One way reporting changes in v4.0 is that it introduces a process for when you miss a requirement with a defined frequency and how that miss can still be considered as meeting your compliance requirements. It’s not a “get out of jail free” card, and it’s not an excuse to miss PCI requirements. But we all know that things happen. So make sure when planning for v4.0 you have a process for any PCI activities with a specified or periodic frequency that includes:
- A prompt notification when a task is not performed at its defined frequency
- A process to determine the events that led to missing the scheduled activity
- Performing the activity as soon as possible after it is missed and then either getting back on schedule or creating a new schedule
- Documenting all of the above points
But, if you don’t have these processes or the task was missed because of oversight, mismanagement, or because you didn’t have any monitoring that would let you meet the first bullet point, you’re unlikely to be able to demonstrate your compliance with the missed requirement until:
- You document the process to make sure the task is performed on time
- You re-establish your schedule
- You provide evidence you’re back on schedule (e.g. you perform the task on schedule and provide evidence of this)
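As an added example (not code from the original post), here is a small Python tracker covering both lists above: it flags activities that were not performed at their defined frequency, refuses to close out a late activity without a documented cause, and re-establishes the schedule either on the original cadence or from the catch-up date while keeping an evidence log. The activity names, dates and field names are assumptions for illustration.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional

@dataclass
class PeriodicActivity:
    """One PCI activity with a defined frequency (e.g. a quarterly scan).
    Sample values passed in by the caller are constructed, not real."""
    name: str
    frequency_days: int
    next_due: date
    last_performed: Optional[date] = None
    log: list = field(default_factory=list)  # evidence trail kept for the assessor

def overdue_report(activities, today):
    """Prompt notification: every activity not performed by its due date,
    with how many days it is overdue. Run this daily from a scheduler."""
    return [(a.name, (today - a.next_due).days)
            for a in activities if today > a.next_due]

def perform(activity, performed_on, root_cause=None, realign=True):
    """Record a completed activity. A late completion must carry the
    root cause that led to the miss; the schedule is then either put
    back on its original cadence (realign=True) or restarted from the
    catch-up date (realign=False). Returns the new due date."""
    late = performed_on > activity.next_due
    if late and not root_cause:
        raise ValueError(f"{activity.name}: missed on {activity.next_due}; "
                         "document the cause before closing it out")
    activity.log.append({
        "due": activity.next_due.isoformat(),
        "performed": performed_on.isoformat(),
        "late": late,
        "root_cause": root_cause,
    })
    activity.last_performed = performed_on
    step = timedelta(days=activity.frequency_days)
    if late and not realign:
        activity.next_due = performed_on + step      # new schedule from catch-up date
    else:
        activity.next_due += step                    # keep the original cadence
        while activity.next_due <= performed_on:     # skip whole periods already missed
            activity.next_due += step
    return activity.next_due
```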
Start looking at your processes now so you can figure out how to get notifications to keep your regularly scheduled tasks on time and minimise the risk of falling out of compliance.