Welcome to our podcast series, Coffee with The Council. I'm Alicia Malone, senior manager of public relations for the PCI Security Standards Council. Today we'll be talking about resources and upcoming engagement events pertaining to the recent release of version four of the PCI Data Security Standard, or PCI DSS. My guests for this episode are Elizabeth Terry, senior manager of community engagement at PCI SSC and Lindsay Goodspeed, senior manager of corporate communications at PCI SSC. Welcome to both of you!
Elizabeth Terry: Thank you. It's really good to be here.
Lindsay Goodspeed: Yeah, thanks for having me.
Alicia Malone: So, the 31st of March was a big day for the PCI Security Standards Council and the global payments industry. It was the official release date of PCI DSS v4.0, a standard update that has been several years in the making. What has the reaction been from industry? Elizabeth, let's start with you.
Elizabeth Terry: Awesome. So, the feedback we received from the payments industry around the world, over the course of the last three years, really drove the changes to the standard itself - and, and as we've said before, we've had more than 200 organizations provide over 6,000 pieces of feedback, which is a tremendous amount of feedback - and the process ensured that the standard continues to meet that complex ever-changing security landscape of payments.
And now that it's published, we're receiving a lot of really positive feedback from our assessor community and from our Participating Organizations and those who were involved in that feedback process. And they could really see within the standard where we really very carefully considered all the feedback that we received.
And I've seen several very interesting blogs about the excitement around the “Customized Approach” because that has provided greater flexibility for those more mature organizations that have to comply with PCI DSS. And I've also seen a few posts praising the addition of definitions around the timeframes in PCI DSS v4.0 like “immediately” or “periodically”, and that helps assessors and organizations better understand if they're meeting the requirements that call for an update say immediately, for instance. And the excitement has been palpable. I've seen people really geeking out over the release of the standard and actually getting their hands on it, and it sort of reminds me of folks that are waiting for like that next edition in a book series or that next evolution of a game they're interested in.
Lindsay Goodspeed: Yeah, I'd agree, Elizabeth. I've been seeing a lot of really great feedback from the industry since the standard has been published just a couple weeks ago. Everything from really positive trade press coverage to positive reactions on social media and supportive of the new version of the standard. It's truly a testament to the hard work that the global industry has dedicated to making sure the standard meets the needs of the industry and it continues to evolve and address all the changing threat landscapes to global payments.
Alicia Malone: We know that educating the payments industry on all of the new requirements for PCI DSS v4.0 is a really important undertaking. What is the Council doing to help drive understanding about the new standard?
Elizabeth Terry: Yeah, Alicia. So, from an education and engagement perspective, we've been keeping everybody up to date with our newsletters and then various segments that we have on our quarterly and our biannual webcasts for all assessors, PCI Professionals and others that are in our industry and also participants in our programs. However, if you haven't registered yet for the upcoming second quarter webcast, there is still time. The All-Assessor webcast will be on May 19, and the PCIP webcast will be on May 25. And then we have our first biannual Qualified Integrator and Reseller (QIR) webcast on June 1st.
And we've also been really busy as guests on webinars at events and other speaking opportunities around the globe. And our industry relations team has been busy since the day PCI DSS v4.0 dropped, speaking to audiences in Europe, India, Brazil, and across the globe. So, you can still find some of those events that they spoke at on LinkedIn and Twitter, if you're interested in listening to those replays - and I do recommend that - and we know that we're just getting started.
Another thing I also just wanted to remind everybody that our training team has been very busy creating the transition training for the QSAs and the ISAs to learn all the things about PCI DSS v4.0 and that training is still set to be published in June. And it will cover the standard, the reporting templates, the new Customized Approach, and so much more. And we're excited to get this developed and into the hands of our assessor community because that transition training has been priority one for trainers, since as a QSA, they must be trained and pass the exam before they're able to perform any PCI DSS v4.0 assessments for an organization. So, we want to get that training published. And yes, the training and the exam are free and included with your qualification. And then for anybody else who is wondering about the other training for programs that might have been impacted by the changes to the standard, the updates for training to those programs will follow the release of the transition training in June. So, stay tuned. It's coming.
Alicia Malone: So, Lindsay, from a communication standpoint, you've been heavily involved in the creation of new resources pertaining to PCI DSS v4.0. Can you tell us a little bit about what these resources are and where we can find them?
Lindsay Goodspeed: Sure. Happy to. I've been with the Council for about eight years and one of the challenges I have as a communicator is making sure that I'm meeting the needs of the Council's many different audiences. So, from assessors to merchants and acquirers, we have so many different stakeholders and each of those stakeholders have a different need so it's my job to make sure we're creating resources to educate all of our different audiences.
So, one thing that we did with the launch of PCI DSS v4.0 is we created what we're calling a “PCI DSS v4.0 Resource Hub”. So, this Resource Hub is located on the PCI Perspectives blog, and this is a centralized location which provides links to all of the DSS v4.0 standard documents as well as educational resources aimed to help organizations become familiar with the standard. And again, you can find this on our PCI Perspectives blog. So, on the Resource Hub, like I said, we have links to the Document Library, where you'll find all of the DSS v4.0 standard documents: the PCI DSS v4.0 standard itself; you'll find the Summary of Changes from PCI DSS v3.2.1 to version 4.0, as well as all of our reporting templates.
In addition to the actual standard documents on that Resource Hub, we have all of our educational resources. So, for example, we created a great video - “A First Look” is what we're calling it - and this video features four of our colleagues, and it's a really great discussion where they go over specific changes in the standard, they discuss how the standard was developed, as well as information on implementation timelines. So, I definitely recommend watching that video. It can be found on that Resource Hub, or you can watch it right on the Council's YouTube page.
