The Retail & Hospitality ISAC Podcast 5.10.23
Ep 27 | 5.10.23

Hyatt’s CISO & PCI DSS v4.0

Transcript

[ Music ]

Luke Vander Linden: Hello, everybody. This is Luke Vander Linden, Vice President of Membership and Marketing at the Retail and Hospitality Information Sharing and Analysis Center. And this is the RH-ISAC podcast.

[ Music ]

Luke Vander Linden: Every once in a while, the stars align. And you get an opportunity for not one but two amazing podcast segments in one episode. And, on top of that, one of those segments is great enough and long enough to use over two episodes. That's the situation we find ourselves in for this episode. And I know not all of you are probably as excited as I am, but having access to great content share makes our jobs easier. Now, a little inside baseball. Obviously, these two segments were RH-ISAC. We're not coming to you live. Sorry to disappoint. But you're going to want to listen anyway. Coming up first, I had the opportunity to sit down with Ben Vaughn. Ben wears a lot of hats in the world of the RH-ISAC. Obviously, his main hat is a CISO of Hyatt Hotels. For me, he's also an RH-ISAC board member, a member of our Membership and Engagement Committee, and he's always very supportive of what we do and gives us great counsel. Ben was also our CISO of the Year in 2022, a very well-deserved recognition by his peers. He and I sat down for a wide-ranging discussion, touching on everything from the importance of diversity to Ben's approach to cyber insurance. Today, you'll hear the first half of that conversation. And then, speaking of firsts, a first for us, granted this podcast has only been around a year and a half or so but, still, I'm cohosting a segment with the host of another podcast that will also appear on their podcast. The topic is the rollout of PCI DSS 4.0, and that other podcast is the PCI Council's Coffee With the Council podcast. Sounds complicated but it wasn't. And I think the discussion with tips about the rollout and not only from the folks at PCI but also from Target and how they approached it was terrific and will make for good listening. As always, please let us know what you think about either segment or something totally unrelated. Shoot me an email at podcast@rhisac.org to share your thoughts. 
Or, if you're a member, find me on Slack or Member Exchange.

[ Music ]

Luke Vander Linden: All right. I am joined by Ben Vaughn, the Senior VP and CISO at Hyatt. Welcome to the podcast, Ben.

Ben Vaughn: My gosh. Luke, thank you. This is the first time I've ever done this. So for anybody listening, just know that I have no idea what I'm doing, and I'll try my best to stay out of trouble and be interesting to you all.

Luke Vander Linden: So far, so good. I think you're off to a great start.

Ben Vaughn: Okay. Good.

Luke Vander Linden: So tell us, Ben, how is everything at the world of Hyatt?

Ben Vaughn: Well, everything's going great. We had a very difficult period during the pandemic. You know, obviously, when you run hotels and people are in their houses, it's a little challenging for a business like ours. But we have come out of that really on steaming forward on all fronts. If you look at our financials the last couple of quarters, we've been performing very well from a financial perspective. But I think, more than that, we have been meeting and exceeding our guests' needs on a daily basis across the globe. We have hotels open everywhere now, with China largely reopening. And a lot of the world, Luke, has decided to go on vacation.

Luke Vander Linden: Yeah.

Ben Vaughn: And we are - we are there to help you do that. We did acquire a company in late 2021 called Apple Leisure Group, which made Hyatt, if I'm not mistaken, the world's largest operator of all-inclusive hotels and resorts. It's a new line of business or something. I suppose being - having that big of a footprint in all-inclusives is new for us. And it's something really exciting, all these new brands that we've added the last couple years.

Luke Vander Linden: And I imagine a challenge to integrate all these disparate parts that may not have had such great cybersecurity practices into the practice that you've built there.

Ben Vaughn: I think cybersecurity is always going to be a challenge for any organization. It will always be more challenging, I think, for the hospitality field just because of the broad geographical footprint. I think we operate in probably 19 time zones, six of the seven continents. We're still working on one in Antarctica. Someday. Integrating, you know, two companies is always going to be a challenge, as well, because you have two cultures around security, two sets of tools that need to be integrated, and so on. But I'm very proud of the team's efforts and everything that we've accomplished, as you can see reflected in everything from colleague engagement scores to cybersecurity premiums, cybersecurity insurance premiums.

Luke Vander Linden: Oh, well, that's going to be a topic that we - we go over. It's on my list. But let's start a little bit more broadly. And, you know, as a leader, I think we can agree that you're a successful leader in what you do. What do you use to guide how you approach cybersecurity from a - from a broad standpoint?

