Why Consumer Experience and Compliance Will Be Critical to Downturn Survival

With a potential recession on the way, now is the right time to retool your recovery and debt collection strategy, says Jake Cahan, CEO of January. In this Q&A with iA Strategy & Tech, Cahan argues that creditors will need to make a philosophical shift – away from incremental dollars and towards compassionate customer care –  if they want their brand and business to get through an impending recession successfully. 

 

“The philosophy of collections must shift from a short-term focus on incremental additional dollars collected to sustained relationships,” Cahan says. “Compassion at scale is missing and needs to be added to the collections equation.”


You’ll learn:

  • Why creditors need to plan for scenarios where delinquencies and charge offs are higher than modeled
  • Why creditors must focus on sustained relationships
  • Why additional CFPB oversight is good for the consumer and the collections industry
  • Key questions to ask within your organization about collections and recoveries in order to prepare for the downturn

Read the full Q&A below.

Q: How would you describe the current economic climate?


A: Unfortunately, we expect to see a rise in consumer debt due to macroeconomic changes. 

Anecdotal data from our large creditor clients suggests this is already underway. Our original creditor and debt buyer clients are seeing delinquencies and charge-offs pick up and are analyzing their collections and recoveries strategy to ensure their current partners can handle an increase in volume. 

Consumer delinquency rates are rising as per Fed data, up 9.5% over the last two quarters of 2021. We expect this trend to continue into 2023 due to soaring inflation, rising interest rates, and the end of pandemic forbearance programs.

Q: In a recent interview, Dave Hanrahan, CEO of Kredit, said fintechs will need to get more sophisticated when it comes to their customer service processes, especially collections. Do you agree with that statement?

A: We agree. Customer service suffers from quality and risk control challenges due to the multitude of human touch points. As regulators like the CFPB increase their oversight, implement more consumer-friendly requirements such as Reg F, and volume increases, those human touch points become higher risk and more costly. 

Meanwhile, creditors are interested in protecting their brands and increasing their margin as the public markets prioritize cash flow in a world no longer buoyed by zero interest rates. To mitigate these risks, we’ve seen that fintech lenders have prioritized solutions that increase the quality of the customer experience while decreasing the human touch points required. In particular, they’re assessing solutions that prioritize consumer engagement, compliance, and automation to minimize the historical risk associated with those touch points.

A philosophical change is needed when it comes to collections. Countless creditors have told us how the practices of collections departments have long been overlooked. As creditors care more about protecting their brand and rehabilitating relationships with their borrowers, a compassionate collections program is critical.

The philosophy of collections must shift from a short-term focus on incremental additional dollars collected to sustained relationships. Compassion at scale is missing and needs to be added to the collections equation.


Q: How would you advise fintechs to approach a potential economic downturn?

A: We’re biased, of course, but we would focus on what happens when payments are behind. We encourage fintech companies to consider what happens if delinquencies and charge-offs are higher than modeled. Strengthen your analysis of key challenges leading to the uptick. Ask your teams:

  • How will you engage – at scale – with borrowers suffering from increased financial distress? How will you maintain collections effectiveness?
  • Do you have confidence in your agencies’ compliance and oversight?
  • Can you quickly adapt to ever-changing regulations at the municipal, state, and federal levels?

Depending on the magnitude of these challenges, lenders might want to evaluate new solutions to ultimately help them improve their profitability and reduce their operational, compliance, and reputation risks. Solutions here range from better telephony systems and more reliable and dynamic systems of record to superior agency partners.


Q: What was your reaction to the recent CFPB announcement that they intend to use their oversight authority to supervise nonbank entities which pose a risk to consumers?


A: We weren’t surprised. After all, the CFPB’s mission statement makes clear their focus on doing well by consumers. Compliance, effectiveness, and empathy don’t need to be mutually exclusive.


More generally, we view additional oversight as a good thing for consumers and the credit ecosystem. With the rapid increase in new financial products and tools, we appreciate the need for renewed focus on how consumers are impacted. 

That said, we echo industry feedback that additional guidance and clarity on the operationalization of the announcement would improve compliance of companies in our industry.


Q: Did that announcement come as a surprise to your clients? What advice have you given to them regarding the CFPB?


A: Most of the discussions we’ve had related to answering what the announcement actually means. Our advice is to continue prioritizing compliance and the consumer experience. While the CFPB appears to be casting a wide net in who they can target here, those with subpar compliance and customer service will quickly rise to the top of the CFPB’s list.

http://www.insidearm.com/news/00048322-why-consumer-experience-and-compliance-wi/
http://www.insidearm.com/news/rss/
News

All the latest in collections news updates, analysis, and guidance

Washington Court Sides with Hunstein Copycat; Rejects Main Industry Defenses

Last week a federal judge in the Eastern District of Washington allowed a Hunstein copycat case to continue and rejected the primary Hunstein defenses we’ve seen thus far from the ARM industry.

