Compliance Unfiltered is TCT’s tell-it-like-it is podcast, dedicated to making compliance suck less. It’s a fresh, raw, uncut alternative for anyone who needs honest, reliable, compliance expertise with a sprinkling of personality.

Show Notes: PCI-DSS 4.0


Quick Take

On this week’s episode of Compliance Unfiltered… IT’S ALMOST HERE! PCI 4.0, having been rumored for more than a year and a half, is finally set to be released. Assessors will get the soft release in late January; the public will get the full rollout in March.

But YOU get the breakdown on everything related to version 4.0 NOW. From the new inclusions in PCI 4.0 to the impacts you can expect the update to have on you and your business, this week’s Compliance Unfiltered is a must-listen episode!

Follow Compliance Unfiltered on Twitter and Instagram at @compliancesucks

Transcript

So let’s face it, managing compliance sucks. It’s complicated, it’s so hard to keep organized, and it requires a ton of expertise in order to survive the entire process. Welcome to Compliance Unfiltered, a podcast dedicated to making compliance suck less.

Now, here’s your host, Todd Coshow with Adam Goslin.

Well, welcome into another edition of Compliance Unfiltered. I’m Todd Coshow alongside the one, the only, compliance legend and guru himself, Adam Goslin. Adam, Happy New Year. How the heck are you today? Happy New Year to you as well, and I’m doing fine, thanks. Excellent, I’m glad to hear it.

Well, we’re starting off kind of, I don’t want to call it season 2 exactly, but essentially season 2, year 2 of Compliance Unfiltered with a topic that is not only near and dear to our heart, but is also extremely timely. It’s that time, Adam. We’ve been talking about it for almost a year and a half now. It’s that time, PCI 4.0 is coming soon. Tell us about it. What’s going on? Well, there’s a lot of noise going on about 4.0, and it’s coming soon to a theater near us type of thing. And so the highlight reel, I think the way we’re going to end up doing this, Todd, is that this one’s going to intend to be kind of a, hey, what’s happening soon? We’ll probably do another one after the official release. We’ll be talking about that a little bit later. So this is really kind of the what’s coming soon highlight reel, and then we’ll get into a lot more depth, if you will, as we kind of go through this process.

So high level, there’s a soft release going over to the assessors and whatnot, and some other kind of key organizations in January of 2022. And, then the public rollout, when they actually officially release PCI 4.0, that’s planned for March of 2022. Now that said, you were mentioning about the whole notion of that we have been kind of talking about this for a year and a half. We’ve known this release is coming for some time, there’s glints and glimpses into functionality, things that are needed. So yeah, we’ve had our eyeball on this one for quite some time. And it’s been kind of fun because, I mean, when I started into the PCI space, I started under PCI 1. So yeah, I’ve lived all the prior versions, and now we’re at 4.0, so pretty cool. Indeed.

Well, as a veteran here, talk us through some of the highlights of inclusions in the new certification. So, the official release notes are not out there yet, but based on what we’re seeing out of some of the draft information, rumblings, etc., it looks like they’re trying to do several things with 4.0, certainly aligning PCI with other security standards that are out there. A lot of folks will integrate, prefer to leverage, broad industry standards like NIST, etc. So certainly, I believe there’s some alignment of PCI with some of the other standards that are out there.

They’re also, integrating some additional flexibility for organizations that are, I expect, this is probably going to come into play more for the big organizations, I don’t think smaller organizations are really going to want to go down this path. But, they’re opening up this new arena that they’re calling customized approach, where an organization has basically looked at the essence requirements that there are for a particular element of the standard, believing that they’ve got that in place. They’re opening up this customized approach methodology for organizations that want to basically say, hey, I’m meeting this standard, and here’s how we’re meeting it. Not quite a compensating control, but really more a process whereby they can define their legitimate meeting of the requirement, obviously in concert with their chosen assessor. So, the layering on of that customized approach option is going to be a new one.

Officially, moving toward the promotion of continuous security under the flag of PCI was really inferred. I mean, for those that kind of lived and breathed the space, especially getting into in the three versions, that notion of continuous security was effectively inferred, but I think they’re going to take a much stronger stance with promotion of that continuous security under 4.0. And then finally, with every version, they do enhanced validation procedures, additional clarity, online items, what does this stuff mean, etc. So there’ll be a ton of that coming as well.

Nice. Well, it sounds like both the continuous security piece, and the customized approach are really kind of the meat and potatoes of this upgrade. I’m excited to see what that looks like in practical application going forward. Because I mean, the idea of continuous compliance is something that we work on regularly here at TCT, so I certainly appreciate that. Now from a general standpoint though, Adam, what type of impacts can folks expect from 4.0, at least initially? Yep. With any change of a standard, there’s going to be a bunch of ripple impacts. Obviously you’ve got to go in and take a look at the new standard, figure out what things do you, and don’t you have covered. There’s always going to be minor enhancements to policies and procedures, specific elements that need to get implemented where there’ve been modifications to the standard, that type of thing. So, certainly those organizations that are dealing with this whole notion of moving to 4.0, they need to be prepared to align their existing compliance coverage under 3.2.1 and map that over to 4.0. That’s going to be an interesting experiment. Now in the past, the council has released a what’s new in 4.0, what changes have been made, trying to map 3.2.1 over to 4.0. And, from our past experience, having to review those documents, the one thing is, it’s cool to go in and look at the 3.2.1 to 4.0 guidebook from the council. But I would underscore to folks, that they really need to go and look at the actual 4.0 requirements, to make sure that they’re not just using the mapping doc, but actually going through and looking at the 4.0 requirements themselves.