Ben Vaughn: Well, I don't know I would say I'm a successful leader. I think I muddle along and then do a fairly good job of keeping our guests and our colleagues safe. But there are a series of guiding principles that we have inside the department that - that we as a team have thought about, talked about, that we try to put into practice every day, about six of them. And those six principles, I think, put into action - safety through care, no half measures, don't juke the stats, be different, stay close, and the Hyatt way - have been one of the major sources of success for us so far.

Luke Vander Linden: Would you mind going through those one by one, since you have them so beautifully laid out, and let us know what they mean.

Ben Vaughn: Sure. I'll warn you there's some pop culture references in there.

Luke Vander Linden: Uh-oh. I'm going to be tested.

Ben Vaughn: Spoiler alert for a couple of these if you haven't seen the TV shows. You'll want to change - fast forward a couple of minutes but.

Luke Vander Linden: It's they're '80s and '90s references, I might get them. But today I might not. But we'll see.

Ben Vaughn: Fortunately they are not. But the first one for us is safety through care. And that is care is the number one driving thing at Hyatt.

Luke Vander Linden: You're in a care business.

Ben Vaughn: Well, yeah. You're absolutely in a care business. But, for us, it's something so much more than that. We - our corporate purpose, we care for people so they can be their best. And cybersecurity is such a compatible mission with that purpose because how can you say that you're caring for your guests if you're losing their stuff, right? We feel terrible if we spill orange juice on a guest at breakfast because why is someone at a hotel? They're at a hotel because they're having a really important event in their life. They're on vacation. They're there for a job interview, a family reunion, any number of important situations or why you might find yourself in a hotel. And if we disservice you at breakfast, we feel terrible about that. We want to make that right. And someone in the leadership at the company once said to me, and it was really impactful to me, they said, Well, it seems to me that, by being bad at cybersecurity, we can scale up disservice, that instead of spilling orange juice on one guest, you can spill orange juice on several million all at once. That was really impactful to me. And so we have sought over the last seven years to tie everything we do in the department to caring for our guests and our colleagues and taking the steps that need to be taken to - as many as we can to protect them, to keep them safe, and to create that feeling of safety. I would say also the thesis of my career has really been centered around what might people do with computers if only they felt safe using them?

Luke Vander Linden: Oh, wow. Right. I think a lot of people feel safe using them, but maybe that's a - maybe that's a false sense of security, right?

Ben Vaughn: Well, I don't know that they do, Luke. I think we're all instructed not to feel safe using computers. Don't talk to strangers on the internet. Don't click on the link. Be careful when you're sending bank account information. And so I think people sort of approach using computers from a feeling of unsafety. And what if you could create a computing environment that was safe enough that people could feel safe using it? I think that's important to me, and it's important to the team, creating that feeling of safety in our colleagues.

Luke Vander Linden: Excellent. I really - I like the metaphors with the orange juice because, I mean, this is part of the - it makes it - it frames it as a key part of the business as opposed to something off to the side.

Ben Vaughn: It's a really important part of our business. Our guests value the service that they get at our hotels. They value the quality of the experience that they get at the - our hotels, and then they also value the privacy that they have when they're at our hotels. And so it's important to us to do a good job for our guests. We talk about our guests a lot, even in the security department.

Luke Vander Linden: So no half measures, it seems obvious what that might mean. But do you have a - do you have a nuance or a spin on it?

Ben Vaughn: So this is one of the spoiler alerts. So there was a TV show that ran for several years called Breaking Bad.

Luke Vander Linden: Yes.

Ben Vaughn: And I don't want to provide any editorial guidance on whether it was a good or a bad show. But there is a scene in one of the episodes of that show where one character, Mike, is talking to Walter about a - the main character, the antagonist, pro-antagonist, I suppose. And he tells him a story about a time earlier in his life when he had an important decision to make. And he sums up the story by saying, The point is, Walter, I chose a half measure when I should have gone all the way. And I think that's an important guiding principle for us in security because going back in my career, which now spans 29 years, every time I've been a part of a team or led a team where we needed to make a change to a computing environment and we did half the change because we didn't have the time, we didn't have the money, we didn't have the wherewithal or the support, that ended up coming right back around and turning into attacker actions on objectives. And I don't think that's because the people that were engaged in this struggle with know that we implemented something or did something halfway, but it's more of a statistical problem. If you leave a hole, that is the hole that will be exploited, not because they're looking for that hole or they know that hole exists but because it's a Murphy's Law thing. If it does exist, it will be exploited. And so we try really hard to push all the buttons, if you will.