Jackin v. Enhanced Recovery Company is a typical Hunstein copycat case. The consumer alleged that Enhanced Recovery Company (ERC) violated the Fair Debt Collection Practices Act (FDCPA) by sending data to a letter vendor (RevSpring) so that RevSpring could produce and mail the consumer a letter. The consumer claims she noticed that ERC used a letter vendor because the P.O. box listed as the return address did not belong to ERC.

ERC moved to dismiss the complaint under several different legal theories, many of which were raised by ARM industry participants in amicus briefs last year in the Hunstein matter (see here, here, and here for example). After considering arguments from the consumer and ERC, District Court Judge Salvador Mendoza Jr. addressed and rejected each theory in a June 10, 2022 Order.

The Ruling:

First, citing a Pennsylvania Hunstein copycat case (Khimmat v. Weltman Weinberg and Reis Co., LPA), Judge Mendoza held mail vendors are not a medium because “medium” refers to the mechanical means of communication such as telephone, telegram, or in more modern terms, email or a file transfer. It refers to a means of transmission, not to an intermediary. Judge Mendoza declined to find a distinction between “person” and “medium” such that the terms would be mutually exclusive and held that since ERC directly conveyed information about the debt to RevSpring, the data transfer was a communication.

ERC’s contention that the data transmission was permissible due to an agency relationship between ERC and RevSpring was rejected because even if ERC could establish that RevSpring was its agent, the FDCPA does not have an exclusion for agents in general. Instead, the only exceptions to third-party disclosure are listed in the statute (15 U.S.C.A. 1692c(b)). 

ERC argued that the case should be dismissed based on the Supreme Court’s 2021 opinion in TransUnion v. Ramirez, which said a disclosure to a printing vendor is not necessarily actionable. Judge Mendoza brushed away this argument, tersely stating that the Supreme Court’s language regarding printing vendors was in a footnote and not binding authority.

Next, Judge Mendoza rejected ERC’s argument that the Federal Trade Commission (FTC) and Consumer Financial Protection Bureau (CFPB) have approved the use of outside vendors to send collections letters. Though neither agency has found such action to violate the FDCPA, the judge declined to find that inaction equals acceptance. 

Lastly, ERC argued that barring debt collectors from using mail vendors was an impermissible burden on commercial speech in violation of the First Amendment of the U.S. Constitution. Judge Mendoza disagreed, stating that the third-party disclosure exemption provided in the FDCPA is sufficient to allow debt collectors to collect debts. 

The Order can be found here

insideARM Perspective:

Though this is merely a district court opinion and not an appellate opinion from a circuit court, every decision supporting Hunstein makes it harder to claim the original Hunstein opinion was an outlier caused by an improper admission by counsel and bad facts. The more decisions like this we see, the more important it is for ARM entities to examine their risk tolerance and decide what makes sense for their organization. 

There does not seem to be any relief from the absurdity of the Hunstein decision on the horizon. Despite pleas from the ARM industry, an alleged commitment to allow supervised entities to utilize new technology, and explicit references to letter vendors in Regulation F, it has become apparent that the CFPB is staying silent on Hunstein (or maybe their silence speaks very loudly?). Further, since the Eleventh Circuit’s review of Hunstein is limited to the standing issue only, even a favorable opinion likely won’t close the Pandora’s box opened last April.

So, now that we are fourteen months removed from the original Hunstein decision, and the problem has gotten worse, not better, what should ARM entities be doing to protect their organizations?

Should they continue to wait for the issue to be resolved through a court opinion or by a regulatory agency? Should ARM entities bring all letter production in-house despite what it will cost? Does the cost of materials and labor outweigh the potential cost of a class-action lawsuit or death-by-a-thousand-paper-cuts settlements? Or should ARM entities switch to corresponding through email, whether or not their client sends a hand-off letter? It’s important to note here that the hand-off letter cited in Reg F is a ‘safe harbor’ and not a requirement. Is there anything letter vendors can do? Should they start looking at getting collection licenses and engaging directly with creditors? 

I don’t know the answer to these questions; each organization will need to decide its risk tolerance based on its portfolio, business needs, ability, and willingness to fight. They should also consult with outside counsel and consider the difference between what is safe and what is defensible because those are often two different things. What does appear to be clear though, is that there is no knight in shining armor here. There is no fix, and the disease that is Hunstein appears to have spread beyond our ability to control it. 

http://www.insidearm.com/news/00048316-hunstein-fallout-reaches-court-washington/

Credit Eco to Go: The Problem Solving Game of Digital Communications [Podcast]

Show Notes:

Text and email are not digital versions of a letter or a telephone call. There has to be a strategy that includes consumer consent but also a willingness by that same consumer to continue the conversation. Enter Quanta Credit Services, a new innovative digital-first solutions provider that manages communication strategies. Aleks Whitchurch, CEO and Co-Founder of Quanta, stops by the next episode of #creditecotogo to talk about the nuts and bolts of the digital communications journey and the many paths that journey can take. Aleks tells us this is not a volume game but a problem-solving game. Quanta’s data shows that how you treat the consumer and customize the conversation can make a measurable difference.

