In this episode, Retail & Hospitality ISAC podcast host Luke Vander Linden is joined by co-host Alicia Malone, senior manager of public relations at PCI SSC, Kandyce Young, manager of data security standards at PCI SSC, and Tony James, director of cyber security at Target to discuss the rollout of PCI DSS v4.0. Questions relating to the rollout? Register here for the RH-ISAC and PCI DSS v4.0 webinar on May 25 at 3 p.m. ET. More information about PCI SSC and the new version of PCI DSS v4.0 can be found on the following resources page.
Luke Vander Linden: As listeners of the R&H ISAC podcast know, I'm Luke Vander Linden, Vice President of Membership and Marketing at the Retail and Hospitality ISAC, and I'm the co-host today because we have another host with us, Alicia Malone. Alicia.
Alicia Malone: Hi, Luke. It's so great to be with you today. I'm Alicia Malone. I'm the Senior Manager of Public Relations at the PCI Security Standards Council. And this is a special episode indeed because this is actually the first time we've done a co-host opportunity with a third-party stakeholder. So, we are so excited to be here today.
Luke Vander Linden: Yes, we're excited too, and we hope this goes well. I think it's good. It's going to be good to work with you. Alicia and I have each brought a guest of our own to this segment. My guest is Tony James, Director of Cybersecurity at a long time R&H ISAC member, Target. Who did you bring, Alicia?
Alicia Malone: I have Kandyce Young with me. She is the manager of data security standards at the PCI Security Standards Council.
Luke Vander Linden: Excellent. Welcome to you both. The rollout of PCI DSS v4.0, is something that's been in the works for a while, but if you haven't been paying attention to it yet, frankly, there's no time like yesterday. So, just as a means of setting the stage, we've seen a significant increase in POS malware just over the last two or so years, right? And I know at least in our sharing communities, we've seen increased interest in skimming activity overall, but more specifically around tactics like using cloned cards and getting cashiers to bypass chip-enabled security. And of course, they're creating cloned cards using stolen card data captured via skimming devices installed inside of gas pumps, ATMs, point of sale devices. So, I guess Tony, let's start with you. I guess these and other threats are what PCI DSS v4.0 is trying to address.
Tony James: Yeah, yeah, thanks for having me, folks. Definitely, PCI DSS v4.0 addresses some of these concerns and, as a retailer, we're definitely seeing some of those risks related to digital skimming. And like you said, trying to force beyond the chip-enabled readers in the stores.
It's actually cool, one of the things that Target rolled out, and it's actually open source, is a tool called Easy Sweep to help some of those team members for any retailer that wants you to check those gas payment devices, the point of interaction devices, to actually ensure that there are no skimmers or digital shimmers in there as well. And so that's something we've worked on to help both Target and the industry. Beyond that, digital skimming is definitely a concern. We've also open-sourced a tool called Merry Maker that anyone can download and leverage. Feel free to reach out as we can provide some, the Git repo and stuff, to just access that and see how it would work for your organization to protect against digital skimming. These are probably two of the most prevalent payment security related issues that retailers are facing these days. And that's what we've tried to help the industry and provide those solutions that can work for everyone.
Kandyce Young: That's really good, Tony. I think because PCI DSS from its inception was really about fostering the broad adoption of consistent data security measures all around the world. So, the new version of PCI DSS, we needed to make sure that it evolved to align with the evolution in payments, right? So, a lot of the areas that the new version focuses on, you know, flexibility to implement technology, but also meeting the security needs of the payments industry, tackle those exact items that you discussed. Because we had open RFC comments for our stakeholders, we got over 6,000 comments about how organizations are looking to better secure their environments and what we need to do to help them achieve those better security practices. So, with all of those comments, that really drove the evolution and the focus we have on PCI DSS, right? So, we've got stronger encryption, more complex authentication, and the e-commerce skimming that you mentioned. So, prevention and detection are key aspects, as well as anti-phishing support, because we know a huge social engineering tactic is phishing. And so, we've brought in the technical and awareness components to really drive that home to support our stakeholders.
Alicia Malone: So, Kandyce, for retailers who are new to PCI DSS v4.0, what should they do to start implementing it in their own payment environments?