Luke Vander Linden: Don't be like Mike Ehrmantraut. See? I knew the reference. I got that one. That was one of my guilty pleasures during - during COVID.

Ben Vaughn: There you go. There you go.

Luke Vander Linden: All right. So don't juke the stats was the next one you mentioned.

Ben Vaughn: Another TV show reference. Sorry. I'm a pop culture person.

Luke Vander Linden: That's okay.

Ben Vaughn: There's a TV show that ran for six years in the early 2000s called The Wire.

Luke Vander Linden: Ah, yes.

Ben Vaughn: Something that was instructive for me and some folks on my team, in an episode of that show, I think from the fourth season, where two policemen are sitting in a meeting. And one of the policemen remarks that it's going to be very difficult for them to meet the crime reduction numbers that they've been pledged to meet. And the other police officer says something along the lines of, Well, it's actually easy. You juke the stats. And he said, What do you - what is that? And he said, Well, you turn an armed robbery into a robbery. And you turn a robbery into a simple assault or a mugging. And by sort of downgrading crimes, you can show that, Oh, wouldn't you know that the armed robberies went down?

Luke Vander Linden: Wow. So there's a gray area. To the uninformed, you can - you can let them - you can fool them sometimes. But you're saying no, don't do that.

Ben Vaughn: I think human beings have a tendency sometimes to paint a rosy picture. And I think that that sometimes gets security teams and security leaders into trouble because they painted the rosy picture. And then things didn't quite turn out so rosily, and then they're asked by leadership, Well, you told me everything was great. So why is everything not so great?

Luke Vander Linden: Right? Kind of another version of the it's not the crime, it's the cover up.

Ben Vaughn: I wouldn't - I wouldn't use the word crime. It is important to always tell the earnest truth about your successes but also your failures because that's what breeds trust.

Luke Vander Linden: Right. Very good. Be different was the fourth one.

Ben Vaughn: When I started in my - in this field, I found that the field looked a lot like me. And if the mission is to provide and create a feeling of safety in people, I and people who look like me alone cannot create a feeling of safety in all of our guests and our colleagues because we all have different backgrounds and different concepts of the feeling of safety.

Luke Vander Linden: Right. Yes. Certainly you and I look a lot like each other in this respect. And so that's - I mean, this is something we've talked about before. Tell me a little bit about how - what that means to you and - and from your perspective and trying to bring in the different other perspectives that other people may have who don't look like us.

Ben Vaughn: It just means to me that you have to do the hard work of building a diverse team, and a diverse team across many dimensions of diversity because, if you're trying to create a feeling of safety, you need to have a group of people who can represent all views of the prism of safety.

Luke Vander Linden: Right. So that's race, gender, economic background. What else?

Ben Vaughn: Educational experience. We need people who are very experienced with security and people who are new to the field. We need females and males. I need as many diverse viewpoints inside the team as possible so that those people who have been encouraged to be different can represent their views to our - to all of us as a team.

Luke Vander Linden: So DEI, diversity, equality, or - and inclusion is a buzzword right now. But you obviously treat it way more than just a buzzword or a slogan. So what are the outcomes or impact do you have - do you see with a diverse workforce?

Ben Vaughn: In our field specifically, in security, having a diverse team is the key to making all of one's colleagues and customers feel safe.

Luke Vander Linden: And that's just it? It's as simple as that.

Ben Vaughn: I don't think we can win without it.

Luke Vander Linden: So hiring is obviously the important first half of that equation. But how, then, do you make those people - I guess feeling safe is important but also feeling included, feeling a part of the team if they are, at least at the beginning, the only person who looks like they do until you hire other people who look like they do in your unit?

Ben Vaughn: I think that inclusive journey is - it's actually probably easier for a security department to do that than other departments at a big company because, in a security department, my boss, my leader once said to me, You're very unique in a corporate job because the security department has an enemy. And I thought that was so fascinating because he's so right. The security department has an enemy, a person on the other end of that computer that wants to do you harm. And that can be used to create esprit de corps and inclusivity. Right?

Luke Vander Linden: So, obviously, Hyatt has competition, but it's not enemies. You in cybersecurity departments have enemies.

Ben Vaughn: That's right. I mean, an accounting department, the enemy is, you know, making sure that your numbers are accurate. In an insurance department, it's ensuring that you pay the right money for the insurance. But there's not a hostile person -

Luke Vander Linden: Right.

