You know, everyone's going through this together, everyone's going to have a number of questions. It's just certainly in everyone's opportunity to really look at this as early as they can, because the sooner that we understand the challenges and the opportunities that you have to overcome, the better you can use the runway leading into the time that it becomes effective. Welcome to Focus, a podcast dedicated to the business of higher education. I'm your host, Heather Richmond, and we will be exploring the challenges and opportunities facing today's higher learning institutions. In today's episode, we are joined by Walid Barakat, the Senior Vice President of IT Governance, Risk and Compliance at Global Payments, to discuss the new PCI DSS 4.0 and its impact on the higher ed community. Hi Walid, thanks for spending some time with us today. Looking forward to the conversation, Heather. Great. Well, you know, we're here to talk about the new PCI DSS 4.0, but before we dive into that, can you give the audience a quick overview of your background? Sure, I'd be happy to. I've had the pleasure of really investing the majority of my career with Global Payments, and I had the opportunity to wear a few different hats. Back in 2004, I initially started out in the quality assurance department testing point-of-sale applications, then moved into application migration planning, and then for the last seven years have been part of the governance, risk and compliance team. Currently Senior Vice President with approximately 30 team members across four different towers of responsibility, including PCI compliance, merchant compliance, IT risk and cloud business. Well, it sounds like you're the right guy to talk about PCI compliance today. Yeah, I appreciate that. I had a few different opportunities to gain some unique experiences, both in our growing organization and from the merchant perspective. Yeah, absolutely.
Well, first, let's talk about what PCI compliance is and why it's important for our listeners. The PCI Council's approach in defining a common security standard for organizations which engage in card processing is great, because it provides a consistent approach in validating security controls that's recognized globally. And that common standard is a great yardstick for organizations to understand their level of maturity and how it applies universally. Well, I think it really helps. A lot of times, I know that we want to be in compliance, but if we don't have the guidelines or rules to follow, then we may not know what we're doing. So that makes it a really nice place. It does. And the opportunity, the way the standard is written, to partner with an assessor, to understand and learn from their experience as well, and look at advisements that they have in maturing your own program, I think is something unique that PCI offers you. Yeah, it really does. So, you know, we've been hearing a lot about the upcoming 4.0 framework, but now it's here. So what is PCI DSS 4.0, and how does it differ from the previous frameworks? Can you expand on that? Sure. It's a pretty significant rewrite of the existing 3.2.1 standard, and that's been around for approximately 10 years with minor revisions to it. So it does represent a pretty significant change. The council has really looked at this for a number of years, solicited a volume of feedback from the PCI community and incorporated that into this public standard. And ultimately, what they've decided to do is really revamp the entire document. It's a full rewrite. It's restructured in terms of the way that the requirements are numbered and ordered. They've broken out certain requirements to dissect them and be more specific about what the intent behind those requirements is and how to validate them.
And there are some new requirements to really drive best practices, recommendations, and enhanced accountability for organizations to maintain compliance year round, not just when it's time for the assessment or working directly with an assessor. So it really is a fresh new look at that security standard, in light of how technologies are continuing to evolve and change, our payment channels are changing, and of course the threats that we all face from day to day are continuing to evolve. And it's always more than just checking the boxes of compliance on the standard, right? The goal of it is to ensure security year round, right? Yeah, ultimately, when you do sign off on your report on compliance or your self-assessment questionnaire, it really is an attestation that says, you know, this is a snapshot in time, but we are intending to meet these requirements year round. And that demonstration of those business-as-usual processes is certainly something that the assessor really seeks to understand when he's going through the environment, when he's looking at the evidence, and most certainly when he's talking to people. He wants to know that there aren't specific, you know, rehearsed answers that stakeholders are providing them, but that they are more just giving them an understanding of their day-to-day activities that incorporate compliance and security controls. Yeah, it's really, you know, really important to think about for our campuses, and really maintaining the reputation and hopefully not having breaches, and making sure you have security and compliance. And a lot of times, with lots of merchants across a campus, it does get confusing to understand, you know, ‘what all do I have to do to say I'm compliant?’ So being able to have these rules in place and being able to follow them, especially since it sounds like some of the ways they've done the restructuring have made it a little bit clearer to understand, would you say?
