Alicia Malone: Welcome to our podcast series, Coffee with the Council. I'm Alicia Malone, senior manager of public relations for the PCI Security Standards Council. Today we'll be talking about the much-anticipated release of version 4.0 of our PCI Data Security Standard, or DSS. In addition to the timeline and some key highlights, we'll be discussing what you need to know to prepare for PCI DSS version 4.0 transition training. My guests for this episode are Kandyce Young, standards development manager at PCI SSC, and Tom White, training content manager at PCI SSC. Welcome to both of you!
Kandyce Young: Hello, thank you for having us.
Tom White: It is good to be here. I've got my coffee ready.
Alicia Malone: Excellent. Well, Kandyce, I want to start with you. Can you walk us through the current timeline for PCI DSS v4.0?
Kandyce Young: So, right now we're in the stakeholder preview period. So that's PCI DSS v4.0, the draft available in our portal to Participating Organizations (PO), Approved Scanning Vendors (ASV) and Qualified Security Assessors (QSA) via a non-disclosure agreement. And that will be removed once the standard is published. The preview that we did provide, it did undergo a few minor changes. Once you see the final version of the standard, let that be the source of truth. I think I just want to make that point. The final version of the standard will come out at the end of March, along with the Summary of Changes document, and the Report on Compliance template and Attestation of Compliance documents. The Self-Assessment Questionnaires will be following shortly after. And the standard and Summary of Changes will be translated into several languages really to support the fact that PCI DSS is global.
At the end of March into June, we will see translations of those documents. The supporting documents, as well as training - we're looking for a June release - and these supporting documents include the Prioritized Approach, Quick Reference Guide, a variety of new FAQs - many of which were developed in response to RFC feedback - and we'll also be including a document that includes a lot of tips and tools for navigating all of the new bits of PCI DSS v4.0. So, all of that will be available in June.
Another thing coming in June, which I think is really exciting, is the PCI DSS v4.0 Online Global Symposium that comes out June 21st. And just as the title states, it'll be online, and it will be global. We are working out the details right now, so, I can't say too much. Just note that our goal is to make sure that we cover all of the new things in PCI DSS to make sure that all entities and assessors feel prepared, sufficiently informed, and knowledgeable about all that PCI DSS v4.0 has to offer. So, everyone has the tools to get through a successful version 4.0 assessment. That's what we have coming down the line for the next few months.
Alicia Malone: Now, what happens once PCI DSS v4.0 is introduced? Will there be a transition period from the current version of PCI DSS v3.2.1?
Kandyce Young: PCI DSS v3.2.1 and v4.0 will both be active for approximately two years, starting at the end of this month, when v4.0 is released, until the retirement of v3.2.1 on the 31st of March 2024. Once training becomes available to assessors in June, assessors can start assessing their entities against v4.0 or v3.2.1. Tom will talk more about this in a moment. This transition period will really allow organizations to become familiar with and build and develop resources necessary for the new v4.0 requirements and reporting template. Once the 31st of March 2024 arrives, v3.2.1 will be retired, and then you will only be able to assess against v4.0. Entities will then have additional time - an additional year in fact - until the 31st of March 2025, before the future-dated requirements come into effect as part of a v4.0 assessment.
Each of these future-dated requirements will be noted in the standard as best practice until the 31st of March 2025. Entities are not required to validate against those until the date has been reached. As I mentioned, there will be a Summary of Changes document published with the standard in March, that will list all of the new requirements and their effective dates. So, it'll be a good resource for entities to keep on hand. To sum that up, v3.2.1 and v4.0 will both be effective for two years. The 31st of March 2024 is when v3.2.1 retires and v4.0 will be the only version that you can use. Then, on the 31st of March 2025, the future-dated requirements for v4.0 come into effect, and the full standard must be assessed against.
Alicia Malone: So, during this transition will both v3.2.1 and v4.0 material be available online?
Kandyce Young: So, this is a great question and the Council is currently working out the process to review how all of these FAQs, information supplements and other related v3.2.1-specific material are going to live on our website, along with v4.0.
It remains a priority for us to make sure that we continue to provide support for both versions. So, the answer to that is stay tuned; we're working on how to do that. We recognize that there may be an instance where there's two distinct versions: v3.2.1 and v4.0.
Tom White: Oh, so... wait, you just made me think about that, Kandyce. So, we're talking about, every FAQ that is specific to a requirement, if that requirement changes, then we'll still need it, right? I'm just getting this straight in my head. We'll still need the v3.2.1 FAQ, because v3.2.1 of the standard will be live, but then we'll also need to be able to support whatever maybe has changed in v4.0. So, does that mean that we, the Council, have to go through everything on the website to work that out?