Ben Vaughn: - at the other end of a computer who wants to do you harm. And I think that helps to focus our minds. And it helps to, I hope, make colleagues who join the department feel that they're part of that cohesive team because we're in the trenches together, engaged in this broader struggle. I think also, setting aside sort of adversary driven inclusivity is the effort and expense that we engage in at Hyatt to bring our colleagues together, to celebrate our successes with them, to communicate with them, to poll them on - on how they're feeling through a quarterly colleague experience survey and then also to have, you know, regular dinners, meetings, team-ups. More than half of our team is now remote workers.

Luke Vander Linden: Yeah. I was going to ask you that. Like, how - I mean, you're remote. So how do you - how do you build that relationship if some people are in the office and they have their own culture and then other people are far away?

Ben Vaughn: Our business is about bringing people together. It wouldn't be much of a business if we didn't have any hotels, right?

Luke Vander Linden: Right. I like how you always bring it back to that, though, because it's such - you know, it's such an important thing for you to keep in mind that you're not just a cybersecurity department in, you know, Company A. You're part of a hospitality enterprise.

Ben Vaughn: That's absolutely right. We can't just sit in our houses and not know our business. And so every quarter our team convenes. We all travel from all over the country, and we meet in Chicago. And then once a year so we meet at one of our hotels. That's important to us to get closer to the field and then to get closer to one another.

Luke Vander Linden: I'm just wondering, do the - does the staff at that particular hotel know that they're hosting the Hyatt cybersecurity team, or do you kind of like keep it secret to see how they do?

Ben Vaughn: We certainly don't keep it secret. We like to meet with the IT managers at the hotels, get to know them and their problems. And so that's an important part of our visits as well.

Luke Vander Linden: Excellent. So that's probably a bigger one, more - more of a marquee property or at least in a large - large place. So just getting back to hiring, I had one more question. So diversity, looking for diversity is one thing or being open to it when - when you have a hire to make. You know, it's always been interesting to me since I'm a recent relative newcomer to the cybersecurity field, and I always look to see what a career - typical career path for a CISO is or a director. And, you know, we have a lot of veterans in our industry. And, you know, there's some similarities. But there doesn't seem to be one singular career path in cybersecurity. So, beyond diversity, what skill sets do you look for in a candidate if you're open to different educational backgrounds, different economic - economic backgrounds and everything like that.

Ben Vaughn: There's one thing that we select for more than anything else, and that is enthusiasm -

Luke Vander Linden: Oh, excellent.

Ben Vaughn: - for safety and security.

Luke Vander Linden: That's great.

Ben Vaughn: We can teach you how to use an EDR tool. We cannot - well, it's going to be a lot harder to teach you how to be enthusiastic about this topic.

Luke Vander Linden: That's great. And, you know, I've talked to other CISOs about this, particularly in - you know, ones that are similar minded to you where, you know, the skill set can be taught, as long as you have, you know, enthusiastic mind, open to learning things, intellectually curious. You know, those - those are more important than having - you know, and I think this is interesting. When I talk to people who aren't in cybersecurity, they assume that you have to have this huge technical skill set already in place. But you don't. You just have to be aware. You have to be enthusiastic, as you say, and be open to learning.

Ben Vaughn: I think, more than anything else, that is what we want to look for. It is great when we find people with ten years of experience that want to come work with us. It's even better when we find somebody with ten years of experience who's just super engaged and interested and fascinated with this topic. I've been doing this for almost 30 years. And when I wake up in the morning, this is what I'm thinking about. And when I go to bed at night, this is what I'm thinking about, this topic, this fascination that's enduring with me of keeping people safe. And I think surrounding the company with people who are enthusiastic about hospitality and surrounding in the team with people who are enthusiastic about security is an important driver of our success.

[ Music ]

Luke Vander Linden: This is a very exciting segment of not only the RH-ISAC podcast but also the Coffee With the Council podcast of the PCI Security Standards Council. As listeners of the RH-ISAC podcast know, I'm Luke Vander Linden, Vice President of Membership and Marketing at the Retail and Hospitality ISAC. And I'm the cohost today because we have another host with us, Alicia Malone. Alicia.

Alicia Malone: Hi, Luke. It's so great to be with you today. I'm Alicia Malone. I am the Senior Manager of Public Relations at the PCI Security Standards Council. And this is a special episode, indeed, because this is actually the first time we've done a cohost opportunity with a third-party stakeholder. So we are so excited to be here today.

