Every year the PCI SSC holds an event gathering all stakeholders of the payment industry: not only the council but also the payment brands, merchants, service providers and other suppliers. This event, the PCI Community Meeting, took place in Dublin at the end of October. It was organised as three days of conferences (one of them split into two tracks) and a showcase where professionals of the industry could meet. Finally, a special meeting between assessors (QSAs, ISAs and AQSAs) led by PCI SSC members preceded the closing of the event.
For XMCO, especially in view of the upcoming application of PCI DSS v4.0, this event was an opportunity to discuss the interpretation of requirements, and the strategies that could be offered to our customers, with assessors from other organisations and with the council. It was also a chance to gather feedback from industry actors on solution implementation and compliance.
Some of the presentation material is available on the PCI SSC blog, but unfortunately not all of it. If you are particularly interested, the conferences were recorded and can be downloaded from the PCI SSC Global Content Library. If you have access, we recommend the following non-technical presentations:
- “What is new for the PCI DSS v4.0 SAQs”: as a merchant eligible for any SAQ, or as an assessor, to fully understand the different eligibility criteria of the SAQs.
- “JScrambler: Securing different types of payment pages”: as an e-commerce merchant (especially one eligible for SAQ A), to understand the types of attacks against payment pages.
- “When a hacker comes knocking: Vulnerability disclosure”: whatever your activity, a point of view on the vulnerability disclosure process.
We also retained a number of important messages that were repeated or stood out during this event.
Start PCI DSS v4.0 transition now
If you are subject to PCI DSS and have not yet started the transition project to version 4.0, start today!
There are 53 new requirements for implementers and 11 more specifically for service providers. Among these, 13 requirements must be implemented by March 31, 2024. Implementing these changes, together with the new requirements for assessors, will take additional time on both sides, and probably a trial period for the first few assessments. If you do not know where to begin, we recommend:
- studying the summary of changes between the two versions,
- conducting (or commissioning) a gap analysis of your environment,
- as an assessor, reading the new ROC template (part I and appendices) and the FAQ on Items Noted For Improvement (INFIs).
The PCI DSS v4.0 transition timeline is final
The timeline for the mandatory implementation of PCI DSS v4.0 will not be modified: no audit based on version 3.2.1 shall end after March 31, 2024, and all requirements will be applicable as of March 31, 2025.
Carefully choose your service providers
The choice of a service provider is essential in a PCI DSS environment. This choice should always begin with identifying your functional and non-functional needs. The latter must include whether or not an attestation of compliance (AOC or SAQ) needs to be provided; this need should be discussed with your QSA.
Moreover, do not hesitate to ask for the proposed solutions to be tested and to confirm that they meet the expected security requirements, always before any contract is signed.
There is no such thing as SAQ A for service providers
Service providers have only two compliance reporting options: a ROC or an SAQ D (depending on their “level”, i.e. the number of card transactions they handle or that their customers handle).
Even in the context of an SAQ A, service providers will have to be able to provide an SAQ D (which therefore covers all requirements). A “Merchant” AOC, or any SAQ other than SAQ D, is consequently not acceptable for a service provider!
Talk with your QSA
Talk with your QSA about challenges or fundamental choices concerning the assessed environment as early as possible: before the audit, and before solutions are implemented. The goal is to prevent nonconformities, and thus the work needed to fix them or, worse, to roll back choices that cannot be made compliant.
Security starts with proper planning
“Poor planning is not an excuse.” – A nonconformity that results from flawed planning is often hard to correct, and sometimes impossible. Planning the actions to carry out throughout the year is essential to maintaining compliance (and therefore to a smooth assessment).
Subscribe to FAQ updates
Frequently Asked Questions (FAQ) articles are regularly released and updated by the PCI SSC and are a particularly useful source of information on how the standards evolve and how they are interpreted. If you are involved in any environment subject to PCI certification, we recommend that you subscribe to the FAQ update newsletter and read it. Whether you are an assessor or being assessed, these articles will sharpen your understanding of the requirements.
Compliance is not security; it is part of it
A security organisation based on a risk-oriented approach does not conflict with compliance with standards such as PCI DSS. Several conferences showed that compliance is often handled as a separate, parallel effort, which probably correlates with the difficulties many organisations encounter in maintaining compliance.
Good practices in organising information security (e.g. implementing an information security management system as described in ISO/IEC 27001) are tools that help you not only improve security but also maintain compliance. From experience, the investment made throughout the year is clearly visible when assessment time comes.