Yeah, there's certainly more testing guidance that's provided. But there's also the flexibility, in the event that you do have a unique environment with some unique technologies that may meet the intent of the control, maybe in a nonspecific way that's being called out. It gives you that latitude to work with your assessor to educate them on what your security risk posture is, how you've sought to meet it, and the processes, the people and the technologies that you've put in place. And the new standard really gives you that opportunity to tailor your validation approach to your environment, again, through your partnership with your assessor. Yeah, that's really great. I like that it's able to tailor, because not all merchants are the same, and especially when it comes to a college campus, they're all different for sure. So what's the timing? I know that they like to always phase in, like, here are the requirements and here's how much time you have to absorb it and then actually comply. So what's the timing for 4.0 going into effect? Yeah, the council has really taken into account, again, a lot of feedback going through the development of the standard. And they understand that organizations have a number of priorities that they're seeking to maintain, and introducing a new standard is something that is very challenging to accommodate. So they've offered a phased-in approach for these requirements. Beginning in March 2024, there is a small set of the requirements that become effective, okay, and those are focused on defining roles and responsibilities and your higher-level risk posture, that then sets you up for the remaining requirements that become effective in March of 2025. And when you do start digging into those requirements, you start to understand why it's been phased in this way, and how it actually helps organizations to prepare to accommodate all of those particular requirements. Yeah, that's great.
That sounds like there's some time then to really, you know, we're talking a couple of years or a little less than that, to really get up to speed on what we have to do and the roles and responsibilities, and it kind of really gives, you know, our schools this year and next year to really be prepared and line up. But it does sound like there's a lot to understand, especially since it's all new. So where do you suggest, you know, really recommend getting started to understand how this is going to impact a campus? Yeah, there's certainly a lot to digest there. And so I would encourage all the schools and universities out there to take advantage of the time between now and 2024 to really partner with your assessor, to really understand what your current security posture is, and look at the guidance that they may be able to offer you as they've worked with you in prior years, to see where you might need to provide additional emphasis and maturity in controls. That partnership, again, should be a pretty transparent opportunity to look at your upcoming assessment as an opportunity to get through the current assessment while looking through a different lens at what 4.0 could mean. And another opportunity that really should be examined as well is the opportunity to bring ISA training to some team members that are already embedded in the organization. So what an ISA is, is a PCI Council program, an Internal Security Assessor, which provides that training to someone on staff, gives them the understanding of the standard itself, the overall PCI process, what it takes to create these reports on compliance, gives them the ins and outs of what PCI really is all about. And if you have someone like that on staff, it gives you the advantage to apply that knowledge into your environment and be able to leverage that, and continue to help them lead the organization in understanding what changes need to be made. Again, it gives you that tailored aspect.
What does 4.0 mean to me, specifically to how we process? So those are two ways that I would suggest approaching it. That makes a lot of sense. So just kind of thinking about, would you say that most organizations either do have or should have an ISA? Or is that, you know, something that's new or should be looked upon as a strategy? I certainly would promote it. I've seen a lot of value in my own personal observations there, both in my company as well as working with assessors and seeing how they partner directly with ISAs. When the QSA, the assessor, comes on site and they find someone that they can speak that common knowledge with, you see an instant bond, and you see things start to really move forward with less friction, with greater understanding. Because there's always a learning curve for assessors to come into an environment. But when they have someone that they know has gone through the training, they can communicate really what their intent is, what types of evidence they're looking for. And that person that may be an ISA can easily translate how that's met in their environment. Yeah, that makes a lot of sense. I know a lot of our campuses do have their own version of a PCI council, right, or they have a team that really comes together to make sure and ensure compliance and read through the rules. And so it sounds like it would be beneficial to take that next step if they haven't already, and have somebody that's on that committee become an ISA, potentially, and, like you said, speaking that common language when you have the assessor come to campus, and not be like, I don't know what you're talking about. Yeah, absolutely. And the added benefit when it comes to 4.0 is the council coming out and saying, for anyone who is an ISA, they will offer free 4.0 transition training, essentially saying, if you understand what PCI 3.2.1 is, the current version today, we will train you on how to understand what 4.0 means.
So again, having someone on your staff that can translate it into what it looks like in your day to day is a really great advantage to be able to have leading into this. Yeah, that is really great. And so really it's just a matter of working with the PCI Council to first, you would define that person who will be your ISA, they would do training to become an ISA, and then also be able to get the free training for 4.0. Is that what I understood? Yeah, that's exactly it. And they would also be made aware of different types of documentation and support, presentations and recordings and webinars that the PCI Council will offer from time to time to continue to encourage adoption and understanding about the overall process. I think that's wonderful. Again, we talked to some of our schools, and they do, you know, for their merchants on campus, try to have a training that they have every year. And so being able to have those resources would be really helpful. So that's great to know. Thanks for letting me know that. So it sounds like, you know, really with 4.0, there's a lot more responsibility and ownership placed on the merchants. So if I think, again, about higher education and a campus, what would the approach be that you'd recommend? In terms of understanding your own accountabilities, this is a great chance to really review your security posture, really look at how controls are being met today, and really ensure that there are defined accountabilities between various teams and departments for, again, the BAU, the business-as-usual ongoing day-to-day tasks, of who's meeting those specific security controls. Looking through that, ensuring that everyone's on the same page, so that when things start to evolve, whether within a merchant's environment or the standard itself, everyone understands their own roles and responsibilities and how they should partner together to really achieve that overall compliance view. Yeah, that makes a lot of sense.