Kandyce Young: Oh yes, Tom. You're exactly right. And yes, you probably will help with that. We have to go through every single document, all of our information supplements; we've got a plethora of guidance documents and will go through each of them to make sure that whatever is applicable to v3.2.1 it specifically states as such. And if we need an update for v4.0, we do that accordingly. So, it'll be an effort, but it's definitely something that we're looking to do shortly.
Tom White: All right. Thanks for that.
Alicia Malone: So, Kandyce, what are some of the key highlights of v4.0? What can assessors and other industry participants expect to see?
Kandyce Young: Well, in addition to a plethora of new requirements, you'll have to wait for publication to see. What I can say is that we definitely listened to the needs of the industry through the RFC process - we've had three of them for PCI DSS v4.0 - and through other stakeholder information gathering opportunities. The direction of v4.0 has certainly been impacted by all of this feedback. And, as a result, we've added new guidance on areas such as third-party service provider relationships, or even how PCI DSS v4.0 supports the newer Software Security Framework. We've even included a dedicated section called “Description of Timeframes”. And that's used to provide a description of all of the timeframes used in requirements because we are often asked questions like, “what does quarterly mean”?
Tom White: That's really cool for me because, in training, it sounds really funny: I never thought in my life I would be speaking to a class of people about what “quarterly” means, but it does come up because it can impact the way an assessment is done or the way requirements are interpreted. So, from my selfish point of view, I'm really pleased to have some of these descriptions of timeframes documented. So, sorry. Carry on.
Kandyce Young: No, no. That’s great, Tom. So, it's important to know, in v4.0, we added that in there and so entities can definitely have a look at that to make sure it is applicable to their implementation for v4.0. And the last bit I'll mention is actually about providing flexibility. So, we've heard about the concept of the Customized Approach. And that was added by the Council to allow for innovative technology in the payment industry. The Council developed it as an alternative to the traditional requirement validation approach.
Once the entity makes the determination that they will use the Customized Approach to meet an objective of any requirement, instead of following the requirement as stated, they perform all of the associated steps, and the assessor must then derive their own testing to determine if the requirement is, in fact, in place. So those guidance updates, in addition to some of the updates we've made to the validation documents that you'll see, are refreshes to align and clarify content throughout the ROC reporting template and Attestation of Compliance documents. Those are some of the really great things you can see in v4.0.
Alicia Malone: Well, this is great information. It sounds like there will be a lot to digest with this new version and that training will be very important to understanding all of the changes to PCI DSS v4.0. Which brings me to you, Tom. For the assessor community, what happens when v4.0 is released?
Tom White: All right. So, as soon as the new version comes out, we're in this period of time, when we have two active versions of PCI DSS. So, like everybody else in the industry, I'll be making sure that I understand what I think v4.0 means - and, luckily, I'm working at the Council, so I've got the inside edge on that - but in that period of time, organizations get to choose which version of the standard to use for their assessments, whether they want to stick with v3.2.1, which is what they've been using up until now, or whether they want to move onto v4.0. But, whichever one they choose, they have to use that same version throughout the whole of their assessment. You can't pick a requirement from v4.0 and then one from v3.2.1. So that's important to know.
The v3.2.1 assessments will continue as normal, and they shouldn't change after the release of v4.0. New assessors - so if you wanted to become a QSA or if you are requalifying - that training is going to continue to be v3.2.1 pretty much throughout this year until we start updating those courses probably early next year. So, any new assessors will be trained in v3.2.1. And this is kind of important because v3.2.1 is still going to be active for two years. So, knowing those requirements and how those assessments work is going to be pretty important. For the first few months after the release of v4.0, we in the training team are going to be completing the build of a transitional course to teach assessors the differences between v4.0 and v3.2.1. So that's our priority from now until June.
Alicia Malone: So, when can assessors begin performing PCI DSS v4.0 assessments?
Tom White: Yeah, that's a goodie. So once v4.0 is live, we at the Council, we'll still be finalizing some associated reporting documents that make up part of our training. So, once everything's been properly completed, then we can complete the transition course, right? But we can't build that until everything's kind of done and dusted, otherwise we won't be able to explain what's going on. So, there'll be a gap of probably about three months from the release of v4.0 until the training and associated exam are completed and made available to assessors. So, in June, most likely there'll be transitional training and an exam available for assessors. And again, this is to go over and make sure that people understand the changes to the standard, and the reporting documents, and any other ways that assessments work. So once an assessor has completed the training and taken the exam, then they can start to do v4.0 assessments.
So QSAs have got to have taken the training and passed the exam before they go and do an onsite assessment of v4.0, okay? And, something else worth noting: once they pass the exam, their listing on our website will reflect that the QSA is eligible to perform assessments against v4.0. So, there's going to be an extra kind of flag or detail against the assessor. It's slightly different for ISAs. So, for the ISAs - it's a recommendation - they're encouraged to take the v4.0 transitional course and associated exam before doing an internal assessment. All of our other courses - because we've got loads that are impacted by PCI DSS updates - they are going to be updated throughout 2023, most likely. I mean, we're doing the work now, but we're talking about making sure it's going to be available for people probably throughout 2023.