DISCLAIMER – No information contained in this Podcast or on this Website shall constitute financial, investment, legal and/or other professional advice and that no professional relationship of any kind is created between you and podcast host, the guests or Clark Hill PLC. You are urged to speak with your financial, investment, or legal advisors before making any investment or legal decisions.

http://www.insidearm.com/news/00048317-credit-eco-go-problem-solving-game-digita/

Court Grants Partial Summary Judgment in FCRA Case Based on Statute of Limitations

In Fowler v. Preferred Collection & Mgmt. Servs., No. 8:21-cv-1038-WFJ-AAS (M.D. Fla. May 16, 2022), the court granted in part and denied in part the defendant’s motion for summary judgment as to claims asserted against it under Section 1681s-2(b) of the Fair Credit Reporting Act (FCRA). In doing so, the court weighed in on whether a consumer who lodged a dispute outside of the statute of limitations period can assert claims based on subsequent, similar disputes within the limitations period.

The defendant, Preferred Collection & Management Services (Preferred Collection), is a third-party debt collector. The plaintiff, Angela Fowler (Fowler), alleged that she reviewed her credit report in May 2019 and discovered that Preferred Collection was reporting that she is responsible for 13 accounts related to medical bills totaling $476. On May 18, 2019, Fowler disputed the reporting with one of the consumer reporting agencies (CRAs), asserting that she never received treatment from the medical provider named on the accounts. Fowler again disputed the reporting of the accounts in January 2021, and the CRA responded that Preferred Collection had verified the accounts as accurate. Subsequently, during discovery, Fowler conceded that she first disputed the reporting of the accounts in October 2017 and that some of the damages she claimed, such as being denied employment due to her credit report in November 2017, were related to the 2017 dispute.

On April 30, 2021, Fowler filed suit, alleging that Preferred Collection failed to conduct reasonable investigations of her May 2019 and January 2021 disputes in violation of Section 1681s-2(b).

In partially granting summary judgment in favor of Preferred Collection, the court noted that the two-year statute of limitations in FCRA Section 1681p applies to Fowler’s claims. Based on this, it held that any claims based on alleged violations or damages occurring before April 30, 2019 were time-barred. But this ruling only eliminated a portion of Fowler’s claims. Although the two disputes that were the focus of the complaint raised the same issues as the 2017 dispute, the claims based on the May 2019 and January 2021 disputes were timely because the court held that each notification of a consumer’s dispute from a CRA to a furnisher creates its own duties and corresponding limitations period. This is an issue on which courts have disagreed in recent years.

In addition to finding that Fowler’s claims were only partially barred by the statute of limitations, the court held that a genuine issue of material fact existed as to whether Preferred Collection satisfied its duty to investigate the May 2019 and January 2021 disputes. After receiving notice of the disputes, Preferred Collection matched its internal records to the demographic information provided by the CRA and verified the accounts as belonging to Fowler. In denying the defendant’s motion for summary judgment, the court held that a question of fact existed as to whether merely reviewing internal records is sufficient to satisfy Section 1681s-2(b)’s requirement that furnishers perform “some degree of careful inquiry” after receiving notice of a dispute from a CRA.

http://www.insidearm.com/news/00048313-court-grants-partial-summary-judgment-fcr/

CFPB States That it Did Not Scrap No-Action Letter and Compliance Assistance Sandbox Programs in Connection with its Overhaul of its Office of Innovation and Operation Catalyst

On May 25, 2022, my colleagues, Mike Gordon, John Culhane and Ron Vaske published a blog which reported on a press release issued by the CFPB on the prior day entitled “CFPB Launches New Effort to Promote Competition and Innovation in Consumer Finance.”  The blog stated:

In its press release, the CFPB states that “[a]fter a review of these programs [the No Action Letter (NAL) and Compliance Assistance Sandbox (CAS) programs], the agency concludes that the initiatives proved to be ineffective and that some firms participating in these programs made public statements indicating that the Bureau had conferred benefits upon them that the Bureau expressly did not.”

In lieu of a company filing an application for an NAL or participation in a CAS, both of which apply to an individual company’s specific product offering, the press release encouraged companies, including start-ups, to file rulemaking petitions to ask for greater clarity in particular rules.  The Bureau states that any action taken in response to a rulemaking petition “will apply to all companies in the market.”

