When talking PCI, it’s tempting to look at the numbers: PCI 4.0 introduces 53 new requirements that apply to all entities and 11 additional requirements that apply to service providers. 13 of these new requirements become effective immediately after March of this year. What the numbers won’t tell you, however, is that in many cases compliance with a single requirement imposes such a significant effort on large organizations that it may take several years to demonstrate compliance.
“PCI is not a scale. It’s a pass/fail,” warns Josh Kennedy, Senior Security Engineer at W. Capra. “For organizations that don’t have dedicated PCI teams, compliance becomes especially burdensome. Yet failure can incur substantial fines, a higher cost of payment card acceptance, and the continued burden of complying with new and existing requirements.”
PCI Is Not Only Meeting Requirements, But Proving You Meet Them
For many organizations, it may not be clear where within the organization the burden of PCI compliance lives. For example, a given organization may assume that its IT team will factor PCI requirements into its scoping and planning processes. In practice, however, many IT resources hold expertise in subject domains like networking or coding; they are not often PCI SMEs who understand the nuances of PCI requirements well enough to carry the burden of proving compliance. “PCI compliance is not only about meeting requirements, but proving compliance,” advises Shelli Moring, PCI Lead at W. Capra. “Much of PCI compliance relies on the ability to produce evidence. Rather than place this burden on your IT team, it is best to have a resource with existing PCI expertise to advise on payment-related initiatives with PCI scoping in mind.”
Though we’ve isolated IT in the example above, PCI 4.0 requires building RACI matrices to identify roles and responsibilities that span 11 requirements. These RACI matrices require cross-functional collaboration to document responsibilities and obtain cross-functional signoff. Ultimately, this means that someone in your organization must remain responsible for ensuring your internal functions communicate effectively about PCI considerations and challenges.
The Time Isn’t Now – It Was Six Months Ago
Even if organizational hurdles have been cleared, it’s critical for every organization to analyze what gaps it needs to fill to prove compliance with PCI 4.0. Whether you’re a merchant or a service provider (or both), these changes will require remediation, and you can’t retroactively comply with PCI. Kennedy elaborates with an example: “PCI 4.0 requires all vendors of any size to use an approved scanning vendor on a quarterly basis. You can’t retroactively scan your environment, which is one reason why you need to understand your gaps today so you can prioritize how to address them. The time isn’t now – it was six months ago.”
For those who have not yet meaningfully embarked on PCI 4.0 initiatives, the right go-forward approach can position your business for compliance. As a core business driver with impacts on operations, security, and technology, PCI 4.0 compliance requires cross-functional coordination and organizational know-how. Compliance is not about reading regulations; it’s about understanding how the regulations apply to your business and how you should follow them. “W. Capra not only has a team with expertise in PCI, but they’re also intricately involved in the payment card industry,” explains Moring. “We know the hardware and we know payments. We have significant hands-on experience performing PCI assessments for Level 1 merchants, which has helped us to adapt our proven methodology to new organizations with ease.”