
Good morning everybody. I'm the one right before lunch, so lucky me, and I won't feel offended if 30 minutes in you're like, all right, I'm hungry, type of thing. But today we're talking about PCI. [Laughter]

So obviously there's been a big change with PCI: in March they released a new one, so we're going to be talking a little bit about what the changes are, how it could impact the environment, things of that nature. Before that, I'm Justin Leapline. I've been involved in and out of consulting. I've worked at a number of companies where I had to deal with PCI. I've worked for an acquirer, I've worked for an issuer, worked for e-commerce, you name it, I've probably done the standard within PCI. I ran the PCI practice at TrustedSec for about six years, so I'm going to go through a little bit of that stuff. Right now I'm actually self-employed, working on a product, a GRC tool for smaller companies. I'm an alliance faculty, and I actually just this week launched a coffee roasting company, so, like I didn't have enough time to do anything else, I figured I'd do something else here.

So let's get started. First off, we're not going to talk in depth about PCI and all this stuff; there's plenty of resources out there. We're going to strictly focus on the delta of what 4.0 is bringing to the table. So if it deals with that, what they're changing and everything, we're going to be talking about that. If it's the rest of PCI, how it impacts scope and everything, we're going to touch a little bit on scope, but more on how it's changing. The text I'm going to have is going to be pretty nerdy, kind of bulleted out, but my intention is that you'll take this as a resource, bring it to your company, and then you can use it as kind of a checklist for when PCI actually comes to fruition: you'll be able to check it off within your environment. So keep that in mind. Also, from a photos perspective, I have links at the end, so you can take a picture of that and download the full presentation; you don't have to take pictures all the way through, just as an FYI.

All right, so what has changed? They added 64 new controls into 4.0. So 3.2.1 was out there for years; now with 4.0 they're adding a ton of new controls. For merchants there's 53 of them, and then for service providers there's 11 that are strictly for service providers. If you don't know what the difference is: a merchant is, if you're swiping the card and that money's going directly into your pocket, you're a merchant, and a service provider is you're providing services for companies that are doing that. So AWS would be a service provider for merchants that are being hosted within AWS.

Now there's a lot of different deadlines to this. Immediate, when we say immediate, is the first time you're using PCI 4.0 as an attestation document. So whether you're doing an SAQ or whether you're doing a full-blown ROC, immediate is the first time you're using the 4.0 standard to submit for your attestation; those controls become immediately effective when you're first using that. But there's a lot of future-dated controls as well, and they are best practices all the way up to March 31st of 2025, so there's
plenty of time for this. So there's different, varied degrees of that.

So first off, one of the big changes is the customized approach. So what is the customized approach? They have basically what they call the defined approach, which is the typical stuff, the stuff that's already in there; they say you should do it this way, the straight PCI one. The customized approach replaces the compensating controls. So if you're familiar with compensating controls, they are: I can't do it exactly the way PCI is telling me, I have a business limitation, whether it be financially to put it in or technically to put it in, and now I basically have to come up with a "here's how I'm kind of getting around it." So if you can't encrypt on your mainframe, you have to make it really hard to even get into your mainframe to get that data; that would be an example of a compensating control. So they got rid of that. There is no limitation for you to be able to use the customized approach; you can use the customized approach whenever you want. Say there's a new technology that's all behavioral AI and it eliminates all viruses from all systems, but it doesn't technically meet any of the requirements directly; you can actually produce a customized control and say this is why it's better, we've done a risk assessment, here's where it goes, type of thing.

So in this, if you see kind of the requirements here, they have the defined approach, that's a standard control. But then they have the customized approach objective, so if you're producing a customized approach, a custom kind of design to accomplish that objective, this is what you're aiming to accomplish with this. Now I will say, reading through some of these, they're not the best descriptions. Like sometimes they just reiterate what the defined approach is; it's not really the objective of keeping bad guys out or not exploiting malware or something like that. They're just like, MFA, you should have MFA. It's like, okay, well, what's the actual objective? It's to keep unauthorized people out. They're just saying you need more than one factor as the objective. So it'd be interesting to see, as QSAs, we've got a while until QSAs start to interpret this, to see how they actually read into this, because right now the definition of the customized approach is essentially you need more than one factor. So if you're not doing 8.4.1 initially, you still need more than one factor with that. But you can see they do the applicability approach; this is where they sometimes put limitations into it. So you'll see things in the applicability notes where they'll say this doesn't apply to point of sale systems, or this is only for this type of accounts, and everything. So these are good things to kind of reference as you're implementing some of the controls.

So what if you want to do a customized approach? Customized approach sounds great: I can't meet it directly, I have this new innovative product, or I can't meet the direct control. It's a little bit of work to actually get to that. First off, you have to fill out a control matrix template, which is basically outlining what you're accomplishing with this control and the testing requirements and plan that you have with it. You have to do a targeted risk analysis, which we're going to be talking about later; they have a lot of that throughout the new requirements. You have to perform your testing. Now you can offset some of this to QSA companies or consulting companies, but you're going to pay for that, obviously. Most of the QSA companies I've heard of, when you're going through, especially with a ROC, are going to be charging extra for any type of customized approach control that you have. I've heard people haven't fully implemented this, but if you have a customized approach, it's going to be a dollar sign per customized approach added to your cost, so just keep that in mind. And then maintaining evidence: you're going to have to retain that evidence, and the assessors are going to have to look over all of that stuff to be able to approve that customized approach.

So some of the templates with this. This would be the control matrix; you can see kind of the "what requirements," "describe it," "control implemented," "control performed." A lot of extra work to kind of fill this out. I'm not going to go through this in detail, but you kind of get the gist that it's not just like, hey, I'll flip this and it'll be all good; there's a lot of work if you're serious about actually implementing something along those lines. And then the targeted risk analysis, they give a template also for this, where it goes through, kind of similar to the compensating control worksheet: identify what you're doing, what's the proposed solution, all that stuff. One of the things I love out of this is 1.3, "describe the mischief that the requirement was designed to prevent." I mean, some English person threw that language in, and you almost think, oh yeah, it's some evil guy with a mustache, you could just hear him laughing in the background. But what's even funnier, if you actually go to the definition of mischief, right there in the middle they give an example that the mischief is an absence of policy, and I'm like, is that really a mischief thing? So yeah, it's kind of wonky the way they describe some of these things here, but the goal of it is, like, if there's a lack of control, looking at that from that perspective there. Anyway, back to here. So yeah, identify the requirement, describe the proposed solution to it, then it goes on to analyze the likelihood, so it actually is a targeted risk assessment: you are evaluating on impact, likelihood, everything along those lines. Now it's not a great calculation; I mean, honestly, 3.3, you just check the box on is it more likely, is it the same, is it less likely, type of thing. PCI kind of allows you to do whatever into that. And the way I know the QSA industry is, they'll probably just allow that as your risk assessment if you fill out this sheet. And then changes to it, and then risk approval has to go up to executive management to approve all this stuff. And keep in mind, we'll see in the controls later, this has to be redone every single year for all your customized approaches. So it can be good, like if you're trying to do something in the cloud or there's some product that you really want to utilize that's not fitting directly within PCI, this can give you flexibility with it, but it's not short of the work that you would also have to do to actually implement some of this stuff. So just keep that in mind.

Another thing too, that we've kind of seen coming: if you're familiar, the cardholder data environment was typically defined as systems that store, process or transmit cardholder data; that's how
we define cardholder data. Now they're also defining the cardholder data environment to include systems that basically have the same kind of unfettered network access around systems that touch cardholder data. Now you'd say, Justin, those systems are already in scope, they're around that without any network access restrictions. The problem is they were classified as system components, and there are a handful of controls within PCI that actually call out CDE devices, like administering CDE devices with two-factor authentication internally. Now this kind of expands the scope. The other thing too is, say you have a shared services environment and you have Active Directory in it, or some other shared service that's providing service into the CDE; if you don't have, according to the QSA or whoever's assessing, good enough network access controls between those, down to what's business justified, you could basically turn that system into a CDE, and then all of a sudden that spreads to every other system in that network as well. So keep in mind, as QSAs are looking at this, it could expand scope quite drastically, and it really comes down to how that definition of network access, down to business justified, gets read. This was something that they introduced in the guidance documentation a few years ago, and one of the things we did with our customers was say, well, the guidance document had a disclaimer at the bottom of every single page that said this isn't the standard, and it actually contradicted what the actual 3.2.1 standard said. Now they're basically pulling it from the guidance and implementing it for sure in this standard here, so just keep that in mind.

So, new requirements. This is where we're going to spend most of our time, and I like answering questions, so if there's any confusion or you just want to get a clarification, let's do this right in the middle, just catch my eye. So first off, they've added, pretty much in every single section, roles and responsibilities for performing activities in requirement whatever are documented, assigned and understood. So they
kind of had this in requirement one; they actually reworded it just to be this for the network sections, that's why that asterisk is kind of there, but for the rest, they added this. So you can accomplish this either through policy documentation, assigning a team to particular services, RACI charts in a wiki, something along those lines. More documentation you have to do to show all these controls. And the way I kind of have this: "applies to all entities," so that's merchants and service providers, and then "effective" is immediate, so as soon as you use 4.0 as an attestation base you have to have this done.

Other documentation with this. With your retention of any SAD data, keep in mind this is more for issuers: if they're retaining SAD data, you have to have a way to actually clean that up on whatever your retention policy is. So in card production, which I worked a little bit in, in that time frame it's typically 30 days; you're allowed to store that information for 30 days and then you have to have a way to remove it. So that's basically just calling it out in the DSS that there should be a way to actually remove some of that stuff. There have to be technical controls so that you can't just remove PANs through remote access technology. Essentially what this means is DLP. There can be other potential technical means where you might be able to limit access to DBA individuals and other controls that accomplish this, but essentially this is calling out DLP, so if people have access to cardholder data, they're not pulling it over the VPN and putting it on their local computer. Another one from a documentation standpoint: you have to define your cryptographic architecture. So if you have any soft HSMs, certificates, anything like that, it all has to be documented; it has to be clear where your keys are stored, where it's being encrypted, all that stuff. And this is for service providers only, but keep in mind the common rule for "service providers only" for this version: "service providers only" for the next version will probably be for merchants too, for all entities. They have to have an inventory of all your trusted keys and certificates, so there has to be documentation pointing to where everything is within your environment for PCI. Another thing that's going to be a little bit bigger: you're going to have to have an inventory of all your software and all your third-party stuff. So that's custom applications, third-party libraries that you're using; if you've followed the bill of materials that they've been talking about, all that stuff will have to be documented and producible to the assessor, as well as any third-party products that you're installing onto your environment that have to be patched. And then lastly on the documentation: cipher suites and protocols in use are documented and reviewed. So your TLS certificate, what's the cipher suites that you're using, what's the protocols you're allowing; obviously you can pull that, but now you have to have a formal document: here's our approved TLS 1.2, AES-256, whatever that may be.

Some encryption stuff. SAD stored electronically prior to completion of authorization, both 3.3.2 and 3.3.3, are
issuers that they apply to. So if you're storing SAD, you have to protect it with strong encryption. They didn't directly call that out previously; they're basically just filling in the blanks on some of this stuff. Hashes: this is a big one. Hashes used to render PANs unreadable have to use a salt now; you can't just have a straight hash for your PANs, it has to be salted when it's stored in the back end. Now a lot of people will say, yeah, that's great to be able to do that, which it is, but there are potential things that could actually impact that. Whereas if you're a grocery store chain and you're looking for duplicate card numbers, it's now hard for you to just look in a hash table and say is there a duplicate hash in there, because everything's salted from that perspective. So just keep in mind this could impact some processes, depending on how you're using that hash. Another big one: they specifically call out in 3.5.1.2 that you're not allowed to just rely on disk- or partition-level encryption as your encryption source unless it's a removable drive. So if it's a USB drive, backup tapes or something along those lines, you can rely on full disk encryption-ish with that, but you're not allowed to just store your documents that contain cardholder data in an S3 encrypted bucket; that's not allowed. It has to be another layer of encryption on top of that, at the file level. And then certificates just can't be expired. So I guess they had some problems with this; in 4.2.1 they're specifically calling out that it can't be expired, even though it might still go over TLS 1.2 and just give a warning to the consumer. They're saying it needs to be a valid cert.

So this is one of the things that we talked about with periodic reviews. One of the most common terms that
they've added into this is a targeted risk analysis. So I showed you the example they kind of gave and broke it down on what they would do for a customized approach. Now, a lot of things, if you remember with 3.2.1, there were a lot of things that came out like you have to periodically review your gas station pumps to make sure that there's no tampering or substitution, you have to periodically review whatever; there's a number of components to this. Now, for a lot of stuff, they're either calling out specifically that you have to do this every seven days, or do a targeted risk analysis to define your own number, or they'll just call out that you need to do a targeted risk analysis. So keep in mind this has to be reviewed annually and approved by executive management for each one of these. So: a targeted risk analysis on any systems you deem not applicable to malware protection. So Linux systems, let's say you don't install any AV on Linux systems, you have to do a targeted risk analysis on an annual basis that says yes, they're still out of scope for anti-malware. The frequency of malware scans: they call out continuous in the standard now, but if you have an alternate, like you're scanning weekly, you have to have a targeted risk analysis. Inspections on point-of-interaction devices, point of sale devices. And then the determination of the frequency of log reviews on all other system components: you have to review it all on the CDE, but you have flexibility when it's outside systems. And then how frequently the targeted risk analysis itself has to be performed to review that. And then met with a customized approach, that's three one three two, what we talked about. And then periodic training for incident response personnel; you have flexibility on how often you do that for individuals. So there's a lot of work with this. We'll talk about, at
the end, like, outside of some of the technical controls and limitations that they're implementing in this, a lot of this stuff comes down to more resources, internally and potentially externally, on helping you basically just maintain your security program and build it up to where it needs to be for 4.0. Luckily we've got some time, but yeah, there's a lot of work to kind of do this.

Going on further, outside of the targeted risk analysis, periodic reviews. Now they're adding in that you have to review user accounts and access privileges appropriately. That wasn't a thing in PCI before; now it's SOX world all over again, you have to review your access on a regular basis. They're adding in system and application accounts. Before, PCI didn't really touch on this; QSAs were kind of like, hey, it shouldn't degrade the security, like just don't set the accounts to "password," type of thing. Now they're specifically calling out that application and system accounts are in scope and in use, and they should also be reviewed. Hardware and software technologies are reviewed. So one of the requirements is putting together a list of all your hardware and software, and one of the main things this calls out is when's end of life. So if you're using some Windows 2012 system, you're supposed to document when is end of life for this system, and the QSA, assessor, whoever it is, takes that and reviews it to make sure that you're all within the supported area, or have a customized approach that you could also do with them. 12.5.2 kind of was a requirement: if you were ever going through and doing a ROC, up in the top section, the kind of "requirement zero" as we called it, actually called out that you had to review your scoping and confirm it each year. Now they're basically putting this as a specific requirement, so you can write verbiage directly to that. And then the significant organizational changes; this is service provider only, you basically have to review that and communicate it to executive management. Sorry, repeat one. And then the security awareness program has to be reviewed every 12 months and updated as needed. So you can't use the same stuff that you used for like five years; now it has to be updated. We'll actually cover a little bit later that they've added phishing as a requirement into this as well. And then this is for SP only: if you're logging into multiple customers, there has to be a separation between the different customers; you can't just be connected to all customers at the same time, type of thing.

All right, monitoring. So one of the bigger things that was also added is monitoring your payment page for
changes on all the scripts and everything. So this is content security policy, if you're familiar with this: outlining where you're getting your scripts from, if there's any remote scripts you're pulling, that you're pulling them appropriately; it has to be hashed, so you have to verify the integrity of it. There's a lot of work in that, and keep in mind, we'll talk about this a little bit later, but they even add this into the SAQs as well, and even into SAQ A. This is one of the additional requirements in SAQ A, which is basically where you've outsourced almost everything. This is one of those ones where, if you're doing an e-commerce page, you'll have to make sure that you have a content security policy. No longer can you have the option to do manual review of logs or automated review; they're just calling out automated review of logs, which is a good thing, because in my firm opinion nobody really does manual review of logs. When we say manual review of logs, we're basically talking about you going into your syslog server and looking at the logs and validating that there's nothing wrong. Nobody's really doing that. There's some type of automated triggering system and triaging of those; that's what they're calling out. There has to be some SIEM that's raising alarms that you're triaging. A lot of things that they got in in three is looking at your security controls and calling out when they fail. They're adding things to that so that if certain controls fail, you're notified and deal with it accordingly. So failures of critical security control systems are detected, alerted, addressed promptly, and responded to promptly. And then in 11 they call out that you have to detect, through IDS, IPS, some other means like EDR, that there are covert malware communication channels, so C2, and just looking at that and detecting that. That's SP only right now, but again, it's only a matter of time before it comes to merchants as well. And then change and tamper detection mechanisms are deployed for payment pages. So specifically on the payment page, and it calls out once a week, or you can define it through a targeted risk analysis, you basically have to look at your payment page and see if it's changed, and do something if you didn't expect it to change. So some type of monitoring and kind of hashing of that page, and detecting whether it's changed without you being aware of the change to production. And then failures, this is a couple of additions: automated log review mechanisms have to alert on the failure of those, and then code review tools have to look at that. So if you have a DevSecOps pipeline and it's running to look at third-party packages, static code analysis, if that fails, you need to be alerted that it has failed. Do we need a break here? I mean, there's a lot, and like I said, my intention for this is to give this to whoever wants it, and that way you can have kind of your checklist to go through and utilize it. So yeah, the time frames are nice, that we got a lot of time, but I wouldn't wait, because there's a lot of little things that need to be done within the next couple of years for this. So I think we're almost done here, got a couple more sections.

So vulnerability
and anti-malware. Look at electronic media: so when you plug in a USB drive, it has to scan it. Most solutions have that nowadays, so it shouldn't be too big a deal; they're just calling it out. A mechanism is in place to detect phishing. So that means email protection on some of the phishing perspective. This wasn't called out before; now you have to have a way to detect certain phishing stuff. You could probably do it through some EDR aspects as well, but this is one of the things that you'll need to measure with automated technology. So WAFs are now required. Before, it was kind of: you can do an application assessment once a year or do a WAF. Now WAFs are required with anything that's public facing that takes cardholder data. Manage all other application vulnerabilities: they're specifically calling out application vulnerabilities that aren't high or critical risk, so you have to manage them. They're not necessarily calling out that you have to fix them, but you have to have an active program to manage them; you can't say medium and below, whatever, type of thing. There has to be a kind of determination on are we going to fix it, are we not, what's the risk to the organization. Another big one that's changing: no longer can vulnerability scans be just network based; it's either agent based or credentialed based. Obviously my preference is agent based, but you have the option to do credentialed scans with them. And then 11.4.7, multi-tenant service providers support their customers for external penetration testing. This basically came about because there's some bigger players, but they've modified a lot, but there's some smaller players where, if you have a remote hosting data center or something like that, they would be like, oh, you're not allowed to scan us, you're not allowed to do a penetration test, even though it was your site. And then it was like, well, are you doing the penetration test then? Like, no, that wasn't part of our contract. So they're basically calling out that if you're a multi-tenant service provider, you have to support your customers if they want to do a penetration test, and just calling it out verbatim in that.

Identity and access control. So this was a little bit of one where they've intermixed some of the NIST 800 changes into it, for good for most of it; some of it they didn't really change as much as I would like, but you know. So you have to manage, we mentioned, application and system accounts. You have to have a minimum length for passwords when used as an authentication factor; that's now up to 12
with that. They do allow an exception for systems that don't support up to 12, aka mainframes, type of thing, and it has to be at the maximum of that with it; they actually specifically called that out in 8.3.6. They still have that if passwords are the only authentication piece, it has to be changed every 90 days. You can adjust that with a targeted risk analysis, but they still have the default 90 days if it's a single factor to log in. If it's multi-factor, so if you're going into your cloud environment and it's always through multi-factor, you can up that to a year that you don't have to change it, or maybe not, like indefinitely. You can also put in other factors where you look at where the account is coming from, so if they're logging in from Nigeria and they never logged in from Nigeria, then that would do some extra flag. So you have some flexibility in actually implementing some of this stuff. Multi-factor authentication for all access into the CDE: so this is one thing that they added, that anytime you're going into the CDE, you have to have multi-factor access. The change from the last standard, where all they had was administrative access: this is basically anybody logging in. So if it's an accounting person logging into a system that has a spreadsheet of cardholder data, probably a bad idea but an example, they have to do multi-factor. So mainframe access may have to do multi-factor if they have a green screen that is going through and showing full card data and everything. Yep.
Yep, so the question, just to repeat it, was does that include web applications? The answer is, if you can see full card data in it, the answer is yes. Now keep in mind, I believe it's this requirement here, in one of those applicability notes they say it's not applicable to ones that can only see one card number at a time, type of thing. So if I'm a point of sale, I'm just entering in one card at a time, it's not applicable to those. But if you have a web application that can look at a spreadsheet of card data, say you're dealing with chargebacks or something like that, that would be an applicable control. Good question.

Multi-factor access on systems is implemented appropriately, so just making sure that you can't escape around it. I know the PCI Council had a big problem at one point: they had the multi-step authentication, they said both factors had to be authenticated at the same time, which is really hard to do when you're doing push notifications. They've loosened up a little bit, if you actually read the requirement, but they want to make sure that you can't escape around one of the factors, essentially, when it comes down to it. Manage interactive logins for accounts used by systems or applications. So if you use a system or an application account that's used for back-end stuff, if that is able to do interactive access, like it's going over SSH or going into the application and can perform other functions, you need to manage those appropriately.
Same kind of thing with the addition of application and system accounts; they're putting in all this stuff to say okay, you need to protect against misuse, so monitoring what they're doing, no escalation, like proper privileges, fall into this, with application and system accounts. And then multi-tenant: confirm access to any customer environment is logically separated. So this is SP only, but again the same kind of component of separating out that access between your different customers.

And then I think lastly, no, we have a miscellaneous one right at the end, a little bit on incident response. Change and tamper detection mechanisms: so we mentioned that if your payment page changed, you should actually incorporate into your incident response plan how to deal with that. So, different things like that: if something's tamper-detected, you need to have a response in your incident response plan for how to do that, so a playbook would work, specific to that. And then incident response plan procedures are initiated upon detection of PAN outside of the CDE scope. So if you detect PAN in your share drives and it's not supposed to be there, you need to have a plan to say okay, we need to analyze the whole scope, look at permissions, who had permissions, was there any copying out that was done, education, just kind of writing up something with that. And then have something, this is multi-tenant service providers, basically this is a bug bounty thing: if you're a service provider and your customers find bugs, you need to have a way to deal with them. And then a couple other things: we mentioned phishing and related social engineering attacks; that's a specific callout that now QSAs will be looking for within your training. And then training about acceptable uses of end user technologies; that was always kind of called out in the acceptable use in requirement 12, now they're calling for that in the training annually as well. And then third-party service providers support the customer's request, so whenever they're asking about their compliance, you need to respond to them. All right, take a deep breath, we're through the requirements here. Got a couple other small things. How are we doing on time? Oh, we're good on time.

All right, so SAQs. So one of the things that they're adding to SAQs, if you're filling out an SAQ: not only are they adding all the controls that we just mentioned, but they're also adding things that were already existing controls. One of the biggest ones that I've seen, so
far is that now SAQ A, which is basically, like, 20, 30, I think it's 36 controls, and a lot of that is physical because they can still take faxes, you know, under this type; now they're adding that you have to do ASV scans. So basically almost every type has to do an ASV scan. This is going to blow it up to a lot of different merchants that have never done ASV scans before and probably have never run a vulnerability scan as well in their life. So it'll be interesting to see how this kind of grows, you know, into the industry, because one of the biggest things we'll talk about in just a second is
people missing their ASV, you know, timeline. You're supposed to scan that quarterly, at least quarterly. If you miss that, all of a sudden it's a ding into your PCI. And Reports on Compliance, ROCs: so these are the level one, sometimes level two, merchants and service providers. So obviously we talked about they did away with the compensating control worksheet, but that was one of the sections that they did; now they've replaced that, and now they have "in place with remediation." So what happens if you're doing a customized approach? That's just "in place"; they consider that, if that's all good and your customized approach, that's an "in place" control. So
what is "in place with remediation"? So "in place with remediation" is any time the assessor finds a ding against you, they're going to expect you to correct it, and then they'll put it "in place with remediation" with a description of why they marked you with "in place with remediation." Now what will happen with this, is there an impact? Probably nothing, you know, type of thing, if you're compliant at the end of the day and you fix whatever problems, that's fine, you know, that type of thing. But, like, some of the biggest things when we're doing ROCs for customers: missing ASV scans, you know, that was one of the biggest things. We had our kind of
set company policy with this, but it was all over the place from a QSA standpoint. Like, I've even heard some things, like, ridiculous, like: we missed, you know, last quarter's ASV scan because the guy that was doing them just left and nobody picked it up, so now what are we gonna do? And I had a QSA tell me once, it's like, well, I guess you gotta wait for a year to get compliant because you're missing one ASV scan and you need to have four quarters, you know, type of thing. That's not the way PCI was designed with this. Now they have a specific way they essentially will do; they want to make
sure it has to be fixed, you know, with this. So the QSA would just say, oh, you missed just the last one, okay, that's fine, you know, type of thing; you have to run another scan with this, you have to have a remediation to cover why that failed, whatever that may be, and then the QSA will review that, accept it, and put it "in place with remediation," noting that there were issues with it but you fixed it, type of thing. And so some of the other stuff: unintentional storage of, like, PAN outside the CDE, missing policies, missing networks, basically anything that wasn't compliant right out of the start, they're supposed to turn it into an in place with
remediation. And then here's a little bit of, like, just the heading. So one of the things to keep in mind: QSAs are going to have a lot more documentation work. This is one control, and you don't start writing up the control until right at the very end; all the top part is just filler information. So first off, it's the selection of the boxes, then it goes into, you know, describe why the assessment finding was selected, and quite honestly it's kind of worthless if it's in place. It's like, because everything checked out, like, I got the evidence, everything looked good. Now it might change with "in place with remediation" or "not in place," you know, you
can describe, like, some of the stuff, but literally you have to describe why you selected that, which I think is kind of worthless, you know, type of thing; you could describe it down below. And then you have to basically say a customized approach or a control used, you know, into this, for the defined or customized approach. So yeah, it's a little messy. The biggest thing to get out of this: you wouldn't be filling this out, you know, this would be a QSA company, but they're going to charge you for this. So I've heard some estimates it's going to be, like, 30 more to what you're paying right now for 4.0, plus or minus, you
know, with this. And then it's even more if you're doing a customized approach. So just keep that in mind, that, you know, when this actually comes down into being implemented, there's going to be some price hikes into it. So lastly, to close up here, you know, a little bit of pros and cons. So the customized approach, I like, you know; that gives a lot of flexibility to merchants and service providers to actually do some of this stuff. Some of the controls were actually improved, you know, in the way they implemented them. I think some of the stuff, like, you know, monitoring logs, nobody really did it well manually, so, like, just eliminate that, you know,
type of thing. Adding more monitoring capabilities, which, you know, if you don't have a good monitoring program in place, you know, it's not if, it's when, oftentimes. So adding more monitoring stuff into it, I think, is a good thing. And it eliminates some of the QSA discretion. It was way back, but I did a presentation on PCI 3.0; one of my slides was actually slamming how bad it was of them doing "periodically," like they just added a whole bunch of "periodically" words into it. Now with the targeted risk analysis, they're at least taking it out of the QSA's discretion and putting it back into the company and saying, here's what we think this means and here's our risk
analysis to support that. So that's a good thing. The cons are: this is going to be way more work from a documentation standpoint; a number of controls are added; it's going to be higher costs, you know, both from an internal resource and from external costs, if you have to pay for that. And then you're adding control levels to the SAQs that I think, from a, you know, smaller company... I've worked with companies that are, like, three people, you know, doing, you know, non-profit volunteer work and everything. Now you're asking them to go get an ASV scan; they're going to be lost, and they're going to need a lot of help with this to do some of that stuff and everything.
So that's it. So I made a Notion site, but that was way too long; they both go to the same place. So if you want to take pictures of that, yeah, that's fine. And actually, I did not buy this domain just right now; I've had this for, like, five years. But I figured I'd spare you the big hash at the end. So, yeah.
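The incident-response trigger the speaker mentions in the requirements walkthrough, detecting PAN on a share drive or anywhere else outside the CDE, as an added example that is not part of the talk and is not PCI SSC or QSA tooling: a small Python scanner that finds Luhn-valid card-number candidates in text and reports them masked, so the finding can open the playbook without itself becoming another copy of cleartext PAN. The regular expression, the function names and the sample file contents are all constructed for illustration.

```python
import re
from typing import List, Tuple

# Added example, not from the talk: a minimal "PAN outside the CDE" detector
# of the kind that would feed the incident-response procedure the speaker
# describes. Names and sample data below are constructed for illustration.

# Candidate: 13 to 19 digits, optionally separated by single spaces or dashes,
# and not glued to other digits on either side.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Mod-10 (Luhn) check: weeds out order ids, timestamps and phone numbers
    that merely look like card numbers."""
    total = 0
    parity = len(digits) % 2
    for i, ch in enumerate(digits):
        d = int(ch)
        if i % 2 == parity:  # every second digit, counted from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(pan: str) -> str:
    """Keep only the last four digits so the finding itself does not create
    another copy of cleartext PAN outside the CDE."""
    return "*" * (len(pan) - 4) + pan[-4:]


def find_pans(text: str) -> List[Tuple[int, str]]:
    """Return (line_number, masked_pan) for every Luhn-valid candidate in text."""
    hits: List[Tuple[int, str]] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in PAN_CANDIDATE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group(0))
            if luhn_valid(digits):
                hits.append((lineno, mask(digits)))
    return hits


# Constructed sample of a file that turned up on a share drive (not real data;
# the card numbers are the usual publicly known test numbers).
SAMPLE = """\
2024-03-05 chargeback export: customer 4111111111111111 disputed order 20240305-000123
ticket 4451: call back 555-0100 ext 4112 re: refund
amex on file 3782 822463 10005 (do not store!)
order id 4111111111111112 shipped
"""

if __name__ == "__main__":
    findings = find_pans(SAMPLE)
    for lineno, masked in findings:
        print(f"line {lineno}: possible PAN {masked}")
    # A non-empty result is the trigger for the IR playbook the talk mentions:
    # scope the share, review who had permissions, check for copies.
    print("open incident" if findings else "clean")
```

The Luhn filter drops the order id and the phone number in the sample while still catching both card numbers, including the space-separated one. In practice a scanner like this sits behind a DLP or file-crawling job; the important design point for the playbook is that the report stores only masked values and line locations, not the PAN it found.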
So the requirement for when you have to use 4.0 is March 31st, 2024. That's when you have to... well, it's actually April 1st, type of thing, but you have until 2024 to still use 3.2.1; then you'll be required to use 4.0. And then you have another year for those future-dated controls to implement those and everything. If you're using, like... if you don't have those controls in place in that in-between time, it's not applicable if you put it there. If you don't have it in place... if you have it in place, you can just mark it in place. So, yep, immediate is, like, today you can actually file with 4.0,
you know, but a lot of people aren't choosing that because there's a lot of immediate controls. Like, as soon as you file with the 4.0 templates, you have to do all those immediate controls, you know, type of thing. So that's why, like, nobody's really filing with 4.0 right now, but there could be some later this year, next year, you know, type of thing, that, you know, as they're building up, if they already have those all in place, they'd be like, okay, yeah, let's start the transition into that, type of thing.
Yeah, so there are a number of ones. I'd actually recommend they have a summary of changes that they kind of break down. Yeah, it's awful. And honestly, I dove a lot into this for the presentation, but every standard, it always surprised me, like, they're like, oh, we just modified for clarity, and then you look at it and you're like, well, that changes the definition, you know, type of thing. I haven't seen too many of those, you know, as of now, that really substantially change it, to, like, oh man, this is really in scope. Like, one of the things they eliminated was that anti-malware should be on
"commonly affected" systems; they eliminated that verbiage. They basically said it should be on all systems, except for the ones that, like, another control... except for the ones that aren't really, you know, done, but you have to do a targeted risk analysis. So it kind of covers it under the terms, but they modified the verbiage, you know, type of thing. But yeah, yeah.
Yeah, yep.
So they did a kind of a cloud guidance, and it calls out some of the segmentation controls in there, but PCI does, like, they want to basically get hands-off on technology. And talking about that, they basically talk about principles of, like, okay, least privilege, you know, limited to only necessary, you know, traffic, all that stuff and everything. Micro-segmentation is great, especially if you can automate the maintenance of that, you know, type of thing, but it really just comes down to, it's still segmentation at the end of the day, you know, into that. So yeah, nothing directly, but the guidance, I thought they made a cloud guidance document; that comes the closest to that.
Correct, yep. Yeah, yep. So my recommendation on that: if you are shopping around for QSAs, look for somebody that's very familiar with cloud technology. You know, I've seen some, and nothing slamming, you know, a lot of that, I've had, like, ex-cops come in and try to look at, like, my acquiring information on a mainframe; he'd never seen a mainframe before. Same thing goes for cloud. Like, you get some QSAs, and sometimes if they're soft, you know, it's all right, like, okay, here's our controls, and as long as they're okay with it, sometimes that's all right. But if they start giving you hard notes, like, I don't understand, like, how is it really segmented, show me your ACLs, it's like, oh,
no, the rules are right here. Oh, I don't see where it's allowing port whatever. It's like, well, no, you know, type of thing. That's where you need to make sure you have a good partner if they're assessing your environment. So, okay, out of time. Thank you everyone; come and get me if you have any more questions.