PCI DSS v4 Core 12 Requirements – Part 2

PCI DSS 4.0 Requirement 7 -  Requirement  12 covers multiple aspects, like restriction on the cardholder data, network and user access, testing of ongoing systems and how organizations maintain their infosec policy.

Requirement 7 : Restrict Access to System Components and Cardholder Data by Business Need to Know

  • Organizations needs to establish a robust Processes and mechanisms for restricting access to system components and cardholder data by business need to know are defined and understood
  • Access to system components and data is appropriately defined and assigned
  • Access to system components and data is managed via an access control system(s).

Requirement 8 : Identify Users and Authenticate Access to System Components

  1. Organizations needs to establish a robust Processes and mechanisms for identifying users and authenticating access to system components are defined and understood
  2. User identification and related accounts for users and administrators are strictly managed throughout an account’s lifecycle
  3. Strong authentication for users and administrators is established and managed
  4. Organization must enforce multi-factor authentication (MFA) is implemented to secure access into the CDE
  5. Organization must enforce multi-factor authentication (MFA) systems are configured to prevent any misuse.
  6. Use of application and system accounts and associated authentication factors is strictly managed.

Requirement 9 : Restrict Physical Access to Cardholder Data

  1. Organizations needs to establish a robust Processes and mechanisms for restricting physical access to cardholder data are defined and understood.
  2. Physical access controls manage entry into facilities and systems containing cardholder data.
  3. Physical access for personnel and visitors is authorized and managed.
  4. Media with cardholder data is securely stored, accessed, distributed, and destroyed.
  5. Point of interaction (POI) devices are protected from tampering and unauthorized substitution

Requirement 10 : Log and Monitor All Access to System Components and Cardholder Data

  1. Organizations needs to establish a robust Processes and mechanisms for logging and monitoring all access to system components and cardholder data are defined and documented.
  2. Audit logs are implemented to support the detection of anomalies and suspicious activity, and the forensic analysis of events.
  3. Audit logs are protected from destruction and unauthorized modifications.
  4. Audit logs are reviewed to identify anomalies or suspicious activity.
  5. Audit log history is retained and available for analysis.
  6. Time-synchronization mechanisms support consistent time settings across all systems.
  7. Failures of critical security control systems are detected, reported, and responded to promptly.

Requirement 11 : Test Security of Systems and Networks Regularly

  1. Organizations needs to establish a robust Processes and mechanisms for regularly testing security of systems and networks are defined and understood.
  2. Wireless access points are identified and monitored, and unauthorized wireless access points are addressed.
  3. External and internal vulnerabilities are regularly identified, prioritized, and addressed
  4. External and internal penetration testing is regularly performed, and exploitable vulnerabilities and security weaknesses are corrected
  5. Network intrusions and unexpected file changes are detected and responded to.
  6. Unauthorized changes on payment pages are detected and responded to.

Requirement 12 : Support Information Security with Organizational Policies and Programs

A comprehensive information security policy that governs and provides direction for protection of the entity’s information assets is known.

  1. Acceptable use policies for end-user technologies are defined and implemented
  2. Risks to the cardholder data environment are formally identified, evaluated, and managed.
  3. PCI DSS compliance is managed
  4. PCI DSS scope is documented and validated
  5. Security awareness education is an ongoing activity
  6. Personnel are screened to reduce risks from insider threats
  7. Risk to information assets associated with third-party service provider (TPSP) relationships is managed
  8. Third-party service providers (TPSPs) support their customers’ PCI DSS compliance
  9. Suspected and confirmed security incidents that could impact the CDE are responded to immediately


Stay Tuned, for more information and updates on payment security !!


LinkedIn Youtube

We use cookies to enhance your user experience. By continuing to browse, you hereby agree to the use of cookies. To know more; visit our Privacy Policy & Cookies Policy.

X