The CFPB press release also announced that it “is opening a new office, the Office of Competition and Innovation, as part of a new approach to help spur innovation in financial services by promoting competition and identifying stumbling blocks for new market entrants.  The new office will replace the Office of Innovation that focused on an application-based process to confer special regulatory treatment on individual companies.”

Since the CFPB, in its press release, called the NAL and CAS programs ineffective, indicated companies were mischaracterizing the benefits conferred by such programs, and encouraged companies to file rulemaking petitions going forward, the clear implication was that these programs were being eliminated.

Not so, according to Raul E. Cisneros of the CFPB’s press office.  This is what Mr. Cisneros told me by e-mail on June 3 which he said could be attributed to the Bureau:

At this time, the CFPB has not rescinded the not[sic]-action letter or sandbox programs, and is still taking new applications and processing previously submitted applications.  However, this is not the primary focus of the Office of Competition and Innovation. 

Hmm.  Calling programs ineffective that an agency plans to continue strikes us as an odd way of doing business.  While the CFPB may continue to process new applications, we expect its disparagement of the programs will lead most companies to reassess whether filing an application is worth the investment of time, effort, and cost required to do so.

http://www.insidearm.com/news/00048309-cpfb-states-it-did-not-scrap-no-action-le/

CFPB Critical of Deleting Tradelines

On May 2, 2022, the CFPB issued its Supervisory Highlights for spring 2022 (the “spring 2022 Report”), which highlights legal violations identified by the CFPB’s examinations between July 2021 and December 2021. The findings in the spring 2022 Report cover the areas of auto servicing, consumer reporting, credit card account management, debt collection, deposits, mortgage origination, prepaid accounts, remittances, and student loan servicing. The spring 2022 Report also summarizes recent developments in the CFPB’s supervision program and remedial actions.

Focusing strictly on the area of consumer reporting, the CFPB notes that examiners have found deficiencies in credit reporting companies’ compliance with FCRA dispute investigation requirements and furnisher compliance with FCRA and Regulation V accuracy and dispute investigation requirements. The CFPB notes that in several reviews of credit reporting companies (“CRCs”), examiners found that they failed to conduct reasonable investigations of disputes. Specifically, CRCs deleted thousands of disputed tradelines rather than resolving disputes consistent with the investigation conducted by the furnisher and failed to review and consider all relevant information submitted by the consumer in support of their disputes. In addition, examiners found that CRCs failed to timely notify furnishers after receipt of a dispute and to timely and accurately notify consumers of the results of a dispute reinvestigation.

The CFPB also discusses several deficiencies with regard to credit card furnishers, deposit furnishers, and auto furnishers. The CFPB advises that credit card furnishers erroneously applied Regulation V’s “frivolous” designation to indirect disputes when the FCRA does not allow furnishers to deem indirect disputes as “frivolous.” The CFPB further advises that credit card furnishers sent incorrect indirect dispute investigation results to CRCs. Moreover, the CFPB notes that credit card furnishers failed to communicate the results of their investigations in response letters to direct disputes and failed to send updating or correcting information to CRCs after making a determination that the reported information was incomplete or inaccurate.

Lastly, the CFPB identifies violations of Regulation V’s requirement that all furnishers establish and implement reasonable written policies and procedures regarding the accuracy and integrity of the information relating to consumers. The CFPB emphasizes that furnishers must consider and incorporate, as appropriate, the guidelines of Appendix E to Regulation V when developing their policies and procedures, which address key business functions, such as record retention, training, third-party oversight, and receipt of feedback from CRCs and others. The CFPB identifies the following violations of the Regulation V requirement for reasonable written policies and procedures with respect to credit card furnishers:

  • Failure to specify how particular data fields, such as the date of first delinquency, should be populated when furnishing information about credit card accounts.
  • Failure to provide for the retention of records for a reasonable period of time to substantiate the accuracy of consumer information furnished to CRCs.
  • Failure to perform account level analyses to determine which accounts should be reported in bankruptcy status after a consumer informs the furnisher of a bankruptcy filing.

Given that the CFPB included similar findings relating to credit reporting in its summer 2021 edition of Supervisory Highlights, it is apparent that the CFPB has a continuing interest in furnishers’ compliance with credit reporting, as well as their written policies and procedures. Therefore, it is imperative that furnishers re-review written credit reporting policies and procedures and ensure that such policies are being followed.

http://www.insidearm.com/news/00048306-cfpb-critical-deleting-tradelines/

California DFPI Proposes Extensive Rules Relating to Companies’ Responses to Consumer Complaints

On May 20, California’s Department of Financial Protection and Innovation (DFPI or Department) announced that it had filed a Notice of Proposed Rulemaking with the Office of Administrative Law, inviting public comments on the proposed rulemaking. The purpose of the proposed regulations is to implement, interpret, clarify, and make specific, certain sections of the California Consumer Financial Protection Law (CCFPL) that impose requirements on covered companies to respond to consumer complaints and report information about those complaints and responses to the DFPI.