I know that we found version changes in the past, that there were things that didn’t show up in the, what’s changed from version one to version two type of thing. And, we ended up finding differences in the actual standard, that weren’t called out in that mapping document. So certainly, one of the things that I’d recommend to folks is it’s great to go and kind of do the cliff notes version and read the general guide. And generally speaking, it’s covering the majority of, this stuff went away, these things got merged, this one is brand new, that type of thing. It’s cool to be able to use that, but I’d underscore, go and read through all of the 4.0 requirements, making sure you’re not missing anything.

Well, so what type of impact Adam, could you expect if you were an organization that was using a compliance management system similar to the TCT Portal in general? So for those that are leveraging some form of systematic automation from a provider like the TCT Portal, then those folks are going to have a huge leg up. For example, in the TCT Portal, the existing 3.2.1 clients that already have their tracks in there, will have built-in mappings that will already have all of that conversion work, ready to roll, basically push a button and poof, we can go ahead and translate your 3.2.1 over to your 4.0 track. And really, streamline both the analysis, as well as a lot of the effort, for making that conversion reality. The one thing that, especially with major changes like this, and if you’re already doing 3.2.1, but not leveraging a system today, my recommendation would be for ease, go in, check out systems that exist, get on board, load up your existing 3.2.1 track. Because that way, we can cleanly port everything from your 3.2.1 over to your 4.0 track when ready, especially for those that aren’t familiar with compliance management systems. One of my favorite, favorite expressions is that managing compliance sucks. And so, the whole reason why the providers are out there to give people systems, is so that they can make it suck less at the end of the day. And so, that’s certainly something that I recommend folks do, is go check out a system. We’ve talked about, I think in another podcast, and certainly some of the blog articles for TCT, the benefits and drawbacks of spreadsheet compliance versus systematic compliance.

And so, it’s just an interesting adventure, especially when you’re facing down a major change in baseline versions of a standard. That’s something that is certainly going to be a heck of a lot easier if you’re using a systematic style approach. Here’s the interesting part about 3.2.1 versus 4.0, is depending on the timing of when an organization’s 3.2.1 track kind of wraps up. So as an example, TCT proper, we undergo an annual third party assessment against PCI. Our audit cycle, as luck would have it, and I’ll be talking about this in a minute, but as luck would have it, is at the end of March. And so, reporting typically is coming out in the mid May timeframe. And so with that, we’re probably going to quickly switch into 4.0. But for other organizations, it may be that their annual timing is happening later in the year. They may want to go ahead and convert from 3.2.1 to 4.0 during the middle of their cycle. Generally speaking, it’s a lot easier to switch your track from a prior version, to new version at that break between years, because then you’ve got time to go in, do the analysis, do the assessment, get staged, get all your I’s dotted and T’s crossed. It’s not a super quick, easy process, but at least that’ll allow some time for that adoption as they go through.

Well, talk to me a little bit, Adam, about, as we mentioned earlier in the podcast, the continuous compliance piece. Now I know that seems to be something that’s coming up a lot, but I feel like, this is something that’s been near and dear to your heart for a long time. Oh, it, yeah, it honestly has. I kind of chuckle at the fact that people, Oh, continuous compliance and blah, blah, blah. We’re getting all these buzzwords out there and whatnot. It seemed to be taking over. Part of my frustration, and this goes back a long time. I’ll kind of quote out the timeline here in a minute, but I was getting tired of helping organizations get compliant, showing up to the annual audit, and lo and behold, the client forgot to do fill in the blank or, Oh geez, you mean that I actually need to do that quarterly thing each quarter, that type of thing. I was getting frustrated with trying to help clients manage and maintain their compliance appropriately, not wanting to endure any kind of heartache going through the annual audit process. And so, I was actually looking at the timing, it was almost six years ago when we bolted in the notion of continuous compliance into the TCT Portal, just so that we could proactively help clients manage, and maintain all of the things that they’re supposed to be doing throughout the year. And, I’m real glad that we made that change back in the day. And actually, it does warm my heart to see that light bulbs are starting to go on for people that, Hey, this isn’t such an odd ball idea, that you should be curating and managing your compliance appropriately all year long. For sure.

Now switching gears just a little bit. And, one of the things that we deal with regularly here at TCT is the difference in the conversation that’s had for what we would consider applicant clients, or clients coming up against the PCI standard, versus the assessment firms that we work with. And I’m curious, what type of impact will 4.0 have on these two different sectors, both the organizations looking to go through it, and the assessment firms looking to handle these assessments for their clients? Well, for the applicants, the terminology we like to use for those applying to be certified, or subject to compliance. The one thing that I would say to them, and it’s more of a general statement, just a reminder about them and managing their compliance.