Luke Vander Linden: Yes. We're excited, too, and we hope this goes well. I think it's good. It's going to be good to work with you. Alicia and I have each brought - kind of brought a guest of our own to this segment. My guest is Tony James, Director of Cybersecurity at a longtime RH-ISAC member, Target. Who did you bring, Alicia?

Alicia Malone: I have Kandyce Young with me. She is the Manager of Data Security Standards at the PCI Security Standards Council.

Luke Vander Linden: Excellent. Welcome to you both. So the rollout of DSS 4.0, something that's been in the works for a while, but if you haven't been paying attention to it yet, frankly, there's no time like yesterday. So just as a means of setting the stage, we've seen a significant increase in POS malware just over the last two or so years, right. And I know, at least in our sharing communities, we've seen increased interest in skimming activity overall but more specifically around tactics like using cloned cards and getting cashiers to bypass chip-enabled security. And, of course, they're creating cloned cards using stolen card data captured via skimming devices installed inside of gas pumps, ATMs, point of sale devices. So I guess, Tony, let's start with you. I guess these and other threats are what DSS 4.0 is trying to address.

Tony James: Yeah, yeah. Thanks for having me, folks. Definitely a PCI 4.0 addresses some of these concerns. And, as a retailer, we're definitely seeing some of those risks related to digital skimming and, like you said, trying to force beyond the chip-enabled readers in the stores. It's actually cool. One of the things that Target rolled out and it's actually open source is a tool called Easy Sweep [phonetic] to help some of those team members for any retailer that wants to check those hard - those guest payment devices or the point interaction devices to actually ensure that there's no skimmers or digital shimmers in there as well. And so that's something we worked on to help both Target and the industry. Beyond that, digital skimming is definitely concerning. We've also open sourced a tool called Merry Maker that anyone can download and leverage. We can provide some - feel free to reach out. We can find some - the Git repo and stuff to just access that and see how it works for your organization to protect against digital skimming. These are probably two of the most prevalent payment security related issues that retailers are facing these days. And that's what we've tried to help the industry and provide those solutions that can work for everyone.

Kandyce Young: That's really good, Tony, I think because PCI DSS from its inception was really about fostering the broad adoption of consistent data security measures all around the world. So the new version of PCI DSS, we needed to make sure that it evolved to align with the evolution and payments, right. So a lot of the areas that the new version focuses on, you know, flexibility to implement technology but also meeting the security needs of the payments industry, right, and tackling those exact items that you discussed. Because we had open RFC comments for our stakeholders, we got over 6000 comments about how organizations are looking to better secure their environments and what we need to do to help them achieve those better security practices. So with all of those - with all those comments, that really drove the evolution and the - the focus we have on PCI DSS, right. So we've got stronger encryption, more complex authentication, the e-commerce skimming that you mentioned. So prevention and detection are key aspects, as well as anti-phishing support because we know a huge social engineering tactic is phishing. And so we've brought in the technical and awareness components to really drive that home to support our stakeholders.

Alicia Malone: So, Kandyce, for retailers who are new to PCI DSS v4, what should they do to start implementing it in their own payment environments?

Kandyce Young: Well, the first thing I would say is read the standard. I mean, we've got an extensive amount of guidance, best practices. And we really drill down into the why and provide a lot of examples. I mean, that's why the standard itself has gotten about three times the size that it was in v3.2.1, not because of the new requirements but because the feedback from our stakeholders told us that they wanted clarification. They wanted additional context. And so we provided that in the standard. So read that to really help you understand the requirements, the new updated, and how they impact your organization. So we've included several new concepts that I think organizations should really look at when they're starting to implement. So the customized approach, right, that is a new way to meet PCI DSS requirements to really help support innovation in the industry. We've got targeted risk analysis, right. So we've done away with the formal organization-wide risk assessment, and we're looking at requirements and the specific controls that address security concerns and looking at how the business addresses the risk to help mitigate the impact of any - any of those issues. So we've got network security controls, as well as we have the general term of third-party service providers or TPSPs, as we call them, to really wrap in general support for the service provider and merchant communications. So I'd say, you know, look into the targeted risk analysis to really helped understand how you can meet those requirements; to help, let's say, determine the frequency you want to check for systems not at risk for malware in your system. Well, we offer flexibility to do that. So make sure you perform the targeted risk analysis and go - I think it's requirement 12 that offers details on to how to properly perform that. Another thing I would say is don't let your v3.2.1 control slip. 
I mean, stay strong with your existing controls because we know, yes, it is a point-in-time assessment. But the goal is to make sure we perform security as a continuous process throughout the entire year. And even if you do complete an FAQ, which some - I know some of the retailers do, still review the guidance in the standard because it's equally applicable. We've included considerably more guidance in the standard that may not have made its way to the FAQ, so make sure you read both and documents in their entirety.