Specifically, the DFPI is proposing to make explicit what it means to provide a timely response to consumers and to the Department regarding complaints against or inquiries concerning a covered person and received by the covered person. Covered persons are expected to have appropriate procedures to review, investigate, respond to, track, and report consumer complaints and inquiries. Notably, these proposed procedures apply to complaints received directly by a company — they are not limited to complaints submitted to the DFPI.

For each complaint, covered persons must provide the complainant with a written acknowledgment of receipt. Under the proposed rules, the written acknowledgment of receipt shall advise that the complaint has been received and shall include the date of receipt, a unique tracking number to identify the complaint in subsequent communications, and the telephone number and email address that can be used to contact the appropriate representatives of the covered person who have been designated to handle the complaint. The timing and manner of providing this acknowledgment would vary depending on the channel through which the complaint was received:

Emailed complaints or complaints received via the internet. 

Covered persons would be required to provide the complainant, within one calendar day after receiving the complaint, an email confirming that the electronic submission of the complaint was successful and, within five calendar days after receiving the complaint, an email message with the written acknowledgement of receipt. Both email messages would be required to be sent from the email address provided to the complainant, and they may be combined if provided within one calendar day after receiving the complaint.

Complaints received via postal mail. 

The proposed rules would require that covered persons provide the written acknowledgment of receipt via postal mail within seven calendar days of receiving the complaint.

Complaints received via telephone. 

Under the proposed rules, covered persons would orally provide the complainant with a unique tracking number to identify the complaint and, within seven calendar days of receiving the complaint, provide via postal mail a written acknowledgment of receipt.

The proposed rule would allow written acknowledgments to be combined with the issuance of a final decision if the final decision is issued within the required time period for the acknowledgment.

Covered persons would also be required to maintain a written record of each complaint for at least five years from the time the complaint was initially filed. The written record mandated by the proposed rules is fairly extensive and includes:

  1. A unique tracking number.
  2. The name, phone, address, and email address (if provided).
  3. The name of the financial service or product involved.
  4. The name of the covered person or third party identified as the subject of the complaint.
  5. For oral complaints, the name of the representative who documented the complaint.
  6. The date the complaint was received.
  7. The date the covered person provided the acknowledgement of receipt.
  8. The dates of any investigation.
  9. The dates of all responses to the complaint.
  10. The nature and details of the complaints.
  11. If no investigation was performed, the names of all persons who decided not to investigate, and the reason why the investigation was not needed.
  12. The results of any investigation.
  13. Any corrective action.
  14. A copy of (or an electronic link to) all contracts, correspondence, and other relevant information upon which the covered person relied to reach his or her final decision.
  15. A copy of all written responses and summaries of all oral responses, including an explanation of the final decision regarding the complaint.

In addition, covered persons would be required to submit to the Department a quarterly complaint report, including the total number of complaints received, total number of complaints for which a final decision was issued (broken out by “within 15 calendar days,” “between sixteen and sixty calendar days,” and “more than 60 calendar days”), which shall be made available to the public. The report would be required to include information regarding all complaints received by the covered person, including complaints forwarded by the Department. Under the proposed rules, the report should be prepared for the quarters ending March 31, June 30, September 30, and December 31 of each calendar year, verified by an officer authorized to act on behalf of the covered person, and filed with the Consumer Financial Protection Division no later than 30 calendar days after the end of each quarter.

The comment period on the proposed rules is open until July 5.

http://www.insidearm.com/news/00048303-california-dfpi-proposes-extensive-rules-/

Thriving in a Highly Regulated Environment

Medical debt collection has become a trending topic among state legislatures and federal regulators alike.  New legislation and regulations are systematically eroding asset value for healthcare providers. In the past year, we have seen California, Maryland, Nevada, and New Mexico enact new laws. Colorado and New York appear to be on the path to do so as well. To add insult to injury, the Consumer Financial Protection Bureau (CFPB) continues to aggressively focus on medical debt as well.

Below is an overview of the legislation and regulations that are dictating change in the world of healthcare collections today. While challenging, the new landscape is not impassable.  

California

Effective as of January 1, 2022, California Assembly Bill No. 1020 (amending California Civil Code Section 1788.14) requires, among other things, that general acute care hospitals licensed pursuant to Health & Safety Code Section 1250 send a notice to debtors as required by Health & Safety Code Section 127425(e). This notice is to contain:

  • The date or dates of service of the bill that is being assigned to collections or sold.
  • The name of the entity the bill is being assigned or sold to.
  • A statement informing the patient how to obtain an itemized hospital bill from the hospital.
  • The name and plan type of the health coverage for the patient on record with the hospital at the time of services or a statement that the hospital does not have that information.
  • An application for the hospital’s charity care and financial assistance.
  • The date or dates the patient was originally sent a notice about applying for financial assistance, the date or dates the patient was sent a financial assistance application, and, if applicable, the date a decision on the application was made.

