preparing for PCI 4.0 when the standard hasn't been published


For the past several years, higher-tier security professionals have viewed the Payment Card Industry Data Security Standard (PCI DSS) as the minimal approach. In other words, as far as security goes, PCI is the lowest standard. The bar is being raised. Are you prepared? Organizations that view PCI as a checkbox for security are in for a rude awakening.

PCI 4.0 focuses on the intent and outcome, rather than the compliance checkbox.

Reactive organizations are going to find themselves scrambling to keep up. There’s already a workforce gap in IT security, with perceptions that current IT security personnel are not fully qualified. This has the potential to shake a few organizational trees. On the flip side, the more mature organizations, and those that actively embrace new changes, are going to be in for a pleasant surprise.

The intent-and-outcome approach is similar to that of a risk-based mindset. In other words, if questions such as “does what we’re doing actually work?” and “are we actually secure?” are asked, then you’re on the right track.

The million-dollar question is “how do I prepare for PCI 4.0 when the standard hasn’t been published yet?”

  • Follow industry best practices
  • Ask the right questions:
    • We’re compliant, but are we secure?
    • Can we prove we’re secure to a reasonable level?
    • Do we have everything documented and updated, including roles and responsibilities?
  • Look at security with a risk-based mindset.


Good starting points for industry best practices are:

  • National Institute of Standards and Technology (NIST)
  • Control Objectives for Information and Related Technology (COBIT)
  • International Organization for Standardization/International Electrotechnical Commission (ISO/IEC)
  • International Society of Automation (ISA)
  • Center for Internet Security (CIS)

Each one of these has excellent blueprints for organizations, with standards and frameworks. Most can map back to the current PCI requirements. Keep in mind, though, that there is no one-size-fits-all; a blend of standards, customized to your organization’s needs, will have to take place.

When it comes to asking the right questions, a reactive organization that has never had a breach will likely refrain from asking them at all.

Experience is a hard and great teacher. To motivate a security mindset, bring the stakeholders together and ask them the aforementioned questions. They’ll most likely say yes to everything. Next ask them the same questions, but in a scenario where their personal bank accounts and life savings are on the servers. Other than jokes of “they’re not getting much”, the answers should change. Explore their feedback.

First, what’s a risk-based mindset?

This is one that looks for approval from management, follows rules, and makes decisions fully aware of uncertainty, striving to achieve the best outcome. Much like a captain driving their ship through iceberg-infested waters, you’re thinking “how can we reach our goal?” The captain radios in stating they’re changing course to avoid a storm, much the same way a CISO calls a board meeting to make a change. Terms such as compensating controls come into play to reduce risk. The captain asks the crew to reinforce the hull against icebergs (a compensating control), much the same way the Security Director puts policies in place to harden the systems. If on the dreaded day the captain deploys the lifeboats, you’re doing the same with disaster recovery plans to ensure your assets are protected. The risks involved are not one-time events or simple fixes. Much as the ocean landscape changes, so do security threats and actors.

The question is, are you going down with the ship or charting a course sailing through smooth waters?


SecureTrust, a Trustwave division, leads the industry in innovation and processes for achieving and maintaining compliance and security. SecureTrust delivers world-class consulting, compliance and risk assessment services and solutions for the enterprise market as well as tailored merchant risk management programs and solutions for merchant program sponsors around the globe.

Contact us today for all Enterprise Compliance, Merchant Risk Management and Compliance Technology needs.


Written by Jason Wulf

Jason Wulf is an information assurance expert interacting with information and cyber security domains focusing on risk and compliance in the financial industry. Jason’s previous roles primarily consisted of management of enterprise level infrastructure, Service Desks, and help desks. Miscellaneous responsibilities included project management, agile development, and system administration.

At SecureTrust, Jason leads engagements with clients to assess, test, and perform onsite PCI-DSS compliance validations with CDEs (Cardholder Data Environments). He performs scoping, PCI GAP assessments, risk and remediation consulting for practical and actionable steps in improving their security stance with a mindset of governance, compliance, and organizational privacy.