Luke Vander Linden: Target, ahead of the game, as usual. So, when you were implementing this, you know, what was the biggest realization that you came to, and how did you start?

Tony James: Yeah. So, honestly, our biggest realization, Luke, was not to overthink it. So where Kandyce said read the standard first, I totally agree. I was going to say I completely agree that is the right place to start. A lot of people jump right to looking at webinars or asking industry experts, and I'm going to get to that. That is actually something you should do. But first understand the impact that it has to your organization. Kandyce said it really, really well there, that the first thing is you have to read that and understand how it impacts you because, oftentimes, if you jump right to what other people are saying, you're going to be focused on the wrong things. A great example would be digital skimming. For us, like, that is a huge new component in PCI 4.0. It's not as impactful, actually, to Target. We already had a solution in place. It raised a risk in the industry that we were facing, and we had a solution there that we could just say, Okay. That's our thing now. It's not a significant impact to us. It's still super important, a lot of evidence we'll have to gather. It's a new thing, but it's not necessarily going to be a huge obstacle or a huge new thing for us to attain. There's other things in there. Multifactor authentication or authenticated scans, those are definitely new in the industry and also somewhat new to Target. And so there'll definitely be some - some lift there. But that might not be the case for other organizations. I've definitely talked to some peers out there who have said, You know what? I already was doing multifactor twice, so it's not a big deal. That totally makes sense. But if you just look at what's happening in the industry and what they're talking about, you might be focused on the wrong things. So read the standard first.

Alicia Malone: Kandyce, do you have any tips on how companies can prepare for this transition?

Kandyce Young: Yeah. Most definitely. In addition to reading the standard, we did publish a summary of changes document. And so that is really, really helpful to give you an idea of what was in 3.2.1 versus how it's kind of been modified in v4. And it also includes a full list of all of the - the new requirements added to the standard and when they will be effective. So that it - that is a first - the first resource that I would say. And, actually, as Tony was mentioning, you know, you - prioritizing your remediation activities, right? So really helped to look at he was already meeting there - ready meeting certain requirements. So now they're able to have the opportunity to reallocate resources to maybe other areas where they may not necessarily be meeting the appropriate controls for PCI DSS v4.0. It's important to have that understanding first, right, to be able to kind of reallocate those resources. I would say - preparing for that transition, another thing is understand the validation options, right, because as I touched on, we have the customized approach, right. And so that is really to help support cutting edge technology the organizations may be using. But it's really important that, if you're going to embark on that journey of the customized approach, start it as early as possible because there's an additional documentation and support required to really help to not only implement but maintain and secure those innovative controls. So we've got quite a few blog posts on this very topic, a customized approach on our website. So I would say that is a great reference to look at it for organizations wanting to understand a little bit more about that. And I would say, document your steps, and inventory your components because it's often overlooked. You know, establishing policies and procedures, oh, we can do that later. No. Sometimes they're quite time-consuming. And you may not know you're missing steps until your assessor lets you know, right? 
So, in order to support the ongoing consistent implementation of these security controls, document it and inventory because, as part of the new in the new standard, you've got to inventory the bespoke and custom software, cryptographic cipher suites, trusted keys and certificates used to protect PAN that's in transit. So we've got a few materials on our website to really help support this transition. So those are the things I would say to start with helping this transition. Tony, I know you've got some things to say about that.

Tony James: Yeah.

Kandyce Young: How have you guys really helped to prepare for this transition? I know you engage quite a few trusted experts.

