May 14, 2024

Unveiling PCI v4.0: Navigating Upcoming Changes Through Targeted Risk Assessments

As the date approaches for PCI DSS v3.2.1 to be retired and v4.0 to take its place, organizations should keep in mind that significant changes are coming regarding how risk is correlated and integrated into PCI compliance. This summary covers some critical considerations for introducing targeted risk assessments (TRAs) with v4.0 and how companies can prepare for these changes.

Timeline for v4.0 Changes:

As seen in the timeline provided by the PCI Security Standards Council, although the transition period from v3.2.1 to v4.0 overlaps, some requirements, such as the newly added targeted risk assessments (TRAs) for entities using only the Defined Approach, will not become mandatory until after March 31st, 2025. Although it will not be required for another year, organizations that do not yet have a mature and integrated risk management program or a risk analysis and scoring approach, or that only conduct annual enterprise risk assessments, will want to revisit how they evaluate their in-scope PCI environment ahead of the deadline, so that any relevant resourcing or organization-wide changes can be implemented and tested.

For organizations implementing the newly available Customized Controls approach, where those control options are available, TRAs will be required before March 31st, 2025, for any Customized Controls in place.

Templates and additional details for both Customized Controls and the continued Defined Approach are available in the PCI DSS documentation for 4.0.

Definitions Relevant to TRAs:

The Defined Approach is the standard methodology for meeting the requirements with explicit, detailed control systems and testing procedures that the assessor will use to confirm whether or not it is in place. It represents the default model followed in PCI DSS v3.2.1, where organizations can comply with the requirement or implement a compensating control given a legitimate constraint.

Given that companies have unique circumstances and varying degrees of risk exposure, certain controls explicitly stated in PCI DSS v3.2.1 may not be suitable for all organizations. In situations where the “Defined Approach” is less effective or infeasible, and there is no legitimate constraint, the PCI Security Standards Council (SSC) has introduced the “Customized Approach”. This approach provides alternative solutions to compliance, tailored to the specific needs and risk profiles of organizations.

The Customized Approach is designed for “security-mature” organizations with the capability and resources to analyze risk, design security controls commensurate with the risk, and continuously maintain the processes and documentation necessary to justify and validate the controls.

In PCI DSS v4.0, the majority of requirements now include both a “Defined Approach Requirement” and a “Customized Approach Objective”.

Definitions:

Targeted Risk Assessment – Replacing the v3.2.1 requirement for organization-wide risk assessments, TRAs fall under either the customized approach or the periodic requirements.

Requirements for Using Customized Approach

There are strict criteria for when an entity wants to use the customized approach to satisfy a PCI DSS requirement. The criteria include the following:

  • The entity must document and maintain evidence about each customized control, including all information in the Controls Matrix template.
  • The entity must perform and document a “targeted risk analysis” for each customized control, including all information specified in the targeted risk analysis template.
  • The entity must perform testing of each customized control to prove its effectiveness and document testing performed, methods used, what was tested, when the testing was performed, and the testing results in the control matrix.
  • The entity must provide a completed controls matrix, targeted risk analysis, testing evidence, and evidence of customized control effectiveness to the assessor.

Critical Considerations for TRAs:

The targeted risk analysis is another significant part of the customized approach. It defines the risk, evaluates the effect on security if the defined requirement is not met, and describes how the entity has determined that its controls provide at least an equivalent level of protection to that provided by the defined PCI DSS requirement. The targeted risk analysis requires answers to many of the same questions as the customized approach assessment, with a much larger emphasis on mischief and threat actors.

Organizations with existing organization-wide risk assessment approaches for meeting PCI compliance will want to review whether their enterprise-wide scoring, evaluation, and tracking method can be leveraged to meet the upcoming changes in v4.0. If the teams managing enterprise risk and PCI-related activities are segmented or siloed, this arrangement will likely need to be revisited and adjusted to ensure consistency and a verifiable risk evaluation and remediation trail for compliance wherever TRAs apply.

Appendix E2 of the PCI DSS v4.0 document contains a sample targeted risk analysis template. Although an entity is not required to use this sample matrix, it remains responsible for maintaining all of the information prompted by the sample template.

Moving forward, TRAs will focus more granularly on assets, the related threats, and how these can affect the outcomes related to PCI DSS requirements. Organizations familiar with NIST-based risk assessments and/or the MITRE ATT&CK framework will recognize this rationale, though it will need to be translated through the lens of PCI-specific requirements, rather than what may have been an annual enterprise risk assessment.

TRA documentation, whether an organization uses the periodic or customized approach, will need to be reviewed and updated annually and be ready for Qualified Security Assessors (QSAs) to review and test where appropriate.

Examples of Requirements and Testing Procedures Coming with v4.0:

For Targeted Risk Analysis:

For the Customized Approach:

How Tevora Can Help:

For organizations unsure of how to leverage their existing risk management program to accommodate the upcoming v4.0 changes related to TRAs, Tevora can assist in building, enhancing, and working with an organization’s relevant stakeholders from each team to create a unified approach. Where resources and strategies already exist, Tevora will evaluate and analyze what can be leveraged to reduce redundancy and optimize where appropriate.

New approaches to meeting the unique requirements of PCI DSS and its intersection with risk analysis, risk strategy, and asset threat evaluation will include a collaborative approach when it comes time for QSAs to review an organization’s evidence and verifiable proof of performing and updating its TRAs as defined in v4.0.


Links

PCI Timeline

PCI-DSS v4.0: Is the Customized Approach Right for Your Organization

PCI DSS v4.x Sample Templates to Support Customized Approach

PCI-DSS v4.x Targeted Risk Analysis Guidance

PCI DSS v4.x Sample Template: Targeted Risk Analysis for Activity Frequency