting thoughts and shots for the folks this week, Adam.

Well, the bottom line: if you have not gone down the route of making your transition and getting those wheels in motion, I know right now we sit very early in 2024, but it is astounding how fast time is going to fly and how quickly your organization is running out of runway to be able to do what you need to do. Organizations need to take this seriously. They need to sit down and look at their current state, and really, efficiency as they go through this process is certainly, certainly, certainly key as they go down this path. I can’t underscore it enough: for those that haven’t really contemplated the notion of leveraging compliance management systems, please do yourself a gigantic favor and just go take a look. Honestly, when you sit down and you look at how many dollars, time, indirect dollars are just going to go into the garbage can as you go ahead and make even just the move from 3.2.1 to 4, the cost of a compliance management system is going to be a drop in the bucket compared to how much internal time you’re going to waste. And honestly, the diversion from, for most organizations, what’s the most damn important thing that they want to do? I mean, I hear this time and again. Yeah, I’m a gigantic fan of security and compliance. And yet, I hear from organizations this notion that, well, we’ve got to go ahead and check the box for our compliance stuff again. Most organizations don’t want to waste their time, in their mind’s eye, on the security and compliance stuff. They just want to be able to go in, do what they need to do, do it correctly, etc., and get back to what they perceive as their real work or their real job.
Our real work and our real job is making this company sing and doing our operational tasks and blah, blah, blah, which is the similar mindset that I’ve got to the benefits of heading down the route of compliance management systems. It is literally a way to achieve the objectives that the companies are wanting to achieve anyhow. It’s just that many of them haven’t gone down the path. They haven’t taken the time to explore it. They haven’t taken the time to think about what are going to be the real material benefits of moving to the system. I’ve said it on prior pods that we’ve done, and in other blog articles that we posted: one of the biggest advantages to leveraging these types of systems is that capability, really in year two plus, to be able to very cleanly look back at what did we do last time around, who did it last time around, what was the evidence that worked last time around. As companies transition from 3.2.1 to 4, and transition from 4 this year to 4 next year, that’s really where the real material benefits of compliance management systems come into play. You gain a lot in your first year, but honestly you gain a lot more in year two plus as you go down the path. The benefits just keep adding on to each other. One of the things, I had a conversation with an organization where a couple of key people, some of the people that were producing a lot of their compliance evidence, ended up, for whatever the reason may be, transitioning away from the organization. In those cases, those organizations didn’t have to freak out about, oh jeez, who did what, oh gosh, what evidence was supplied, who was doing which items. All they had to do is go back to their systems and go in and look: okay, Bob was the person that was key last year, and he’s no longer there.
They could literally go in and say, okay, what all items did we have Bob doing? Bob’s job, who’s taken over for those? So these are the people now that need to pick up these various pieces.
And for those new people coming in that now need to get their arms around what the hell did Bob do last year, everything’s at their fingertips. They literally can go in and look and see what worked for Bob last year, what was the assessor looking for?

What do we need to go in and generate and garner in terms of evidence that’ll please their assessor or their compliance consultant? All of this stuff is literally at your fingertips.
And it’s almost like the gift that keeps on giving once you get to year two and three, the material benefits for those organizations that saw the light and headed in that direction. It’s a lot of fun to see the light bulbs going on with organizations that have made that transition.

Yes, indeed. And that right there, well, that’s all the time we have for this episode of Compliance Unfiltered. I’m Todd Coshow, and I’m Adam Goslin. I hope we helped to get you fired up to make your compliance suck less.