In addition to that video, we have what we're calling an “At-A-Glance”. So, this is a two-page document. It provides a quick overview of what some of the changes are to the standard, what the goals we set out when making these changes to the standard, and how we met that. We just give some examples of what some of those changes are in that “At-A-Glance”.
Another item in that Resource Hub is an episode of Coffee with The Council. So, I believe it's the previous episode. So, after you're done listening here, I recommend to check out that episode. It features Standards Trainer Tom White and Standards Manager Kandyce Young and they talk about changes to the standard, and Tom specifically talks about some information for assessors on what to know for training for PCI DSS v4.0.
So, I definitely recommend that you bookmark this page. This is going to be regularly updated as we continue to create resources to help the community become familiar with the standard. Now that the standard is launched and people have had some time to review it, we know that we're going to get additional questions and my goal, as a communicator, is to help answer those questions and we'll continue to create additional resources to help the industry and those resources will live right there on that Resource Hub.
Alicia Malone: Those sound like really helpful resources for the industry. It has also been announced that the Council will be hosting a dedicated event for the payments industry, just to hear about PCI DSS v4.0 exclusively. Can you tell us a little bit about this event, Elizabeth, and when it will be?
Elizabeth Terry: Absolutely. Happy to do that. So, we're very excited to be able to bring the PCI DSS v4.0 Global Symposium to the industry. Now, the event is scheduled to open on Tuesday, the 21st of June at 9:00 a.m. (EST), and then it will be available on demand until Tuesday, the 30th of August, ending just before we get out for the North America Community Meeting in mid-September. And the Symposium is going to cover a lot of ground and likely answer a number of your hot burning questions from like the new multi-factor authentication and e-commerce requirement updates to what is “in place with remediation” exactly? Or perhaps, “what's the difference between a Defined Approach and a Customized Approach?” So, the sessions will take you through the changes to the Self-Assessment Questionnaires for merchants and service providers, prepping you to move to PCI DSS v4.0, and how to tell if your QSA and their company are qualified to perform your PCI DSS v4.0 assessment. It's going to be jam-packed with a lot of great information for participants. And because it's open until the end of August, you could watch it over and over again. Or, if you happen to be on holiday when it goes live, you could watch it when you get back in the office.
We have been asked who can attend a Symposium? And the Global Symposium is a benefit open to Participating Organizations, Qualified Security Assessors, or QSAs, Approved Scanning Vendors, ASVs, and Internal Security Assessors or your ISAs. And again, the event is completely free for eligible participants. It's fully online, and you can register by visiting our Events section on our website, and then clicking on the button for PCI DSS v4.0 Global Symposium. And I hope to see everybody there.
Alicia Malone: It sounds like there is a lot of great information available about PCI DSS v4.0. Is there anything else you'd like our listeners to know?
Elizabeth Terry: Oh yes. Our Community Meetings are back live and in-person, both in North America and Europe, with the caveat that, subject to changes, we watch out for the health and well-being of all of our participants. So, North America is going to be in Toronto, Ontario, Canada on the 13th to the 15th of September, and Europe will be the 18th to the 20th of October in Milan, Italy. And we have received so many amazing submissions for speakers so, they’re going to be absolutely incredible. Registration is going to open very, very soon and more information can be found on our website on our Events page.
Lindsay Goodspeed: Yeah. I'm so excited that our Community Meetings are going to be in-person again. It feels like it's been years since we've all come together in-person. So, looking forward to that. I just also wanted to add, if you haven't already, I definitely recommend to subscribe to the PCI Perspectives blog. That blog is really a core area where we update all of our Council news, so be sure to subscribe to that channel as we update that very regularly.
And, if you don't already, please follow us on Twitter and LinkedIn. And again, just a final reminder, I definitely recommend if you want to stay up to date on everything related to PCI DSS v4.0 to bookmark that PCI DSS Resource Hub as we will be updating that with new resources as they become available.
Alicia Malone: So, before we wrap up, I'm going to assume that coffee played a leading role in your lives leading up to the launch of PCI DSS v4.0?
Elizabeth Terry: How did you guess? Yeah, and I know this is where we're supposed to talk about how we take our coffee. And I'd like to say that I'm like a simple coffee drinker, but I think people would classify me as one of those, you know, “fancy drink” people. I do like a good pour-over and I have a very nice pour-over carafe, but it's always only me drinking the coffee. So, I have a portable, travels with me everywhere, single cup pour-over that I like. And then I like to put a coconut creamer in there with a little dash of cinnamon.
Lindsay Goodspeed: I have to say, Elizabeth, I think I'm probably on the opposite spectrum as you. I am pretty simple. I drink my coffee black, and I live in New England, so I'm a Dunkin’ Donuts girl and I like to keep it pretty simple.
Alicia Malone: That's great, I love that you both are on opposite sides of the coffee spectrum. Well, thank you both for joining me on Coffee with The Council. It's been a pleasure having you.
Elizabeth Terry: It's been a pleasure being here and thank you, Alicia.
Lindsay Goodspeed: Yeah. Thank you for having us.
Like what you’ve heard? Subscribe to PCI SSC’s “Coffee with the Council” podcast by visiting any of the following platforms: Spotify, Anchor or Pocket Casts. Coming soon, the podcast will also be available on Apple Podcasts, Breaker, Google Podcasts, and RadioPublic.