With personality profiling now used in many businesses across the world, most of us are reasonably conversant with the principles behind the various Myers Briggs, DiSC or colour profiles in use. Whether you are a sociable introvert, an optimistic influencer or an organised Blue, there are key traits which characterise how you look at the world and how these impact on the way you work. But when it comes to how you opt to comply with the new Payment Card Industry (PCI) Data Security Standard (DSS) v4 there could be another type of profiling which would help you to work how you choose to comply.
But first, what makes the PCI DSS v4 different?
The new PCI DSS v4, released last March, is different from its predecessors. The language used demonstrates a lighter touch and is less prescriptive than earlier versions, leaving room for interpretation, subtlety and nuance. You no longer have to tick every box to pass the assessment on a given day. Instead, you are now expected to employ a risk-based approach, analysing each area of risk and focusing your efforts on where your valuable data is most sensitive. For example, the section of the v3.2 standard devoted to paper records may simply not apply to your business so once you are satisfied that this does reflect the environment, you can move on.
Another key difference is that compliance now needs to be ongoing. Simply pulling everything together in time for a Qualified Security Assessor (QSA) audit so you comply on a given day of the year, ignoring it for the remaining months, will be a thing of the past. You are now expected to have a strategy which adjusts with agility as the threat landscape changes so that compliance is responsive and ongoing.
What has not changed is the key aim to protect the data of customers. This is in no way weakened by v4 and your risk-based approach will be carefully scrutinised, with you ultimately being required to justify your interpretation to an external QSA.
So, what does this mean for the different personality profiles? And how do you know what your PCI DSS v4 personality is? Here are some key questions to consider when determining your profile.
How do you feel about Zero Trust (ZT)?
To be fair, this is a bit of a trick question. That is because, although zero trust architecture is never actually mentioned specifically in the PCI DSS v4 wording, zero trust is implied. We are now all expected to assume zero trust when establishing any data security protocols. So, individual personality profiles aside, let us assume that everyone managing their organisation’s PCI DSS compliance is devoid of any faith in human nature and a proponent of ZT.
How do you feel about specific Technical Requirements (TR)?
If you are reassured by a set of black and white technical requirements which provide a clear route to compliance, even if some of them may appear unnecessary for your situation, then you are a TR Lover (TRL). If you prefer to interpret rules according to the intent behind them and are confident in arguing your stance, you are probably more flexible in your approach to TR, which makes you TR Flexible (TRF). If you have a group of people on hand who are able to review and justify your interpretation, prioritising an embedded approach to best practice over adherence to a set of rules, then you are unlikely to be a fan of stringent technical requirements and are therefore TR Confident (TRC).
How do you feel about risk (R)?
Being realistic about your own organisation’s risk posture can be harder than you think. Viewing anything from the inside comes with an inherent degree of blindness and for full visibility it is advisable to seek outside help. If you know you are Risk Blind (RB) then this professional input is a necessity.
If you consider yourself, your Chief Information Security Officer (CISO) or similar office-holder to have full 20:20 Risk Vision (RV) when it comes to risk assessment, you may want to consider the burden of responsibility this places on them, because risk assessment is at the core of the new v4 and any oversight will be viewed harshly when it comes to an audit.
Whatever your risk stance, with the new multi-tiered approach of PCI DSS v4 it makes sense to engage a professional to undertake a full risk analysis and to develop specific treatment plans for each area. Even those with good Risk Vision will benefit from engaging a specialist consultant who works within the PCI DSS compliance sphere every day and therefore has heightened Peripheral Risk Vision (PRV). This is not strictly speaking a personality profile for PCI DSS organisations, but it is worth mentioning because, with an enhanced understanding of data security risk, such a consultant will see things you cannot.
How do you feel about cost (C)?
No organisation wants to expend resources unnecessarily. However, the multi-tiered approach of v4 allows you to follow a clear set of prescriptive measures if you choose to do so. To be sure of compliance, you may feel that this cost is justified (CJ).
It may appear at first sight that reducing the reliance on irrelevant technical requirements will reduce cost overall because you are able to focus your data security efforts on where they are most needed. Undertaking this task in-house may appeal to the cost cutters (CC).
But a word of warning.
Risk analysis and treatment plans are time-consuming and therefore costly, even when conducted internally. Oversights or errors will prove expensive if fines are imposed or, worse still, catastrophic if your credit card processor withdraws its services. Investing in professional help will ensure that cost cutting is replaced with cost targeting (CT) to deliver a best practice - and therefore a compliant - outcome.
How your personality profile determines your plans for PCI DSS v4 compliance
Well, the good news is that the current v3.2 is still in effect until 31st March 2024, when it is officially retired, so there is a transition period until then. However, the enhanced requirements for protection against malware, stricter security requirements, multi-factor authentication and encryption will take time to embed fully into an organisation's structure, so an early start will ensure you can meet the new requirements when they come into effect.
Whether you are a Technical Requirement Lover (TRL) or TR Confident (TRC), Risk Blind (RB) or have good Risk Vision (RV), and whatever your approach to cost, discussing your approach with a qualified QSA professional will give you an enhanced understanding of how best to meet the requirements of the new standard. Consultants with Forensic Investigation credentials have the added advantage of working with organisations where there has been a breach. Their experience and expertise will ultimately deliver value for money and peace of mind that your organisation has fully embraced the new zero trust, risk-based and inherently flexible standard.
Paul Brennecker is Head of Consulting at 3B Data Security, a QSA with over 30 years’ experience in Payment Security and PCI DSS compliance in a range of environments.
About 3B Data Security
3B Data Security is a certified PCI DSS Qualified Security Assessor Company (QSAC) and certified PCI SSC Forensic Investigator. The team at 3B has been drawn from Law Enforcement High-Tech Crime Units, Counter Terrorism Units, the military and niche security consultancy firms.
We have built extensive and close relationships with organisations such as the Payment Card Industry Security Standards Council, UK Acquiring Banks, Credit Card Schemes, Law Enforcement Agencies, CREST and IASME.
Our services are flexible, providing solutions across a wide spectrum, from large multi-national enterprises to SMEs.