Even though most organizations are still planning to attest compliance this year against PCI DSS version 3.2.1, it is still recommended that you communicate to your merchant managers regarding what they can expect next year (2024) as your organization transitions to PCI DSS version 4.0 compliance.
Scheduling an informative webinar or workshop with your merchant managers and/or technical resources can help introduce PCI DSS v4.0 and explain why the PCI SSC updated the requirements to better address new risks and threats, and ensure organizations are aligning their security controls with current information security best practices.
It may be helpful to break apart the workshop by SAQ type depending on your payment environments. This way you can focus on the new requirements within each SAQ that will impact them specifically. For example, for your ecommerce merchants that are eligible for the SAQ A, you may want to spend a little time with them reviewing the updated requirements for passwords, as well as how to determine if their site qualifies for new external vulnerability scanning requirements and what information will need to be provided to your teams to plan for those scans and ensure you are able to achieve passing quarterly scans come April 1, 2024. For those merchants with PTS devices (typically SAQ B, B-IP, or P2PE), you can review any changes around requirements for device inspections and discuss the necessary frequency of those inspections based on the organization’s targeted risk analysis and policy.
It will also be helpful to review merchant responsibilities for monitoring any third-party relationships they may have that are involved in the payment process. If merchants are currently responsible for collecting merchant compliance documentation, reinforcing this responsibility to collect an updated Attestation for Compliance (AOC) annually from each third-party service provider is important. With PCI DSS v4.0, vendors should also be outlining responsibilities between themselves and your organization. This can come in the form of a responsibility matrix or can be outlined within the contract language.
This preliminary workshop can also be a good time to review your organization’s annual compliance calendar and timelines for merchant SAQs, annual awareness training, and the planned timeline for transitioning to version 4.0 SAQs. Prior to the SAQ launch, spend time either through an annual merchant survey or annual check-in visits with your merchants to review the various methods your merchants are using to accept payments, identify any possible areas of non-compliance, and confirm you have correctly assigned SAQs to each merchant area.
This is a good time to just connect with your merchants and evaluate any opportunities for streamlining processes and reducing the organization’s overall scope and risk. Talk to merchants about centralized resources, new payment options, etc., and reinforce the requirement to review any new or alternative payment methods with the PCI team prior to accepting payments.
You can also remind merchant contacts of critical procedures, especially the steps they should take if there is a suspected incident or breach, who they would contact, and how they would take payments in the interim (i.e., do they have a back-up or alternative method already identified)?
Reinforce to your merchants that your PCI team (and CampusGuard!) will be there to assist during the upcoming transition to the new version and will provide training workshops prior to the planned v4.0 SAQ cycle, as well as updated guidance documentation. Continued engagement with your merchants allows them to feel comfortable coming to your team when questions arise and prevents any rogue activities from occurring on campus that could potentially put your organization at risk for non-compliance.
If you have questions about how best to structure a merchant workshop or if you would like to partner with your dedicated CampusGuard customer advocate team to present to your merchant community, don’t hesitate to reach out to your CRM or contact us to discuss further.
Additional feedback from one of our Security Advisors:
[Gundrum]: While many of the requirements new to version 4.0 are “future-dated” in that they are not mandatory until the end of March 2025, some new requirements take effect immediately upon transitioning to version 4.0. For example, the addition of external vulnerability scanning to SAQ A takes effect immediately upon transitioning to version 4.0, so your merchants will already have to attest to having that control in place in 2024 (or early 2025). Additionally, compliance with future-dated requirements may require changes to your environment or processes that require time and effort. For this reason, you may want to consider directing your merchants to use the 2024 attestation cycle as a trial run for those future-dated requirements rather than just marking them as not applicable, so that you can tease out any challenges with meeting the requirements before they become mandatory.