California Civil Code Section 1788.14 now prohibits debt collectors from collecting hospital debts without including, in the first written communication with a consumer, a copy of the notice that the hospital is required to send its patient prior to assigning the debt for collections or selling the debt to a debt buyer. In addition, debt collectors must include in their first written communication with consumers a statement that the debt collector will wait at least 180 days from the date the consumer was initially billed for the hospital services that are the basis of the debt before reporting adverse information to a credit reporting agency or filing a lawsuit against the consumer.

The new law also raised the income level for hospital charity care eligibility to 400% of the federal poverty level, allows patients with high medical costs to get some form of charity care or discount, and requires hospitals to prominently display a notice of the hospital’s financial assistance policy for patients on its website.

Maryland

Maryland (Senate Bill 514 and House Bill 565) now requires hospitals to submit their policy on the collection of patient debts each year to the Health Services Cost Review Commission. Hospitals are also restricted from taking certain actions – such as charging interest or fees on debts incurred by certain patients – when attempting to collect their past due accounts. Hospitals are further prohibited from reporting a debt to the credit reporting agencies or filing a lawsuit to collect the debt within 180 days after the initial bill is provided.

Nevada

Nevada Senate Bill 248 (amending Chapter 649 of the Nevada Revised Statutes) became effective July 1, 2021. It requires collection agencies to send a certified letter to the consumer with certain disclosures prior to the commencement of collection efforts. There can be no collection or credit reporting for 60 days thereafter.

The statute, in part, reads:

Sec. 7.

1. Not less than 60 days before taking any action to collect a medical debt, a collection agency shall send by registered or certified mail to the medical debtor written notification that sets forth:

(a) The name of the medical facility, provider of health care or provider of emergency medical services that provided the goods or services for which the medical debt is owed;

(b) The date on which those goods or services were provided; and

(c) The principal amount of the medical debt.

2. The written notification required by subsection 1 must:

(a) Identify the name of the collection agency; and

(b) Inform the medical debtor that, as applicable:

(1) The medical debt has been assigned to the collection agency for collection; or

(2) The collection agency has otherwise obtained the medical debt for collection.

The statute also prohibits suing on medical debts less than $10,000 and prevents charging any fee of more than 5% of the amount of the medical debt.

New Mexico

New Mexico enacted the Patients’ Debt Collection Act (Senate Bill 71), which prevents health care providers from sending medical bills to collections or filing medical debt lawsuits against individuals whose household income is at or below 200% of the federal poverty level. Health care facilities must take certain steps before seeking payment for emergency or medically necessary care (including offering certain information and assistance to patients).

Colorado

Colorado House Bill 1285 is moving closer to becoming a reality as it is seeing strong bipartisan support. The bill would prohibit hospitals that are not in compliance with a price transparency rule that went into effect in January 2021 from placing debts with third-party collection agencies, filing lawsuits to collect on unpaid debts, and reporting debts to credit reporting agencies. Published reports indicate that most hospitals in Colorado are currently not in compliance with the price transparency rule.

New York

New York passed an anti-garnishment and anti-lien bill (Senate Bill S.6522A) for certain medical debts. The bill prohibits nonprofit hospitals and healthcare providers from imposing and enforcing liens on a patient’s primary residence to satisfy judgments in medical debt lawsuits. It also prohibits nonprofit hospitals and healthcare providers from securing wage garnishments to satisfy such judgments. The governor is likely to sign it into law shortly.

CFPB and Credit Reporting

The CFPB has also been making waves by issuing bulletins, reports, and press releases criticizing medical debt collections and credit reporting.[1] [2] [3]

In response, the three major credit reporting agencies (Equifax, Experian, and TransUnion) announced that they will:

  • As of July 1, 2022, remove medical debts paid by consumers. Furnishers are still expected to report paid medical collections with a status code 62 (and the removal will be done directly by the credit reporting agencies).
  • As of July 1, 2022, extend the waiting period before furnishing medical debt from 180 days to one year (past the date of first delinquency). Furnishers will have to wait until this time period expires before reporting the debt.
  • As of March 30, 2023, stop reporting medical debts under $500. Furnishers will have to suppress such reporting.

The credit reporting agencies may have preemptively taken this approach to avoid more draconian regulatory action by the CFPB.

