The good news? PCI DSS 4.0 is out, but the adoption schedule for the new standard is quite generous. The better news? The PCI Security Council has decided to implement a tiered approach to adoption. The first will finalize when the previous version (3.2.1) is officially retired in 2024. The second, known as the “future dated” requirements, will have an additional year.
This article will cover the future-dated requirements from PCI DSS version 4.0.
Ransomware is one of the most significant security threats and perhaps one of the most recognizable threats in modern cybersecurity. These attacks cost businesses millions of dollars and can result in the loss of massive volumes of mission-critical information that supports business operations, national infrastructure, or government agencies. As part of the Cybersecurity Framework, the National Institute of Standards and Technology has released a new internal report known as the “Ransomware Report” (NISTIR 8374) to aid agencies and companies in resisting these threats.
A significant part of any security framework is the assessment. Different frameworks require different types of assessments, from self-managed diagnostics to extensive and annual third-party audits. PCI DSS is no different, requiring annual compliance validation for all relevant systems.
The nature of these assessments may vary depending on the company and are beyond the scope of this article. For businesses that undergo full third-party audits, however, you may find your assessor performing a unique practice known as “sampling.”
You may never even have to consider this practice if you’re not an auditor. But it does help to understand what assessors are looking at.