I mean, part of the reason why I wanted to step into the security and compliance space is because I had to manage engagements by hand. I had to manage them with a spreadsheet. I had to manage them with a drop box, and it’s just mind numbingly painful and a huge waste of time. And so, it’s a good part of the reason why we wanted to build a system for folks to be able to leverage. Taking this opportunity, when we’re staring down 4.0. For every single organization out there that’s currently managing their stuff with a spreadsheet, or with a drop zone, to go put files into whatever orchestrational system that they leveraged. Well, every single one of these organizations is now looking at having to go in and retool. The reality would be, I would have to go and spend time retooling that particular system. No, nope, nope, nope. I wouldn’t, it’s just a gigantic waste of time. So many organizations are tight on resources. They don’t have enough people as it is, it’s hard enough to keep the people you’ve got. Do you really want to be blowing time on rebuilding your tracking and management system for your compliance? The easy and quick answer is no. So, for those that are going through it, just keep in mind, you want to have control, and direct access to your compliance data, this is your data, about your compliance, you own it. And, I don’t ever want an organization to feel subservient, or held hostage by their consultant’s proprietary system, or their assessor’s proprietary system. The bottom line is, this is your data, your information, take ownership of it. Do it in a way that’s going to streamline the internal impacts to your organization, and take advantage of that. Stop wasting time and resources doing a lot of this manual heavy lifting.
For a lot of these organizations, they really don’t understand just how much time they blow internally, whether it’s through the person that’s doing the management maintenance of their certification, or all of the various people in all the various departments that have to be involved. It’s a huge time suck. And so, I really don’t want organizations to continue doing it that way.

For the assessors out there. I mean, we’ve got dozens and dozens and dozens of end organizations, and assessors that leverage TCT Portal. For those assessors that leverage TCT Portal, it’s a breeze going from 3.2.1 to 4.0 engagements. Because TCT helps them through, mapping their engagements from 3.2.1 to 4.0, helps them with transitioning their templates, getting their engagements configured and set up, that type of thing. All of the just fantastic experiences that they’ve had with TCT, both as a solution provider, as well as from a customer service perspective. They can expect that’ll just continue through 3.2.1 to 4.0, but it’s going to make their life a hell of a lot easier. So, and that’s great to hear, honestly, like understanding the types of conversations that they are having, or that are being had around that topic, it’s going to make a significant difference.

So I guess the next significant difference that I’m looking to make on this podcast is to understand what’s next. So when is the next 4.0 update expected, and what can people do to prepare for that? Yeah. So the next TCT 4.0 update is that we’re going to be releasing 4.0 as soon as version 4.0 is released to the public. I mean, you can expect a very swift update from TCT literally within days of the public release. We have a ton of assessors and applicants that use PCI, either as a security framework for kind of governing their security compliance engagements, or they’re directly subject to it. So effectively as soon as they do that announcement in March, we will immediately, and effectively, pull internal resources, whoever we need to go get the work done, to get PCI 4.0 up and ready to go.
We’ve been preparing, functionally preparing for the 4.0 release for the better part of a year in anticipation. So, as soon as that’s out there, we’ll go through and we’ll do the conversion work. We’ll get the new standard in, do all the mappings, we’ll get all of that work done pretty expediently. And then, in all likelihood for the podcast, once we’ve gotten through that process, and had some time to do some additional deep dive analysis, things like that. My expectation is, that probably sometime in April, I don’t know, maybe the second week of April, sometime in there, we’ll do another podcast with more of a deep dive into the detail behind some of the modifications, and changes that we came across, as we were going through, getting it configured and mapping 3.2.1 to 4.0. So that we can help educate our listeners as to things that we’ve learned, as we went through that process. Well, that’s fantastic.

And really I don’t know that an organization could be asked to do more than that at this stage, because again, all of us are kind of in that phase where we don’t know exactly what we don’t know until it’s actually here. So, the fact that TCT is even preparing to do this much says a lot. Cool. Yeah. I mean, I cut my teeth in the PCI arena. It’s been something that I’ve been closely aligned to for well over a decade. So, we have a ton of people that leverage it. So yeah, it’s something that’s really, really important to TCT, important to our customers, and something that we’re pretty passionate about. So, we’re excited to basically help and facilitate the experience of those that are trying to navigate the shift to 4.0. There’s going to be a ton, an absolute ton of upheaval out there as we’re going through this. Anytime they do these major changes, I mean, you think about it, right? Every single organization known to man that’s associated with the security and compliance arena, specifically to PCI is busily gearing up and making changes. So, I mean, even the scanning organizations are going to have to go in and make tweaks and modifications for the new requirements. So, this is going to be a pretty impactful modification for the industry. So, we’re just glad to be on the leading edge. Absolutely.

Well, that’s all the time we have for this episode of Compliance Unfiltered. I’m Todd Coshow. And I’m Adam Goslin. Hope we helped to get you fired up to make your compliance suck less.