Conclusion

Collecting medical debt has become more difficult in the past year. Increased regulation of medical debt has prevented many providers from receiving adequate value on their past-due accounts receivable.  Utilizing a patient-centric approach to recoveries and complying with all applicable laws can help ensure the effective liquidation of nonperforming receivables.

———————-

Disclaimer: This article is presented for educational and general informational purposes only. Neither Cascade365 nor the author represent or warrant that the content is accurate, complete, or current for any specific or particular purpose or application. This content is not intended to serve as legal or other advice and should not replace the advice of your own legal counsel. Cascade365 is the sole owner of the content and all associated copyrights.

[1] https://www.consumerfinance.gov/about-us/newsroom/cfpb-issues-bulletin-to-prevent-unlawful-medical-debt-collection-and-credit-reporting/

[2] https://www.consumerfinance.gov/about-us/newsroom/cfpb-estimates-88-billion-in-medical-bills-on-credit-reports/

[3] https://www.consumerfinance.gov/about-us/newsroom/prepared-remarks-of-director-rohit-chopra-on-new-cfpb-medical-debt-report/

Thriving in a Highly Regulated Environment
http://www.insidearm.com/news/00048295-thriving-highly-regulated-environment/

Executive Q&A: A Conversation with Steve Akers, CSO/CTO of TECH LOCK Inc.

PCI DSS 4.0 will replace the current operating version on March 31, 2024, and while most of the changes are a simple codification of best practices, organizations should discuss those changes internally and with their service providers now.

Learn how the changes in PCI DSS 4.0 might affect your organization, and how much complying with those changes might cost, in this Executive Q&A with Steve Akers, CSO and CTO of TECH LOCK, Inc.





Erin Kerr (EK) (00:07): Hi everyone. And thank you for joining me for this episode of our Executive Q&A. I am here today with Steve Akers, CSO and CTO of TECH LOCK Inc. Steve, how are you doing today?


Steve Akers (SA) (00:18): I’m doing great. How are you?


EK (00:19): I am doing really well. Today, we’re going to talk a little bit about what you need to know about PCI DSS 4.0. 


Before we get started, why don’t you tell us a little bit about yourself?


SA (00:31): As mentioned, I’m the Chief Security and Technology Officer here at TECH LOCK. I’ve been doing cyber security and compliance for 25 plus years. I’ve been a serial entrepreneur and I’ve been in the space for a really long time, from both sides of the table, whether on the end-customer side, or on a service provider side. I’ve seen both of those areas and bring a lot of experience to this discussion.


EK  (01:00): I’m excited to get into the topic. Before we get into some of the more difficult questions, why don’t you tell me: what is PCI DSS 4.0?


SA (01:11): The Payment Card and Industry Data Security Standard has been around for a long time, and it goes through iterations.


The most current, active iteration is 3.2.1. It’s been out there for a while, and every so often the PCI Security Standard Council will go through review and decide it’s time to update it, it’s time to modernize the standard to better align it with modern threats and attacks and different types of security technologies that are available. 4.0 is the most recent one, which was released a little bit earlier this year.


EK  (01:44): It sounds like the industry has been operating at the same standard for a while, so making a transition might be difficult for some people. How hard will that transition be?


SA (01:57): The biggest concern for most clients will be the new requirements. There are 13 new requirements that are effective for anyone who wants to be assessed under 4.0, but the remainder of those new requirements really aren’t applicable until March of 2025. So, you have some time.


[Of the 13 new requirements] most are focused on things like better documentation, assignment, and training related to roles and responsibilities. For many organizations, this has been part of their overall good cybersecurity practices anyway, so it shouldn’t be too difficult to achieve. Even if they haven’t been doing that, for the remainder [of requirements] that are effective in March of 2025, there are definitely some more technical and procedural controls that will require planning and discussion, much like what happened when PCI DSS first came onto the scene. The lead time should be enough for organizations to meet these [new requirements]. The key will ultimately be not to wait until the last minute, and having a plan for moving your organization forward.


EK  (03:05): It sounds like there’s a little bit of time to prepare, but how much change will this cause in our environment?


SA (03:12): The first thing to consider when answering that question is “what’s changed in the standard itself?” 


There are over 70 evolving requirements, which means that fundamentally, they’re asking organizations to do something different than before, either through a new requirement entirely, or by adding a bullet point to a previous requirement. 


Of those new requirements, around 47% are really policy and procedure related. 41% will be technology related, meaning there’s something new that they’ll need to do from a technical perspective. Thirteen are what I call assessment related. There’s additional assessments that they want you to [be prepared for]. Policy procedures and assessment components are changes, but I don’t think that they’re daunting for anyone who is already compliant.


As I mentioned earlier, the technical requirements will have some impact and really require organizations to modernize how they’re protecting their environments, their users, and how they protect what’s called the CDE or PAN data.


