
Get Ready for your PCI DSS 4.0 Gap Assessment


It’s that time of the year when we earnestly weigh pushing tasks to next year, with a focus on what might be coming across our task lists. And perhaps you are looking at that PCI DSS 4.0 gap assessment as something to get done prior to 2024 budgeting season.

Early in the year might be the best time to do this gap assessment. If your QSA or consulting firm is comfortable including PCI DSS 4.0 findings in your normal 3.2.1 assessment, it would be worth the extra time and effort to complete.

Don’t forget that PCI DSS 4.0 is not something we need to comply with today, but it is something we need to be sure we are planning for in our budget cycles and 2024 planning. Of course, we’re aware that we haven’t even started 2023 yet, but I’d be willing to bet that the changes you need to make to comply with PCI DSS 4.0 will require capital investment and, hopefully, force larger architecture and flow discussions, as this is a key opportunity to reduce scope and outsource more. Some key areas you may need to consider adding budget for:

First, definitely the assessment cost. Work with your consulting firms on this, but we expect anywhere from a 50% to 100% increase. Then begin looking at moving Compensating Controls to the Customized Approach. The writing on the wall is that compensating controls will go away. Secure funding for anti-phishing controls, JavaScript skimmer mitigation, and expanded vulnerability scanning through authenticated scans. Finally, review all your inventories to ensure they are properly captured.

That is just a teaser list (potentially capturing the largest budgetary increases you may face) and does not by any means include all the items you need to consider. If you want to learn more, feel free to reach out to us and we can help!

We’d love to hear more from you! Don’t forget to participate in our GitHub Community! We’ve got tons of useful links there, including a link to join our Discord server as well for real-time chats about PCI DSS.