PCI DSS v4 Transition Training Arrives

I received an email from the Council today that announced that PCI DSS v4 Transition Training will begin to be available through the PCI Portal the week of July 11 for all current QSAs.

According to their message:

“The training takes between 4-5 hours to complete and is based on documents that are already available:

  • PCI DSS Requirements and Testing Procedures Version 4.0
  • PCI DSS v4.0 Report on Compliance Template
  • PCI DSS v3.2.1 to v4.0 Summary of Changes
  • PCI DSS v4.0 AOCs and SAQs
  • PCI DSS v4.x Report on Compliance Template – Frequently Asked Questions

We recommend assessors download these documents before taking the training course. There will be an exam that follows the training. The exam is open book, with 25 multiple-choice questions, which you will have 60 minutes to complete. The questions are based on the course content and associated documents (listed above). You will be granted access to the exam via the Portal once you have completed the training. Once you pass the exam with a 75% or higher, the website listings will be updated to reflect that you are now qualified to lead an assessment using PCI DSS v4.0.

Important exam information summarized:

  • 25 multiple-choice questions
  • Open book
  • Available via the Portal after you complete the transition training
  • 60 minutes long
  • 75% or higher score to pass

Once the training is available, you will receive an email with instructions on how to access the training and take the exam.”

Best of luck to everyone on passing this new QSA requirement.

UPDATE: I passed the PCI DSS v4 Transition Training on July 17. There is a lot of material in the presentations, but it is good stuff and I found it very informative. I still have questions about how the tables in section 6 of the ROC work and have asked for additional clarifications. My biggest concern is avoiding the debacle a lot of QSACs went through when we all went through the first AQM process and most ended up in remediation.


7 Responses to “PCI DSS v4 Transition Training Arrives”

  1. September 15, 2022 at 7:30 AM

    Hello to all gurus, what is your opinion about the requirement (in PCI v4) that clearly talks about running authenticated scans on system components? Do these authenticated scans refer to OS credentials, or maybe credentials related to web applications, if applicable? This also pops a new question about credentials to be provided to scanning systems and how those systems maintain those credentials secure at rest, and also if the authentication requires an admin-level role…

    • September 18, 2022 at 4:27 PM

      Authenticated scans have long been the way to reduce false positive results.

      My recommendations are to use credentials that are specific to the scanner, not existing administrative credentials. Granted, those credentials will also have administrative access, but you can generate specific alerts for when they are used and then match their use to the running of the scans. Any other use would be flagged as a problem.
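The alerting approach described in the reply above (a dedicated scanner account whose every login is matched against the scan schedule, with anything unexplained flagged) can be checked mechanically. The script below is an added illustration, not code from the PCI Guru post or any commenter. It assumes Linux-style sshd "Accepted" log lines, a hypothetical service account named `svc-scanner`, a hypothetical scanner host at 10.0.0.5, and a list of scheduled scan windows; the log lines and windows are constructed sample data.

```python
"""Flag logins by a dedicated scanner account that no scheduled scan explains.

Added illustration (not from the PCI Guru post or its commenters). It assumes
sshd-style log lines, a hypothetical account 'svc-scanner' that should only
log in by public key from the scanner host 10.0.0.5 during scan windows.
"""
import re
from datetime import datetime

SCANNER_USER = "svc-scanner"   # assumed name of the dedicated scanner account
SCANNER_HOST = "10.0.0.5"      # assumed source address of the scanner

# Constructed sample sshd lines (ISO timestamps used for simplicity).
SAMPLE_LOG = """\
2022-09-18T01:00:12 web01 sshd[4121]: Accepted publickey for svc-scanner from 10.0.0.5 port 51122 ssh2
2022-09-18T01:03:40 db01 sshd[2210]: Accepted publickey for svc-scanner from 10.0.0.5 port 51130 ssh2
2022-09-18T09:15:02 web01 sshd[4390]: Accepted publickey for svc-scanner from 10.0.0.5 port 52001 ssh2
2022-09-18T13:42:55 db01 sshd[2388]: Accepted password for svc-scanner from 192.168.7.23 port 40022 ssh2
2022-09-18T13:50:10 db01 sshd[2391]: Accepted publickey for alice from 192.168.7.40 port 40031 ssh2
"""

# Constructed scan schedule: one window from 00:30 to 02:30 on the sample day.
SCAN_WINDOWS = [
    (datetime(2022, 9, 18, 0, 30), datetime(2022, 9, 18, 2, 30)),
]

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: Accepted (?P<method>\w+) "
    r"for (?P<user>\S+) from (?P<src>\S+) port \d+"
)


def parse_events(text):
    """Turn successful sshd login lines into dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        events.append({
            "ts": datetime.fromisoformat(m["ts"]),
            "host": m["host"],
            "method": m["method"],
            "user": m["user"],
            "src": m["src"],
        })
    return events


def in_scan_window(ts, windows):
    """True when the timestamp falls inside any scheduled scan window."""
    return any(start <= ts <= end for start, end in windows)


def flag_scanner_logins(events, windows, user=SCANNER_USER, scanner_host=SCANNER_HOST):
    """Return one finding per scanner-account login that a scheduled scan does not explain.

    A login is expected only when it comes from the scanner host, by public key,
    inside a scan window; each missing condition is recorded as a reason.
    """
    findings = []
    for e in events:
        if e["user"] != user:
            continue  # other accounts are out of scope for this check
        reasons = []
        if e["src"] != scanner_host:
            reasons.append(f"source {e['src']} is not the scanner host")
        if not in_scan_window(e["ts"], windows):
            reasons.append("outside any scheduled scan window")
        if e["method"] != "publickey":
            reasons.append(f"unexpected auth method {e['method']}")
        if reasons:
            findings.append({"ts": e["ts"].isoformat(), "host": e["host"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in flag_scanner_logins(parse_events(SAMPLE_LOG), SCAN_WINDOWS):
        print(f["ts"], f["host"], "; ".join(f["reasons"]))
```

On the sample data the two night-time logins from the scanner host pass, the 09:15 login is flagged only for being outside the schedule, and the afternoon password login from an unrelated address is flagged on all three counts. In practice the schedule would come from the scanner's own job history rather than a hard-coded list, and the check would run as a SIEM correlation rule rather than a script.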

  2. Erik
    August 16, 2022 at 7:07 AM

    Finally! I took the exam.

    One thing that stands out to me: the clarification that offsite document reviews are considered a remote assessment activity. To me this is detached from the reality of how PCI DSS assessments actually work. Offsite document reviews are essential for a good quality assessment.

    If the QSA has to review all documents onsite at the customer, they cannot prepare properly for the assessment. There will be very limited time to review documents, understand the scope, prepare sampling and interviews, etc. Onsite document reviews introduce a quality risk, not the other way around.

    In addition, classifying offsite document reviews as a remote activity effectively means 99.9% of all assessments will be considered remote. Remote assessment becomes the norm, not the exception. I think it will encourage QSAs to do more work remotely and spend less time onsite.

    • August 17, 2022 at 12:47 PM

      I don’t think the Council sees that the same way as you do, but it is a good discussion point for the upcoming Community Meeting. If you cannot be there in person, I would recommend you submit that question to the Council at qsa@pcisecuritystandards.org.

      • Erik
        August 19, 2022 at 3:15 AM

        The transition training didn’t leave much room for other interpretations, as I understood it. Offsite (i.e. normal) review of even a single document classifies the assessment as remote. I hope the council can provide further clarification.

        I’ve submitted my thoughts on the issue to the Council, and to some of my card brand contacts.

  3. mrgray
    July 7, 2022 at 5:52 AM

    Thanks for this. Is it possible for non-QSAs to take the exam? We are self-assessing and I would like to present this level of credibility to my organization.


Welcome to the PCI Guru blog. The PCI Guru reserves the right to censor comments as they see fit. Sales people beware! This is not a place to push your goods and services.

July 2022