When you kind of move out of the requirements, the next category is what they call classification or guidance. What this really means is that the requirement hasn’t changed; rather the Security Standards Council felt that they needed to clear things up. They’re getting rid of some of the interpretation. For example, if you look at an old requirement like 1.7, basically it says you need to review your firewall rules every six months. Most people understand that, but what it didn’t say is what you should really be looking for during that review. Now in 4.0, that requirement is now 1.2.7, and it replaces the word firewall with NSC or network security controls. They did that because they wanted to encompass cloud environments that don’t have the traditional kind of firewall that most people are used to.


The guidance makes it more clear what you should be reviewing. Arguably in 4.0, what they’re asking for here is probably what you should have been doing all along. For organizations that have been doing this properly, the change shouldn’t be difficult, but [the change] gives more guidance, which I think is really important. Ultimately the remainder of the changes that are included in the standard are really more structural, and really don’t have any material impact for anyone that’s already compliant.


EK  (05:43): Well, that’s good news. It sounds like it’s a codification of what most folks should already be doing, which leads me to my next question. How much more is this going to cost?


SA (05:54): We get that question asked all the time and I wish it was more clear cut, but it really comes down to a few concepts. 


First, it’s about internal technologies. Organizations that have leveraged technologies that are not modern, like a legacy antivirus, or a basic logging or outdated point of sales or payment card software, etc., may find the cost to be higher to meet 4.0 organizations. They need to begin looking at all of these soon so they can prepare. Sometimes upgrading is the best path, but organizations have been reluctant to upgrade if everything worked and it met the requirements, so 4.0 is forcing those changes. 


The second concept is really about your service providers. Organizations need to get ahead of 4.0 and their service providers now to understand if and how those service providers plan to, or are currently meeting 4.0 requirements. A number of the new requirements are very specific to service providers. So [organizations] need to get enough clarity from those service providers that allows them to properly plan for the changes and version upgrades, maybe even changing service providers if they don’t like the answers. Obviously if you do some of those things, that could incur costs that were not necessarily in the original plan.


The last concept is really around risk analysis and testing requirements earlier. Depending upon your maturity and confidence, this may be something that you would’ve liked to have that you might want to have accomplished by a third party. It’s certainly not required, but this could be an additional cost. Even if it’s to build it out for the first time, that was not necessarily something that [an organization] budgeted for.


As for any absolute number of ranges, unfortunately, there’s just not enough data and evidence to give a realistic gauge to say exactly how much it will cost, because it can vary so widely, given some of the concepts that I’ve talked about.


EK (07:52): It sounds like it will really depend on the size of the organization and what that organization needs, and how far they are already along in compliance.


SA (08:00): Certainly.


EK  (08:03): I think you might have mentioned this a little bit earlier, but when are we required to be assessed against version 4.0?


SA (08:11): First, no one can be officially assessed until the actual QSAs have been properly trained in 4.0. Even though it’s been released, they’re supposed to kick off the training here in Q2.


But right now, no one will have to officially align with 4.0 until Q1 of 2024. What I’ve been telling clients and other people that we’ve been talking to is that by the end of 2023, you want to make sure that you have all your ducks in a row, and that you have everything set and aligned with 4.0. Like I said, with 4.0, there are 13 new requirements that are effective immediately if you’re going to measure yourself under 4.0. Then there’s another subset of requirements that are effectively required by March of 2025.


You’ve got some time, but the first date that will really matter for most organizations is Q1 of 2024.


EK  (09:17): Like you mentioned, [organizations] have some time to get their ducks in a row, but I think sometimes those far off deadlines can be a bit of a curse, because folks don’t see [those deadlines] as an emergent need. Then all of a sudden that deadline is knocking on the door. 


Steve, is there anything else you’d add for the audience about PCI DSS 4.0?


SA (09:39): I think you touched on it. [Organizations] should start planning now. Some of these things will be different than what they’ve already had in place today. If you’re not sure about how certain requirements apply, or if you have the technology that would even align with this [requirement], you should reach out to your trusted advisors and ask those questions. Certainly we would love to be part of that too, but if you’ve got somebody that you really trust to go, talk to them now to get ahead of it.


As I alluded to earlier, all the other people that are part of your cardholder environment and part of your payment processing, etc., [get those conversations] set up today. So that way you’ll know what their lead time might be and whether or not that could theoretically impact your organization.


EK  (10:23): That’s great advice, Steven. Thank you so much for talking with me about this really important topic that people should really get in front of, especially as, like I said, those deadlines come knocking. 

Thanks so much again for your time, and thanks to the audience for tuning in to this episode of Executive Q&A.

Executive Q&A: A Conversation with Steve Akers, CSO/CTO of TECH LOCK Inc.

http://www.insidearm.com/news/00048291-executive-q-conversation-steve-akers-csoc/