Kandyce Young: The first thing I would say is read the standard. I mean, we've got an extensive amount of guidance, best practices, and we really drill down into the why and provide a lot of examples. I mean, that's why the standard itself has become about three times the size that it was in version 3.2.1, not because of the new requirements, but because the feedback from our stakeholders told us that they wanted clarification, they wanted additional context, and so we provided that in the standard. So read that to really help you understand the requirements, new and updated, and how they impact your organization. So, we've included several new concepts that I think organizations should really look at when they're starting to implement. So, the Customized Approach, right? That is a new way to meet PCI DSS requirements to really help support innovation in the industry. We've got targeted risk analysis, right? So, we've done away with the formal organization-wide risk assessment and we're looking at requirements and the specific controls that address security concerns, and looking at how the business addresses their risk to help mitigate the impact of any of those issues. So, we've got network security controls, as well as we have the general term of third-party service providers, or TPSPs as we call them, to really wrap in general support for the service provider and merchant communications.
So, I'd say, you know, look into the targeted risk analyses to really help understand how you can meet those requirements to help, let's say, determine the frequency you want to check for systems not at risk for malware in your system. Well, we offer flexibility to do that. So, make sure you perform the targeted risk analyses and go to, I think it's requirement 12 that offers details on how to properly perform that.
Another thing I would say is don't let your version 3.2.1 controls slip. I mean, stay strong with your existing controls because we know, yes, it is a point in time assessment, but the goal is to make sure we perform security as a continuous process throughout the entire year. And even if you do complete an SAQ, which I know some of the retailers do, still review the guidance and the standard because it's equally applicable. We've included considerably more guidance in the standard that may not have made its way to the SAQ, so make sure you read both documents in their entirety.
Luke Vander Linden: So, Target, ahead of the game as usual. So, Tony, when you were implementing this, what was the biggest realization that you came to and how did you start?
Tony James: Yeah. So honestly, our biggest realization, Luke, was not to overthink it. So, where Kandyce said, read the standard first, I totally agree. I was going to say, I completely agree that it's the right place to start. A lot of people jump right to looking at webinars or asking industry experts. And I'm going to get to that. That is absolutely something you should do, but first understand the impact it has to your organization. Kandyce said it really, really well there that the first thing is to read that and understand how it impacts you because oftentimes, if you jump right to what other people are saying, you're going to be focused on the wrong things. A great example would be digital skimming. For us, like that is a huge new component in PCI DSS v4.0. It's not as impactful actually to Target. We already had a solution in place. It was a risk in the industry that we were facing, and we had a solution there that we could just say, okay, that's our thing now. It's not a significant impact to us. It's still super important. A lot of evidence we'll have to gather. It's a new thing but it's not necessarily going to be a huge obstacle or a huge new thing for us to attain. There are other things in there, multifactor authentication or authenticated scans. Those are definitely new in the industry and also somewhat new to Target. And so, there'll definitely be some lift there, but that might not be the case for other organizations. I've definitely talked to some peers out there who have said, “You know what? I already was doing multifactor twice, so it's not a big deal.” That totally makes sense. But if you just look at what's happening in the industry and what they're talking about, you might be focused on the wrong things. So, read the standard first.
Alicia Malone: Kandyce, do you have any tips on how companies can prepare for this transition?
Kandyce Young: Yeah, most definitely. In addition to reading the standard, we did publish a Summary of Changes document. And so that is really, really helpful to give you an idea of what was in 3.2.1 versus how it's kind of been modified in version 4. And it also includes a full list of all of the new requirements added to the standard and when they will be effective. So that is the first resource that I would say. And actually, as Tony was mentioning, you're prioritizing your remediation activities, right? He was already meeting certain requirements. So now they're able to have the opportunity to reallocate resources to maybe other areas where they may not necessarily be meeting the appropriate controls for PCI DSS v4.0. It's important to have that understanding first, right? To be able to kind of reallocate those resources. I would say, preparing for the transition, another thing is understand the validation options, right? Because as I touched on, we have the Customized Approach, right? And so that is really to help support cutting edge technology that organizations may be using. But it's really important that if you're going to embark on that journey of the Customized Approach, start it as early as possible because there's an additional documentation and support required to really help to not only implement but maintain and secure those innovative controls. So, we've got quite a few blog posts on this very topic, the Customized Approach, on our website. So, I would say that is a great reference to look at it for organizations wanting to understand a little bit more about that. And I would say document your steps and inventory your components because it's often overlooked. Establishing policies and procedures, sometimes they're quite time consuming and you may not know you're missing steps until your assessor lets you know, right? So, in order to support the ongoing consistent implementation of these security controls, document and inventory, because part of the new standard, you've got to inventory bespoke and custom software, cryptographic cipher suites, trusted keys and certificates used to protect PAN that's in transit. So, we've got a few materials on our website to really help support this transition. So those are the things I would say to start with helping this transition.
