How to Keep Your Legacy Systems Compliant Under PCI DSS 4.0

When King George V died in 1936, he probably expected to smoothly pass his crown onto his eldest son, who would be crowned the new king. Everyone in the United Kingdom was comfortable with how the legacy of the constitutional monarchy worked, by that point, so they likely hoped for a smooth transition.

However, King Edward would abdicate the British throne in less than a year, throwing the country into a constitutional crisis. Despite the surprise, the U.K. did quickly find a way forward through his younger brother and the country forged forward in history.

Reminiscent of Britain’s comfort in their legacy monarchy, you’ve grown used to PCI DSS v3.2.1. And like our allies across the Atlantic back in 1936, you are hoping for a smooth transition to v4.0 in maintaining compliance for your legacy systems.

PCI DSS v3.2.1 may be the way you’ve done it for years, but PCI DSS v4.0 is here now. While your business environment is not a kingdom, there is a cautionary tale here. To avoid the kind of chaos the U.K. endured while they sorted out who was going to run the country back then, it’s going to be very important that you understand all the new aspects of this new standard going forward.

That includes how it affects the compliance of your legacy systems.

At Schellman, we’ve had some time to parse through the complexities of this game-changing PCI DSS v4.0, and we’re doing our best to deconstruct everything we can for you as we all get used to the new way of doing things.

That’s why we’re going to outline how to keep your legacy systems compliant with the new requirements of PCI DSS v4.0. In this article, we’ll delve into the particular challenges this new standard will pose for these kinds of systems, as well as suggested courses of action to mitigate them.

It’ll be up to you to do the work, but after reading this, you’ll be likelier to avoid a King Edward situation where one of these systems abruptly falls out of compliance and affects your assessment.

What are the Challenges with Legacy Systems in PCI DSS Compliance?

If you’ve been in payment security for a while, you know that keeping older systems compliant under the PCI DSS has always had its challenges. Even now, your problems might range from:

  • Vulnerability/patch management support;
  • Authentication and password limitations;
  • Hardware support; and
  • Closed proprietary technologies that do not easily communicate under more modern architectures.

All that, plus everything in-between, including problems keeping your staff trained and knowledgeable regarding these older systems.

The easy solution would be to abandon the legacy system and adopt a new one, right? But in practice, that’s often not such a simple choice. It’s likely your legacy system is also a core system for your business, and replacing it would be no small undertaking. Thinking about the transition costs alone probably has you grimacing.

The point is that you’re keeping your legacy systems around. And if you’re doing that, there will be plenty of opportunities to run afoul of the PCI DSS. But while previous revisions of the PCI DSS probably caused some stress in keeping such a system compliant, we’re going to do our best to ensure this one makes for a less painful change for you.

How Does PCI DSS v4.0 Affect Legacy Systems?

So, what are your options with PCI DSS 4.0 and your legacy systems? What are the specific new challenges? Among all the new updates in this revision, there are some things you’ll need to address specific to your legacy systems.

Chief among these will be:

  • New Technical Requirements: Your systems may not even be able to comply due to their specific design limitations, particularly when it comes to items like the new multi-factor authentication and password requirements.
  • New Governance Requirements: PCI DSS now mandates increased risk analyses, but your legacy systems may have specific control weaknesses in this area.
  • New Architectural Requirements: Similar to the concerns over new technical requirements, your overall legacy design may not support newly required controls such as segmentation for multiple customers. 

What Does PCI DSS v4.0 Suggest to Help Keep Your Legacy Systems Compliant?

That was the bad news. Now for the good.

Fortunately, there are some clearly defined things you can do in addressing these challenges of PCI DSS v4.0:

  • Perform Targeted Risk Analysis. This is the number one thing that you need to do first.
    • As required under the PCI DSS 4.0, targeted risk analysis could serve a variety of circumstances (e.g., if you wanted to define the cadence and/or frequency of a control).  
    • While there are no specific requirements mandating a targeted risk analysis for legacy systems, per se, such an analysis would prove very useful for identifying threats, vulnerabilities, and risks while also gauging them against the compliance requirements of the PCI DSS.
  • Implement Required Upgrades in Advance of PCI DSS 4.0.
    • You may already know of some updates you need to install, and some others may emerge from your targeted risk analysis.
    • In either case, these required upgrades must be in place by the time of your first PCI DSS v4.0 assessment.
  • Update any Current Compensating Controls for PCI DSS 4.0.
    • Are you using compensating controls for your legacy system under PCI DSS 3.2.1? It’s time to identify, revise, and update them for version 4.0. These compensating controls should be included in any targeted risk analysis.
  • Determine if You Need a Customized Approach.
    • This may be necessary if you find that the compensating control model is insufficient for use in your system(s) to satisfy the new 4.0 requirements.  
    • If this does become the case, be advised that taking a customized approach for a requirement is not a trivial matter and will take considerable planning and effort to execute successfully.
  • Engage in a PCI DSS 4.0 Readiness Assessment.
    • Not only can you tailor a readiness assessment to take special considerations for legacy systems, but you can also use it to help identify other specific areas of weakness. Readiness results can provide better direction on what you should prioritize ahead of your first PCI DSS v4.0 assessment.
    • If this is a route you’d like to explore, please feel free to contact us. In a conversation we’ll set up, we can go over what a readiness assessment looks like for your organization. 

Moving Forward in Your Transition to PCI DSS 4.0

PCI DSS is making major changes through its new version, and keeping your legacy systems compliant may seem as complicated as King Edward’s abdication made Britain’s royal family relations.

These older systems may be as ingrained in your business as the monarchy is in the U.K., and that means there’s no getting around their challenges in compliance. But now you at least know what in particular to address regarding your legacy systems as well as potential ways to mitigate those hurdles.

To ensure you address all the new specificities of PCI DSS v4.0, read our other articles:

The information in these will help you maintain your path to compliance under this new standard, and they’ll also provide some more direction on preparation.

But if you find that you would rather talk it out with someone, please email our PCI team directly at pci@schellman.com. Together, we will work through the effects of this version on your organization so that you feel more comfortable heading into the transition.

About the Author

David Moody

David Moody, FRAS is a Senior Associate with Schellman & Company, LLC. Prior to joining Schellman, David worked in various areas of IT consulting, PCI, GLBA, and FISMA assessments, public accounting, litigation support, journalism, and higher education. David is a CPA, and holds additional CISSP, CISA, QSA, and PA-QSA certifications. He has over 30 years of experience serving global clients in various industries including telecommunications, banking, financial services, construction, retail, and not-for-profit charities.

More Content by David Moody
Previous Video
Keeping An Eye On PCI - Review of PCI DSS V4.0
Keeping An Eye On PCI - Review of PCI DSS V4.0

Next Article
Factoring In the New Multi-Factor Authentication Requirements in PCI DSS 4.0
Factoring In the New Multi-Factor Authentication Requirements in PCI DSS 4.0

MFA has expanded in a big way under PCI DSS v4.0. Read our breakdown on the newly transformed requirements ...