November 14, 2023

Book Review - The Definitive Guide to PCI DSS Version 4

Written by Steve Maxwell
PCI Assessment Program Assessment & Compliance

As a PCI QSA, I have answered numerous questions about the new PCI DSS Version 4. With over 500 total controls, and at least 100 of them unique to this version, it is not possible to approach this topic casually.

I have personally invested in days of training and hours of updates for this version of DSS, and it is unrealistic for most to devote as much time as I have. There are many (somewhat) helpful papers and blogs that don’t dive in far enough, each providing a small piece to an enormous puzzle.

Is there a ‘Goldilocks’ resource providing ‘just right’ coverage that can be quickly read and reused in implementation? I have found such a thing, and it is this book, The Definitive Guide to PCI DSS Version 4 - Documentation, Compliance, and Management.

About This Book

Title: "The Definitive Guide to PCI DSS Version 4: Documentation, Compliance, and Management"

Authors:

Publisher: Apress

Date Published: May 25, 2023

Page Count: 277

Format: Paperback

Genre: Industry-Specific

Source: Pre-purchased from Amazon

Price: $41 USD

Synopsis: https://www.amazon.com/gp/product/1484292871

Audience for the Book

This book is useful for those looking to implement PCI DSS, and even to those auditing PCI DSS. It is not a comprehensive guide. Instead, it is a Goldilocks ‘just right’ sized ‘how to’ guide. This book can be read in a few hours and then referenced repeatedly while implementing the new standard which is required by March 31, 2024.

I find this book to be uniquely useful, and I believe others will too. The new PCI DSS version 4.0, with over 500 control points, is significantly more demanding than the previous version (3.2.1). No number of blogs or published articles can help the typical organization fully understand the wide-reaching impact of this new version. For most, sending several people or teams to a week of training on a new version of PCI DSS isn’t an option. How then to prepare? As a PCI QSA, my predictable answer is to have a QSA discover your gaps against PCI DSS version 4.0.

With or without the assistance of a QSA, this book could be valuable for just about anyone preparing for the new DSS. When used side-by-side with the PCI DSS, it can significantly help to identify the version changes most likely to impact compliance efforts and begin remediation.

The Goldilocks 'just right' amount of detail is extremely valuable for those unable to make bigger investments in training. Even with training coming up, this book would be a fantastic primer and allow for much better questions than by any other means I have seen. It conveys in a few hours what one could spend days studying.

The Authors' Experiences

In the spirit of full disclosure, this book was coauthored by my TrustedSec teammate, Art "Coop" Cooper. Coop and his coauthors bring 100+ years of combined experience in Information Security, and they worked on payment security before the PCI DSS standards even existed. This prehistory is detailed with revealing first-person perspectives. The authors represent three perspectives: (1) implementer of security; (2) PCI QSA; and (3) PCI DSS trainer with the PCI Security Standards Council (PCI SSC). The authors reveal motives behind many historic PCI SSC actions that could only come from having worn so many hats.

These authors have seen every possible security misconception and trend, and this book shares many anecdotes—the colorful origin of things that are not shared within the weeklong QSA training. They especially share misconceptions or failings that they have seen at many, many organizations. For example, frequent sections called 'Pitfalls' describe common pitfalls, with the first being network and data flow diagrams. I can verify that many organizations struggle with these.

Another shared misconception is what cloud infrastructure means to PCI DSS scoping and PCI DSS responsibilities shared with the cloud solutions provider. While most reading this blog post are familiar with those who confidently claim, "It is in the cloud, so it is secure," this book details how this commonly fails PCI DSS compliance and how to identify the compliance requirements. All. Good. Stuff.

Conquering Fails, Etc.

'Famous Fails' are another repeated section that provides relatable retelling of the failings with which most of us are familiar. By describing those fails in PCI DSS control terms, they become an easy-to-understand talking point for driving to specific PCI DSS requirements.

Sometimes, classic compliance challenges unrelated to PCI DSS version 4.0 are mentioned. For example, the question of whether MPLS is a private or a public network is explored, with the final verdict being that MPLS configurations must support the scoping designation sought.

Most organizations do not yet have adequate formalized documentation (policies, standards, procedures) for the new PCI DSS version 4.0. This book wonderfully details these needs, the intent of these controls, and practical ways of completing them successfully.

The book is organized to cover one PCI DSS requirement per chapter, with additional chapters for special topics. Each requirement chapter starts by listing the evidence that must be provided to test that requirement. This simple list can be a time saver, as the reader can use it to estimate the effort and cost of supporting PCI DSS compliance. This is true whether the reader then presents that evidence to a QSA, an ISA, or self-attests. Yet again, this book provides Goldilocks value for those not dedicating their life to the PCI DSS.

Notable Chapters and Pages

While the book highlights all changes across all requirements of the DSS, I highlight below the things I found most notable. Your list will undoubtedly be different than mine.

With many changes in this DSS for IAM, the chapter about Requirement 7 includes much narrative and situational guidance.

Requirement 10 is covered lightly. At only 277 pages, there was no room to tackle more difficult questions like "Just how available must immediately available logs be?" If such questions were answered, this would be a 1,000-page book, or twice as long as the new DSS, so excluding questions like these is understandable. This particular question is a long-standing one and not new for PCI DSS version 4.0.

Requirement 12 is covered well. I initially thought risk assessments were not covered adequately, but they received their own chapter and so were covered very well.

While being polite overall, shots are fired! In Chapter Five, frustration is evident at the card brands not always holding themselves to the PCI DSS requirements for secure transmission of CHD.

And for more? Page 212 reveals how even PCI QSAs debate some specific points of scoping. It is rare to find this kind of honesty within the industry, especially from an authoritative source.

Page 217 reinforces the idea that very few merchants have a use for storing CHD, and a compelling case is made for the cost of compliance.

Page 239 details the use and meaning of ‘mischief’ for Targeted Risk Analysis (TRA). Both mischief and TRAs are new to this DSS and so crucial to its implementation.

Chapter 14 details PCI Third-Party Service Providers (TPSPs) and how their services will need to be managed more precisely. It includes a practical discussion of the necessary shared responsibilities matrix.

The customized approach is new to the DSS and is very commonly confused with the existing compensating controls approach. The differences in application and approach are thoroughly detailed in Chapter 16.

Whew, it is a lot of useful material for only a single-day read!

Summary

The PCI DSS version 4.0 was released on March 31, 2022. It took time for supporting materials and training to be published, and many are published by the PCI SSC in their Document Library: https://www.pcisecuritystandards.org/document_library/.

The PCI DSS version 4.0 is a major change from the prior version, and every organization I reviewed has had to adapt in order to become compliant with it. This even includes organizations already compliant with the previous version.

Also, there is a real challenge with education. Those of us who are QSAs went through multiple days of training for just this version, on top of the weeklong and annual retraining. We receive and participate in community updates and forums in order to stay abreast of the many changes and the intent behind them. We create and tune our tools to help our clients get their arms around it. It is our job, and that investment makes sense given how much reuse it gets for our customers.

Whatever tools or partners you use, the time is now to understand which changes impact your compliance…and plan on making the necessary changes ASAP! Except for some future-dated requirements, the compliance operations for this version must be in place by March 31, 2024.

But first, maybe enjoy a good book. ;)