Alicia Malone: Let's talk more about that course that is being designed. What type of training will be offered and what type of exam will be required?
Tom White: Yeah, so the transitional training will be a computer-based training course. So, that'll be taken on a laptop or some kind of computing device at the pace of the learner. And it's going to cover all of the different changes that have been made to the standard, and the reporting document, and how testing works. There's a whole bunch of new things in v4.0. And Kandyce mentioned a few of them earlier on. And we've got to try and ensure that the assessors understand what those changes are, add a little bit of extra information around the rationale about why the changes have happened, and how those changes to the standard will impact on assessments. I thought actually up until last week I was under the impression that the exam for QSAs would be a proctored exam, but this is untrue. I was wrong. I'd been given incorrect information. I got this wrong on an assessor webinar as well. So, the associated QSA exam will not be proctored. It will be delivered online through the portal. So, the portal is where you'll find that.
Alicia Malone: Is there a fee associated with the transition training and the exam?
Tom White: No. There's nothing on top of the regular QSA fees. So that's all covered already. So no fee for the transition training or exam.
Alicia Malone: Will there be prerequisites for PCI DSS v4.0 training?
Tom White: This transitional course is only for assessors. So, if you are a current assessor - either a QSA or an ISA - and you are in good standing and listed, then it'll be available for you. There's no prerequisite course or anything like that and again, I'm going to reiterate that new assessor training and requalification training will continue to be against v3.2.1 until we update those courses next year, okay? So, the path for say, a new assessor in October, let's think about that. In October, if you are doing new assessor training, that will be v3.2.1, and then the transition course that I've just been talking about will be made available after the assessor passes the v3.2.1 and the exam. So, that's how that's going to work.
Alicia Malone: This has been such a helpful conversation today. Thank you both so much for joining us. Where can our listeners go for more information about what they heard today?
Kandyce Young: Well, it's really been a pleasure to be on this with you, Alicia. Thank you so much. And we can't wait to share more about what PCI DSS v4.0 has in store. We've been working so hard for so long on this, and I can't wait to share it with the world. And we will be able to do that at the end of March. But, until we do, in the meantime, you can subscribe to our PCI Perspectives blog and get all the latest information about PCI DSS v4.0. Actually, on the 25th of February, we released our latest blog about PCI DSS v4.0 and it highlights the timeline detail that I've mentioned moments ago. So, stay tuned on our website.
Tom White: Yeah. From a training perspective, we'll put information about the transitional courses on the website. So, the website is always the place to look. And also, I'll reiterate there's going to be a staggered change to the courses. So, they're going to stay v3.2.1 for a while. So, if you are signing up to a new training course, then it's well worth looking on the website to make sure you understand whether it's been updated to v4.0 or it's still in v3.2.1. So, I definitely recommend hitting the website to find that.
Alicia Malone: So, before we wrap up, Kandyce and Tom, are either of you coffee drinkers?
Kandyce Young: Oh my, yes indeed. It's literally the best part of every morning for me. I usually have it black, but if I'm feeling a little adventurous or I'm recording a podcast, let's say, then I add a splash of almond milk to kind of spice things up. So, I did that this morning.
Tom White: Oh, almond milk. I don't think I've tried that in coffee. I've done some experiments with different types of milk. This is not very interesting to most people, but to me, I currently take an oat latte. So, I'm on oat milk. And when I first tried oat milk in a coffee, I didn't really like it - I mean, it wasn't horrible - but it definitely tasted “oaty”, right? I mean, it's in the name. And I didn't think I would stick with oat milk, but then I did. Then, at the end of that period of time, I had intended to go back to cow milk. But when I went and put cow milk in my coffee, it really tasted of cow. And that sounds weird, right? And if you haven't noticed this, if you've kind of had a lot of dairy products, I was not expecting it to be quite as “cowy” tasting as it was. So, I am stuck on oat lattes. And, oat is pretty good for a coffee, because it doesn't separate. Soy lattes: I've tried that for a bit, but soy separates. So anyway, that's enough about my coffee drinking. Oat latte is what I'll have if you come for a coffee with me.
Alicia Malone: That's fantastic. I love that. Well, thank you both for being on Coffee with the Council today, and we look forward to learning more about PCI DSS v4.0!
Like what you’ve heard? Subscribe to PCI SSC’s “Coffee with the Council” podcast by visiting any of the following platforms: Spotify, Anchor or Pocket Casts. Coming soon, the podcast will also be available on Apple Podcasts, Breaker, Google Podcasts, and RadioPublic.