After a few delays, the Payment Card Industry Security Standards Council (PCI SSC) finally released PCI DSS 4.0 on March 31, 2022. Unlike previous updates, this one includes significant changes, more clarity and flexibility in some areas, and increased legal risks.
For example, there’s greater focus on targeted risk analysis, organizational maturity, and governance. PCI DSS compliance will now be considered a continuous effort, rather than an annual snapshot exercise. A customized approach to PCI assessments is available, which enables businesses to implement alternative technical and administrative controls.
Implementing PCI DSS 4.0 will require more than just modifying security controls. The good news is that the previous version, PCI DSS v3.2.1, will remain active through March 31, 2024. At that time, it will be retired, and PCI DSS v4.0 will be the official standard.
Organizations will then have an additional year before any future-dated requirements come into effect as part of a v4.0 assessment. Each future-dated requirement will be noted in PCI DSS v4.0 as a “best practice” until March 31, 2025. Organizations aren’t required to validate against these specific requirements until that date has been reached.
Once training becomes available to assessors in June 2022, assessors can start conducting assessments using either v4.0 or v3.2.1. Only PCI DSS v4.0 can be used after March 31, 2024.
The PCI SSC’s implementation schedule provides a transition period to enable organizations to familiarize themselves with the requirements of PCI DSS v4.0, update their reporting templates and forms, and plan for and execute what it will take to meet the updated requirements. In addition, both the standard and the summary of changes will be translated into several languages and published between now and June 2022 to support worldwide adoption.
You’ll find everything you need to know about it on the PCI DSS Version 4.0 resource hub. The following are just a few of the changes to take note of:
PCI DSS 4.0 increases the requirements for periodic diligence by adding several new controls. These include:
Organizations may want to build the new processes and try them out prior to having to rely on them for PCI DSS compliance through their Report on Compliance (ROC) or Self-Assessment Questionnaire (SAQ) processes and QSA oversight. This will save time and help reduce the risk of potential noncompliance.
Previously, when merchants and service providers couldn’t meet the prescriptive controls of PCI DSS 3.2.1, they had to propose a compensating control. They then had to justify it with a risk assessment and a compensating control worksheet (CCW). This option still exists in PCI DSS 4.0, but now a customized approach is available.
The customized approach retains the risk evaluation requirement. Instead of compensating for the lack of a control, however, the customized approach allows the merchant or service provider to document a different control based on the objective of the control being customized.
The customized control will then be assessed by the assessor in place of the control being substituted, allowing for long-term customization rather than a shorter-term “compensating” control. Note: Not all controls are eligible for the customized approach.
PCI DSS 4.0 includes a sample targeted risk analysis template (PCI DSS Appendix E2) that provides expanded guidance for conducting risk analysis. It’s not required, but the template does provide more information on how the PCI Security Council expects a risk analysis to be conducted.
There are now descriptions and examples of what constitutes a significant change in PCI DSS v4.0, Section 7 (Description of Timeframes Used in PCI DSS Requirements). This is particularly important given the many interim changes, adaptations, and updates, especially in the US mobile payments industry.
PCI DSS 4.0 aligns with the NIST guidance on digital identities for authentication and life cycle management, and now requires that:
One of the big changes – and repercussions – of PCI DSS 4.0 is its increased focus on risk assessments. Under PCI DSS v4.0, organizations may have to disclose more information about their security programs to qualified security assessors (QSAs) than under previous versions of the standard. PCI security assessments aren’t conducted under privilege, so organizations should be prepared for more scrutiny of their assessment documents if a security incident occurs.
It will be critical that all statements made in risk analyses be accurate, verifiable, and consistent with other disclosures. Customized controls should defensibly meet the defined customized approach objectives. Documentation must reflect actual, provable, and current security practices.
The complexity of the new requirements in PCI DSS 4.0 and the time required to implement the changes means transitioning to the new standard may not be easy for many organizations. Start planning your transition now instead of waiting until the current PCI DSS version is retired.
A good first step would be conducting an unofficial assessment against the PCI DSS 4.0 standard to identify compliance gaps, needs, and opportunities. Engaging legal counsel and other consultants in this assessment and other aspects of the transition is also recommended to ensure more comprehensive consideration of risks and exposure and ensure a successful transition.
US Signal is ready to help as well. While your organization is ultimately responsible for meeting its PCI DSS requirements, US Signal can help ease the burden.
US Signal maintains a well-governed, high-quality IT infrastructure that meets the demands of a wide range of governing agencies, including PCI DSS. We are independently audited for PCI DSS compliance ourselves, and understand what it takes. We also have an on-staff compliance officer and executive security team, and will provide audit documentation and other assistance as appropriate.
Call (866) 274-4625 or email [email protected].