Tony James: We did. And so I appreciate that. Kandyce, yeah. I think you nailed it in saying that the first thing to do is to understand what is right for you and digging in and understanding what the different ways to validate your compliance are. So the first step for I really - us really was, after we understood the requirements, I think the document you referenced there where you can - you're talking about what the big changes were is great. What we did then was actually look back at 3.2.1 for what - what requirements had changed and compare, like, what was it that changed within the requirements so we can really know, like, is it just a wording change that was significant? Is it a brand new requirement? What was it about that clearly changed? Because that helped us drive how big a deal it really might be. And once we really understood what some of the biggest requirements were, I know that your - the council does a great job saying there's like 64 new requirements. And, for us, it's 64 plus then a 9 or so that were significant changes. So we have 75 new or significantly updated requirements that really applied to us. The key, then, was understanding how big a deal are those and really categorizing those and then talking to those trusted experts. We've started going down this path. This is what we think the big changes are. Are we missing anything? And that's where you engage your QSA. That's when you engage some of your benchmarking. Some of you might know I have a number of groups that I benchmark with both within Retail and Hospitality ISAC. I have a couple other benchmarking groups that I facilitate myself just to make sure that we are really aware of what's going on in the industry and what other people are saying about these. And I would say there was about 74 other requirements that we nailed, and then there was one. Like, oh, that's an interesting point that someone brought up, and I forget which one it was. 
But it was just really helpful for us to realize that we were pretty much on point for everything, and then there's one new thing that we missed. And then we talked with our QSA after that benchmarking and watching the webinars and in talking to our peers, and that's when I realized, actually, for a couple of them, we were overindexing. They're like, Hey. You know you're saying this is a big change for you. Based on all these things we know about you and the evidence you've provided already in the past, that's actually probably not a huge lift. If you just do this, that's probably going to be good enough for us to understand or meet this requirement. So that was super helpful for us to engage those two different groups to make sure we understood what the impacts were and how it really would impact us.

Kandyce Young: You know what else I would say, too, which I found through some feedback we've been receiving is sometimes, if you're - if you're engaging or beginning with new technology, like, Tony, you're in a great position, but other organizations may have had a huge lift on some of the technology that they've had to incorporate into their environments. And one thing I would say, too, in addition to trusted experts is training your internal staff. So it's important to make sure that, when you add any new technology to your environment or you're making any updates in response to PCI DSS v4.0, let's say, making sure that your staff is aware and up to date on what's happening and they're trained on that so that, if there are any issues in the future, you already have in-house experts to help support that. And I think other organizations can maybe benefit from the knowledge. I'm sure, Tony, that's something you're already doing with your great staff. But I think it's so important for others to be aware that, hey, we want to do cutting edge technology. That's great. So make sure we have people on staff to support us if, in fact, maybe the new technology is not addressing all of the system components it should or it's malfunctioning. So make sure you have that, those trusted experts internally before the assessment begins.

Tony James: Yeah. I agree. That kind of brings me back to the other point you mentioned earlier on validation using the customized approach. First of all, I really want to applaud the Council for implementing this. I know they did a lot of work with the industry to understand what the industry wanted here and how to make it come to life. And so I applaud you for making it a reality. That said, I think it's a great point to call out for those of you who haven't dug in a lot, it will be a lot of work. Don't go in thinking, Oh, great. I'll do this customized approach, and that'll be less work for me in the end; and it'll just make this whole process easier. There's some realization to that it probably could make things easier for your business or easier for your technology experts at the end. But there's going to be more pre-work ahead of time working with your QSA or in working internally to understand exactly what those controls are, doing that targeted risk assessment, as you referenced, and preparing to evaluate a control that you're creating to meet this requirement. And I want to make sure everybody is really aware of that it's a great option, but it does not mean lots less work.

Kandyce Young: You're so right, Tony, because I think the customized approach was really developed to - for risk mature organizations that have a strong framework and strong resource, really associate or provide strong resources to help support the implementation but also the long-term efficacy of those controls because you're right. There's a lot of documentation involved. But for organizations that want to, you know, do some sort of modern malware protection or anything else that's really exciting with, you know, evolving their network segmentation, then there certainly is space to do that.

Alicia Malone: A question for both of you, and I'll start with Kandyce on this. What is the most important thing that you want retailers to take away from this podcast regarding PCI DSS v4? I know that our timeline is getting closer, and I wondered if you could just speak to that, Kandyce, and some of the really important things that they need to know going into this.

Kandyce Young: Well, start now, right? So PCI DSS v3.2.1, it retires on March 31, 2024. So that is right around the corner. So, after this date, it's PCI DSS v4.0 assessments. We do have some additional best practice requirements that are now future dated, and those will take effect on the 31st of March 2025. But it's important that you perform your gap assessments so you know where you have those gaps in controls so you're prepared to adopt those new controls that come into effect in 2025 well in advance of your assessment date, right? So prepare for the assessment before you undergo the assessment. Get organized. Be informed about controls and the gaps in your - the gaps in your controls in your practices. So we say that early planning and proper investment are - are critical to your success. And, finally, I will say, I will plug we collaborate with the industry on a regular basis. And that's how we thrive. That's our foundation. So if you'd like to collaborate with us, you can become a participating organization. And that really gives you as an industry stakeholder the opportunity to be involved in the direction of our standards, as well. And it'll give you the opportunity to join our special interest group that we're working on right now about scoping and segmentation for modern network architectures. So your voice will be heard, and your expertise will become a part of the guidance to the payments industry. So those are the things I think retailers can take away from our talk today.