Kandyce Young: Tony, I know you've got some things to say about that. How have you guys really helped to prepare for this transition? I know you engage quite a few trusted experts.
Tony James: We did, and so I appreciate that, Kandyce. Yeah, I think you nailed it in saying that the first thing to do is to understand what is right for you in digging and even understanding what the different ways to validate your compliance are. So, the first step for us really was after we understood the requirements, I think the document you referenced there where you can, you're talking about what the big changes were is great.
What we did then was actually look back at version 3.2.1 for what requirements had changed and compare, like what was it that changed within their requirements? We could really know like, is it just a wording change that was significant? Is it a brand new requirement? What was it about that clearly changed? That helped us drive how big a deal it really might be. And once we really understood which some of the biggest requirements were, I know that the Council does a great job saying there's like 64 new requirements. And for us, it's 64 plus then nine or so that were significant changes. So, we have 75 new or significantly updated requirements that really applied to us. The key then was understanding how big a deal are those and really categorizing those and then talking to those trusted experts. We've started going down this path. This is what we think the big changes are. Are we missing anything? And that's where you engage your QSA. That's when you engage some of your benchmarking.
Some of you might know, I have a number of groups that I benchmark with, both within Retail and Hospitality ISAC, and I have a couple other benchmarking groups that I facilitate myself just to make sure that we are really aware of what's going on in the industry and what other people are saying about these. I would say there were about 74 other requirements that we nailed and then there was one like, oh, that's an interesting point that someone brought up and I forget which one it was. But it was just really helpful for us to realize that we were pretty much on point for everything and then there's one new thing that we missed. Then we talked with our QSA after that benchmarking and watching the webinars and talking to our peers. And that's when I realized actually for a couple of them, we were over indexing. They're like, hey, you know, you're saying this is a big change for you. Based on all these things we know about you and the evidence you've provided already in the past, that's actually probably not a huge lift. If you just do this, that's probably going to be good enough for us to understand or meet this requirement. So that was super helpful for us to engage those two different groups to make sure we understood what the impacts were and how it really would impact us.
Kandyce Young: And you know what else I would say, too, which I found through some feedback we've been receiving is sometimes if you are engaging or beginning with new technology - like Tony, you're in a great position - but other organizations may have had a huge lift on some of the technology that they've had to incorporate into their environments. And one thing I would say, too, in addition to trusted experts, is training your internal staff. So it's important to make sure that when you add any new technology to your environment, or you're making any updates in response to PCI DSS v4.0, let's say, making sure that your staff is aware and up-to-date on what's happening and they're trained on that so that if there are any issues in the future, you already have in-house experts to help support that. And I think other organizations can maybe benefit from that knowledge. I'm sure, Tony, that's something you're already doing with your great staff, but I think it's so important for others to be aware that “hey, we want to do cutting-edge technology.” That's great. So, make sure we have people on staff to support us if in fact, maybe the new technology is not addressing all of the system components it should or it's malfunctioning. So, make sure you have that, those trusted experts internally, before the assessment begins.
Tony James: Yeah, I agree. That kind of brings me back to the other point you mentioned earlier on validation and using the Customized Approach. First of all, I really want to applaud the Council for implementing this. I know they did a lot of work with the industry to understand what the industry wanted here and how to make it come to life. And so, I applaud you for making it a reality. That said, I think it's a great point to call out for those of you who haven't dug in a lot. It will be a lot of work. Don't go in thinking, “oh, great, I'll do this Customized Approach, and that'll be less work for me in the end. And it'll just make this whole process easier.” There's some realization that it probably could make things easier for your business or easier for your technology experts at the end, but there's going to be more pre-work ahead of time working with your QSA and working internally to understand exactly what those controls are, doing that targeted risk assessment as you referenced, and preparing to evaluate a control that you're creating to meet this requirement. I want to make sure everybody is really aware of that; that it's a great option, but it does not mean lots less work.
Kandyce Young: You're so right, Tony, because I think the Customized Approach was really developed for risk mature organizations that have a strong framework and strong resources. They can really associate or provide strong resources to help support the implementation, but also the long-term efficacy of those controls. Because you're right, there's a lot of documentation involved. But for organizations that want to, you know, do some sort of modern malware protection or anything else that's really exciting with evolving their network segmentation, then there's certainly a space to do that.
Alicia Malone: A question for both of you, and I'll start with Kandyce on this. What is the most important thing that you want retailers to take away from this podcast regarding PCI DSS v4.0? I know that our timeline is getting closer, and I wondered if you could just speak to that, Kandyce, and some of the really important things that they need to know going into this.
