Eight Steps to Take Toward PCI DSS v4.0

The clock is ticking on PCI DSS v3.2.1. On 31 March 2024, PCI DSS v3.2.1 will be retired, making the transition to PCI DSS v4.0 essential for organizations involved in payment data security.

To help with this transition, PCI SSC has identified eight steps you should take on your journey to PCI DSS v4.0.

Step #1: Start Now

The most important step in your organization’s journey to PCI DSS v4.0 is to start now. The PCI DSS v3.2.1 retirement date is quickly approaching and will be here before you know it. The sooner you understand what PCI DSS v4.0 means for your organization, the sooner you can start planning and prioritizing the work to ensure a smooth and efficient transition.

Step #2: Stay Strong

As your organization starts implementing changes to meet PCI DSS v4.0, it is important to not let any v3.2.1 security controls slip. Continue to maintain and monitor all your existing PCI DSS security controls, even though your focus might be on implementing new requirements for version 4.0.

If your organization is new to PCI DSS, consider using the defined approach for version 4.0, as it provides specific directions on how to meet security objectives. Even if you’re familiar with PCI DSS, the defined requirements and testing procedures may offer a clearer transition path for your organization than the customized approach.

By taking the necessary steps to remain vigilant with your security controls while preparing for v4.0, your organization can stay strong during its journey to meet the latest version of the Standard.

Step #3: Understand the Requirements

When it comes to understanding the changes in PCI DSS v4.0, the best place to start is by reading the PCI DSS v3.2.1 to PCI DSS v4.0 Summary of Changes. Located in the PCI SSC Document Library, this document provides a valuable summary and descriptions of the changes between PCI DSS v3.2.1 and v4.0. It also includes a Summary of New Requirements table that lists all the new requirements along with their applicability and effective dates.

In addition to the Summary of Changes, there is a lot of new and expanded guidance to be found within the Standard itself. This additional guidance helps to provide a clearer understanding of the requirements, as well as explaining the new concepts introduced in PCI DSS v4.0, such as Targeted Risk Analyses and Network Security Controls.

Organizations that use Self-Assessment Questionnaires (SAQs) should also read the Standard, as the detailed guidance provided for each requirement is not included in the SAQ documents. There have also been updates within the SAQs, and it is important that self-assessing entities read their corresponding SAQ to understand the full scope of changes.

Once you understand the version 4.0 requirements, map them against your current security controls and analyze the impact the changes may have on your organization. You might find that you already meet some of the v4.0 requirements, so you can prioritize your transition efforts where they are most needed.

By thoroughly familiarizing yourself with the changes in PCI DSS v4.0, your organization will be better prepared to complete a smooth and efficient transition.

Step #4: Choose the Right Validation

When transitioning to PCI DSS v4.0, consider which validation approach is right for your organization. There are two options: the defined approach and the customized approach. The defined approach follows the traditional method for implementing and validating PCI DSS requirements, using the requirements and testing procedures stated within the Standard. The customized approach allows organizations to design custom security controls that can be used to meet the requirement’s customized approach objective. If you are considering the customized approach, be sure you thoroughly understand what is required, and verify that your implementation meets the additional risk analysis and documentation requirements before attempting a customized approach validation.

For organizations using compensating controls to meet a requirement in v3.2.1, review the updated requirements and validation options in v4.0 to determine the best approach.

Ultimately, selecting the right validation approach will depend on your organization’s security strategy and approach to risk management. Carefully consider both options to ensure that you choose the right approach for your organization.

For more information on the customized approach, read the Customized Approach blog series and watch Kandyce Young answer stakeholder questions in this “Questions with the Council” video.

Step #5: Do the Work

When doing the work, be sure to get everyone involved. Communicate your transition plan across all departments and functions, ensuring that everyone knows their role and what to expect. Clearly define roles and responsibilities for each requirement.

Effective project management is critical to a successful transition. This includes maintaining accurate project plans, defining achievable and timely milestones, and continually tracking your progress.

Finally, document everything. Establish policies and procedures to support ongoing and consistent implementation of security controls. There are also some new documentation requirements in PCI DSS v4.0 that you might need to address.

Step #6: Use Trusted Partners

It’s essential to educate and train your staff about their role in keeping your data secure and meeting PCI DSS. Identify any skills gaps and train your teams in any new technologies you are implementing. This is especially true for small businesses, where every team member will need to be trained and made aware of their role in the transition.

When implementing security controls, partner with a trusted security team. Utilize qualified professionals such as Payment Card Industry Professionals (PCIPs), Internal Security Assessors (ISAs) and Qualified Security Assessors (QSAs). These qualified individuals can support the consistent and proper application of PCI DSS controls.

Use technologies and solutions that have been tested and validated against security standards for the protection of payment data. PCI SSC maintains listings of products and solutions validated to PCI SSC standards, including Point-to-Point Encryption (P2PE) Solutions, Validated Payment Software, and Approved PTS Devices.

Step #7: Do Your Own Assessments

The best way to prepare for a PCI DSS assessment is to do your own assessments. Preparing for an assessment should begin as soon as possible; the more time invested in preparation, the more efficient and successful your assessment will be.

Performing gap assessments early and often will help you identify the areas you need to work on. Early planning is key to being able to address any gaps before a formal validation is required.

Regular testing will also confirm whether your new or updated security controls are implemented across all your in-scope systems and areas.

Finally, it’s important to establish open lines of communication with the assessment team prior to the assessment. This can help ensure that all documentation is ready and that any questions are answered prior to the assessment taking place.

Step #8: Prioritize Security as a Continuous Process

PCI DSS v4.0 is designed to support long-term, continuous processes to protect payment data. The additional flexibility provided in PCI DSS v4.0 allows organizations to choose security controls most suited to their business and security needs. Organizations focused on maintaining PCI DSS security controls year-round can more readily avoid recurring cycles of short-term compliance followed by security lapses and short-term remediation each time they have an assessment.

Regular staff training and awareness sessions should be conducted to help employees understand the importance of PCI DSS and the role they play in keeping the organization’s payment data secure. Building security into business-as-usual practices and ingraining them as part of organizational culture will help ensure that, if control failures occur, they can be quickly detected, reported, and corrected.

By focusing on security as a continuous process, organizations will have greater assurance in their PCI DSS v4.0 implementations and reduce the risk of security incidents and breaches.

Additional Resources

Additional PCI DSS v4.0 resources are available through the PCI DSS Resource Hub. Organizations can also subscribe to the PCI Perspectives Blog to stay informed of updates coming from PCI SSC.



