PCI compliance: Is your qualified security assessor up to the task?

In a volatile payments landscape, enterprises are preparing for the Payment Card Industry Data Security Standard (PCI DSS) version 3.2.1 to expire on March 31, 2024. Taking its place will be the more robust PCI DSS version 4.0, a substantial update to the Standard designed to address the continually evolving threat landscape and changing payments systems. The new requirements are needed to help businesses prevent payment card data from being compromised or stolen. 

Created by the PCI Security Standards Council (SSC), a global entity that brings industry leaders—including American Express, Discover, JCB International, Mastercard, UnionPay and Visa—together to develop Standards that ensure the secure use of payment cards, PCI DSS v4.0 includes numerous changes that impact not only any organization that processes, transmits or stores payment card information, but also those within the larger payments ecosystem, including service providers and those that are contractually required to comply with PCI DSS. 

“Preparing for PCI DSS v4.0 should be a strategic imperative for any organization that possesses payment card data,” says Mark Stachowicz, a senior manager in Verizon Cyber Security Consulting services, which includes expert teams for security assurance, cyber defense, and the Verizon Threat Research Advisory Center, a specialized division within Verizon Consulting Services that helps enterprises mitigate threats to their networks, applications and devices. 

“Understanding the changes in the PCI DSS Standard is paramount for Qualified Security Assessors (QSAs) to do a comprehensive and effective assessment,” adds Stachowicz. “Now is the time to ask ‘Does my QSA understand the changes in the Standard and how to address them?’”

He notes that QSAs at Verizon, one of the longest-operating PCI services provider, recommend that CISOs explore several important questions, including: 

1. Are you confident that your current QSA understands the risks in your industry?  QSAs should bring strong domain expertise to their work and be knowledgeable of the unique security threats faced in specific industries, such as e-commerce, retail and healthcare.
2. Does your QSA provide actionable insights and recommendations, or just a compliance report? CISOs should evaluate the value they are getting from QSAs. Are they providing strategic guidance or simply providing a compliance report? An effective QSA is a partner who is able to help security and compliance teams better safeguard their systems, applications, devices and data.
3. Has your QSA been proactive in identifying potential improvements in your payment card security? A good QSA responds with timely action and a sense of urgency that is crucially important to prevent security breaches while providing actionable insights organizations can use to harden their defenses.  

Stachowicz notes that these questions are critically important because payment card data is highly sought after by cybercriminals, a fact reflected in Verizon’s 2023 Data Breach Investigations Report. The report cites that payment card data was compromised in 37% of breaches in 2022.

“The answers to these questions are crucially important to ensure that your assessment is as strong as possible,” he adds. “A proper assessment should rarely fail to uncover additional steps an enterprise should take to gain greater peace of mind.”

Stachowicz also recommends that IT leaders read Verizon’s collection of payment security research and, in particular, the recently released PSR 2023 Payment Security Report insights white paper, which explains the value of advanced PCI program management design.

“If your QSA is simply checking off boxes, they are doing you a disservice and will not be able to address the greater level of detail PCI DSS v4.0 requires,” he adds. 

“You want an expected partner who simplifies the complexity of compliance management with an economical solution—a PCI security program that delivers effective, predictable results in an efficient manner, faster and with fewer resources.”

Security and compliance teams can find more information on Verizon’s PCI DSS assessment here.