Luke Vander Linden: Kandyce, I think that's great. You know, the best laid plans, though, of mice and men often go astray. So, Tony, what would you say if you're running late? What - what should you do next?

Tony James: So I think the first thing to do is really engage in that gap assessment quickly. I talked a lot about what we did from a gaps assessment standpoint, and that's where I would focus. And it's similar to kind of what Kandyce was asked there, too. So where should I start? What should I do? It really is three things. It's read, plan, and communicate. So read it, understand it. Talk to the experts in your organization. You'll have subject matter experts throughout your organization. Talk to them and understand the impact to you. Gather details about what you and those other experts outside the organization might think are the biggest impact. Make your plan. So plan for what you're going to do, how you're going to do it, what your timelines look like, and what you need to accomplish by what dates because there's different dates. Some things are due in 2024; some are due in 2025. So prioritize that. And, finally, we haven't talked about this one enough: Communicate. If you have read it all and know exactly what you need to do when you start doing it all but you haven't told anybody in your organization, you're not setting yourself up for success. So communicate what's going on with 4.0, how it impacts you to your organization, and communicate what those plans are and what you need from those experts. If you want them to do something by a certain date, you probably need to look at perhaps what the organizational budgeting timelines are within your organization and work around that. If you need something done next year and your organization does budgeting in January, you want to probably be talking to those teams well before that so they know what budget to ask for so they can implement that in next year. So those are the three things: Read, plan, and communicate.

Kandyce Young: I wholeheartedly agree with that, Tony. I think properly allocating human and technical resources and giving enough time prior to implementation I think is a really key and critical component to success in meeting the new requirements. So spot on. I agree.

Alicia Malone: Kandyce, where can our listeners go for more information about PCI DSS v4?

Kandyce Young: Well, you can head over to our website. We've got pcissc.org. And we have a PCI DSS resource hub, actually, with all the documents I mentioned so the summary of changes document. We've got our standard. We have Coffee With the Council videos where we have commonly asked questions. We have a considerable amount of FAQs because we are receiving questions on a daily basis from our stakeholders. And so, when we receive enough of those, we actually publish them as formal FAQs on our website. And so that's a resource that we're updating on a regular basis. We put quite a few in just last month. So that's another great resource to head on to. And blog posts, we're constantly doing those. So those are all available on pcissc.org.

Luke Vander Linden: That's excellent. And we'll - we'll link to all those resources, as well, from our show notes on our version of this segment as well. But I also want to plug, this isn't the last time you can hear from this group and a couple more folks. We're also hosting a joint webinar on this topic. That's going to be on the 25th of May at 3pm Eastern time. And, again, we'll have links all over the RH-ISAC website. We'll put it in the show notes as well. And I'm guessing you guys will do that as well.

Alicia Malone: Absolutely. We're looking forward to that webinar as well, Luke. And I wanted to just thank our guests today for their insight. This is so helpful. And I think this is really great information for the industry.

Luke Vander Linden: Excellent. Yes. Thank you both as well. And thank you, Alicia, for letting me cohost with you. I think this worked out great, so hopefully maybe we can do it again someday.

Alicia Malone: Yeah. Let's do it again. This was a lot of fun.

[ Music ]

Luke Vander Linden: Thank you to Alicia Malone of the PCI Security Standards Council for cohosting that segment and for bringing along Kandyce Young, Manager of Data Security Standards at PCI, as well as a thank you to Tony James, Director of Cybersecurity at Target for his insights on PCI DSS 4.0. And don't miss that webinar I mentioned. We'll put a link to it in the show notes. Hopefully you'll see that wherever you're listening. If not, just go to our rhisac.org and click on our events calendar in the nav. I'll make sure that it's there. And a great big special thank you to Ben Vaughn of Hyatt. You can listen to the second half of that conversation with him in just two weeks on the next episode of the RH-ISAC podcast, which of course you could find at thecyberwire.com or wherever you listen to high-quality podcasts like ours. As always, a great thank you to my own production team at the RH-ISAC, Annie Chambliss and Marisa Troscianecki; and for making us sound good, the folks at CyberWire: our senior producer, Jennifer Eiben; and the sound team of Elliot Peltzman and Tré Hester. Once again, if you have anything you want to tell us about, preferably cybersecurity related, shoot us an email at podcast@rhisac.org. Thanks for listening, and stay safe out there.

[ Music ]