PCI DSS 4.0: How to Delight the Auditors
While we all know the actual point of PCI is vastly more far-reaching, we can’t deny that the juggernaut of PCI DSS 4.0 compliance is getting past the auditors. However, there is a right way to do it that doesn’t just check the box – it creates the underlying business operations that enable you to pass an audit any day, at any time, with just the processes you have in hand. Here’s how.
The PCI 4.0 Challenge
First, we have to understand the challenges of the new requirements we’re working with and why they might present auditing challenges in the first place. To those who don’t understand the intent of PCI 4.0, it might seem like you have to do less. Those who do understand it know that they may well have to do more. This latest iteration of the PCI DSS compliance standards is vague, and intentionally so. It does not aim to confuse – it aims to give organizations enough room to customize.
Take the healthcare industry, for example. It would take years of industry-specific expertise to craft standards that not only protect data at large (within the finance and payment aspect) but also adhere to all the overlapping health data privacy requirements. Not only would this take an inordinate amount of time and research, but the standards would no longer be widely applicable. The solution, then, is not to ram another set of meticulous specifications down the throat of every different industry, but to leave the standard open to interpretation and just present the rules.
The point, roughly hewn, is to move towards more of a Zero Trust approach in PCI DSS compliance standards. In our recent webinar, Insights for Navigating PCI-DSS 4.0 Milestones, our guest panelists discuss the likelihood of an intersection between the two, and PCI 4.0 is a definite step in that direction.
The challenge, then, is to understand how the latest PCI DSS standards apply to your organization and create the policies that both honor those differences and pass a unilateral audit. To do this, you really have to internalize what the new PCI 4.0 standards are asking, the spirit of the law if you will, and then know your organization enough to implement the changes that will deliver on those requests.
How to Always Be Audit Ready
Maintaining an audit-ready environment should feel more like daily clean-ups than yearly spring cleaning. All too often, companies find themselves up against the clock, scrambling in a two-week sprint to gather all the necessary documentation – only to promptly file it away and forget it again until the next year.
The main point of PCI 4.0 is that that is not the point. These compliance standards should be part of the walk and talk of an organization with security always at the forefront, and there are a few helpful tips for baking in compliance:
- Define and align PCI 4.0 with business goals. This is key. You and your stakeholders need to see PCI 4.0 as not just a security measure, but a business objective. Because really, it is. If a company is not compliant, chances are it is not secure. If it is not secure, it’s at risk of, say, a ransomware attack. If a ransomware attack hits, the company loses potentially millions in profit. It’s a business issue now. Leaders need to understand this – the entire company needs to understand this – and once they do, getting buy-in won’t be nearly as daunting a task.
- Get the right stakeholders. Sewing in PCI 4.0 compliance measures is an all-hands-on job. If these new requirements are to be successful, they need top-down support and buy-in from department heads who can really make a difference. Anecdotally, the security team owns the technical requirements. Architects are good “how to” teams that can lay out exactly how these new security measures should be infused throughout the organization’s security systems. CISOs are great for board-level support (obviously) and lead the cultural charge (believe it or not). If you are to be audit-ready, all departments need not only a directive, but a player – and some skin – in the game.
- Infuse changes across the daily architecture of each team’s way of operating. If you are to be audit-ready, changes need to be made not only in policy, but disseminated throughout systems, and if those changes are stopped at the department door, your whole PCI 4.0 overhaul is missing a piece and no longer entirely compliant. If your compliance has holes, is it really compliant? Top-down and side-to-side buy-in is key to really disseminating PCI 4.0 policies and making them work. In this world, security silos and compliance-in-a-vacuum are the antithesis of the way forward.
- Make reporting a daily habit. As you move towards PCI 4.0 compliance, there will be a lot of measurable steps you take. Don’t just measure them, record them. Every training, every all-hands meeting, all your phishing campaigns, all your scoping, your data discovery – every effort in that direction needs to be recorded, and not just once. If it’s not already a habit, this needs to become part of the daily walk of your organization from now on. These accountability checks should be part of the organizational responsibility of each department and sewn into the policies that go along with any PCI 4.0 activity.
Part of impressing the auditors is being effortlessly, flawlessly prepared. This kind of preparation is not born in a day, or in a two-week stretch. PCI 4.0’s business value needs to be understood by the right stakeholders and integrated into the day-to-day operations of your enterprise in order to make the changes long-lasting and effective.
It’s said that an experienced auditor has only to ask a few questions to judge the readiness of an organization. Those who follow the principles of PCI 4.0 to the point where they’re ingrained in policies company-wide have nothing to fear when it comes to audits, and can look forward to not only pleased auditors, but safe customers and a protected revenue stream.
To better understand how you are progressing toward PCI DSS 4.0, take our quiz and receive a free tailored report, with tangible next steps, for you and your team.