And I know that, obviously, through the years, our schools have definitely tried to minimize their footprint and work with great partners, but what's left for them to do, or is there something that's changing too because of the new framework? There's always the opportunity to minimize the security profile, the risk surface area that attackers can try to penetrate. And so the council has always been a proponent of segmentation. And in the most common form, really, multi-factor authentication has really become the standard for both PCI applications and non-PCI applications. And in our own day to day, with almost every application on my phone, it's asking me for some form of MFA. It really does help provide a defining line between an external footprint and your internal PCI environment. So being able to ensure that you've got MFA in place, that you've got appropriate security controls and firewalls, and that perimeter locked down and as appropriately documented as possible, really does minimize the scope and threat vector, not just for your PCI scope and how you're being assessed, but for your overall security posture. Right. So you're telling me that we can let all the schools know all that pain last year, getting MFA implemented and communicated out to all their users, was worth it, right? Absolutely. And that's certainly a control that has become the standard across a number of different industries. Absolutely. Like you said, you see it everywhere now. And I think even thinking about a college campus, because we're so used to that now as consumers or users, that if I were to go to a campus and I wasn't asked for it, you know, to put in my text or have a two-factor, I'd be like, what's going on here?
So thinking about all these changes, and I get that a lot of the things have already happened from a technology standpoint, that they've been able to now say, ‘Hey, we've done this,’ what advice do you have for any organizations that are really navigating all of these changes? It's really looking at it from within their own organization, within their own business. Again, going back to the roles and responsibilities, how they apply to a full compliance program, how they're able to tell a full story about their incorporation of their governance that's applied in the day-to-day role. Those organizations that have documentation, that have that understanding, can really provide a cohesive understanding to an assessor, and to themselves as well, to, again, understand what these new requirements actually mean and how they're intending to meet them. The council is really ramping up a lot of awareness documentation in the next few months, really beginning at the end of June, where they're going to be offering that ISA training that we spoke about earlier. So I would encourage, you know, everyone in the community to make good use of that documentation. When there are questions that do arise, there are forums to provide those questions back to the council. Let's also partner again with the assessor. For those in the audience that maybe have long-term partnerships with assessors, they've got a good, intimate understanding of the environment. So just having frank conversations with them to say, we know that this new standard is coming and have started to take a look at it, we've got some initial understanding about what we're going to do, but we'd like to have a dialogue.
I would encourage organizations to really maybe set aside some time before the assessment, so that you're not under the pressure of meeting this year's particular assessment, to just start and see what guidance the assessor may offer, because a lot of them are writing their own white papers and have their own game plans that they're more than happy to offer. Yeah, that's a really great idea. I think the more communication, it sounded like in general, the better, so from having those meetings and conversations with the assessor to the documentation. That's so key. And I think, probably, especially as there's turnover and there's transition, to be able to have everything documented so someone could come in and really, you know, not skip a beat is really probably what they're thinking, right? Yeah, that's exactly it. It's going to be a challenge for everyone to overcome this. And just having an open dialogue as early as possible, I think, will get everyone comfortable with it sooner rather than later. For sure. Now, you were saying, so the PCI Council, they are going to provide some of these resources. Now, is that something that anybody has access to, to go out on the website, or do you have to be an ISA to get access? Or do you have a little bit of information on that? Yeah, first and foremost, the council has made the new 4.0 standard available to everyone. And that was first published at the end of March. So anyone who accesses the PCI Council website simply goes in, checks a few boxes, confirms how they're using the documentation, and they're able to download the entire document. It also provides a summary of changes, a comparison to the prior standard, again, which is Cliff's Notes, if you will, for rapid kind of understanding. And they're going to continue to publish awareness documentation there about how to adopt it, some common questions that I'm sure they're going to continue to receive.
And probably some more specific information, I think, as time goes on and they continue to acquire more feedback. So you do not have to be an ISA. Just simply, really, anyone that accesses that public website should be able to access the documentation. That's wonderful. And so, yeah, thanks so much for that. We'll make sure that we have those resources attached to the description of this episode. So anybody listening, we will make it easy for you as well to go and access those links to get this information. Anything else that you think, again, going into 4.0, that's important to understand or know that you want to share today? I would just say that, you know, everyone's going through this together, everyone's going to have a number of questions. It's just certainly in everyone's opportunity to really look at this as early as they can, to have open, frank conversations, again, internally and with their assessor. Because the sooner that you understand the challenges and the opportunities that you have to overcome, the better you can use the runway leading into the time that it becomes effective. Absolutely. That sounds great. Well, Walid, thank you so much for lending your expertise today on this topic. We really appreciate your insights. Like you said, we're all in this together. Exactly, thank you, it's been my pleasure. Thanks for tuning in to this episode of Focus. Don't forget to subscribe so you can stay up to date on the business of higher education. For more information, check us out at touchnet.com.