Kandyce Young: Well, start now, right? So, PCI DSS v3.2.1 retires on 31 March 2024. So that is right around the corner. So, after this date, it's PCI DSS v4.0 assessments. We do have some additional best practice requirements that are now future-dated, and those will take effect on 31 March 2025. But it's important that you perform your gap assessments, so you know where you have those gaps and controls, so you are prepared to adopt those new controls that come into effect in 2025 well in advance of your assessment date, right? So, prepare for the assessment before you undergo the assessment. Get organized, be informed about controls and the gaps in your controls, and your practices. So, we say that early planning and proper investment are critical to your success. And finally, I will say, I will plug, we collaborate with the industry on a regular basis and that's how we thrive. That's our foundation. So, if you'd like to collaborate with us, you can become a Participating Organization. And that really gives you, as an industry stakeholder, the opportunity to be involved in the direction of our standards, as well, it'll give you the opportunity to join our Special Interest Group that we're working on right now about scoping and segmentation for modern network architectures. So, your voice will be heard, and your expertise will become a part of the guidance to the payments industry. So those are the things I think retailers can take away from our talk today.
Luke Vander Linden: Kandyce, I think that's great. The best laid plans though of mice and men often go astray. So Tony, what would you say if you're running late? What should you do next?
Tony James: So, I think the first thing to do is really engage in that gap assessment quickly. I talked a lot about what we did from a gap assessment standpoint, and that's where I would focus. And it's similar to kind of what Kandyce was asked there too. So where should I start? What should I do? It really is three things: it's read, plan, and communicate. So read it, understand it, talk to the experts in your organization. You'll have subject matter experts throughout your organization, talk to them and understand the impact to you. Gather details about what you and those other experts outside of your organization might think are the biggest impact. Make your plan. So, plan for what you're going to do, how you're going to do it, what your timelines look like, and what you need to accomplish. By what dates? Cause there's different dates. Some things are due in 2024, some are due in 2025. So, prioritize that. And finally, we haven't talked about this one enough: communicate. If you have read it all and know exactly what you need to do when you start doing it all, but you haven't told anybody in your organization, you're not setting yourself up for success. So, communicate what's going on with version 4.0, how it impacts you to your organization, and communicate what those plans are and what you need from those experts. If you want them to do something by a certain date, you probably need to look at perhaps what the organizational budgeting timelines are within your organization and work around that. If you need something done next year and your organization does budgeting in January, you want to probably be talking to those teams well before that so they know what budget to ask for so they can implement that in the next year. So those are the three things: read, plan, and communicate.
Kandyce Young: I wholeheartedly agree with that, Tony. I think properly allocating human and technical resources and giving enough time prior to implementation, I think is a really key and critical component to success in meeting the new requirements. So, spot on, I agree.
Alicia Malone: Kandyce, where can our listeners go for more information about PCI DSS v4.0?
Kandyce Young: Well, you can head over to our website at PCISSC.org, and we have a PCI DSS Resource Hub actually, with all the documents I mentioned. So, the Summary of Changes document, we've got our Standard, we have Coffee with the Council, videos where we have commonly asked questions, we have a considerable amount of FAQs because we are receiving questions on a daily basis from our stakeholders. And so, when we receive enough of those, we actually publish them as formal FAQs on our website.
And so that's a resource that we're updating on a regular basis. We put quite a few in just last month. So that's another great resource to head on to. And blog posts. We're constantly doing those. So those are all available on PCISSC.org.
Luke Vander Linden: That's excellent. And we'll link to all those resources as well from our show notes on our version of this segment as well. But I also want to plug, this isn't the last time you can hear from this group and a couple more folks. We're also hosting a joint webinar on this topic. That's going to be on 25 May at 3 p.m. Eastern time. And again, we'll have links all over the R&H ISAC website and we'll put it in the show notes as well. And I'm guessing you guys will do that as well.
Alicia Malone: Absolutely. We're looking forward to that webinar as well, Luke. And I wanted to just thank our guests today for their insight. This is so helpful, and I think this is really great information for the industry.
Luke Vander Linden: Excellent. Yes, thank you both as well. And thank you, Alicia, for letting me co-host with you. I think this worked out great. So hopefully maybe we can do it again someday.
Alicia Malone: Yeah, let's do it again. This was a lot of fun.
Like what you’ve heard? Subscribe to PCI SSC’s “Coffee with the Council” podcast by visiting any of the following platforms: Spotify, Amazon Music, Anchor, Castbox, Google Podcasts, iHeartRadio, Pocket Casts, RadioPublic, or Stitcher. Coming soon; Apple Podcasts.