The PCI Security Standards Council (PCI SSC) has published the latest update to the standard, PCI DSS v4.0, which significantly shifts the focus towards outcome-based requirements. The core 12 PCI DSS requirements remain fundamentally unchanged in the revised version, but they have been realigned to address much more directly how the security controls should be implemented.
PCI DSS v4.0 introduces a number of changes and options for implementing and validating PCI DSS requirements.
Requirement 1 : Install and Maintain Network Security Controls. Network security controls such as firewalls and other network security technologies (VPCs, security groups) help entities control the traffic flowing into and out of their network and between internal network segments, whether those segments are separated physically or logically.
- Organizations need to establish robust processes and mechanisms for installing and maintaining network security controls; these should be defined and communicated to all stakeholders.
- Network security controls (NSCs) should be securely configured and maintained regularly.
- Network access to and from the cardholder data environment is restricted with predefined rules and policies.
- Network connections between trusted and untrusted networks are controlled.
- Risks to the CDE from computing devices that are able to connect to both untrusted networks and the CDE are mitigated.
Requirement 2 : Apply Secure Configurations to All System Components, such as firewalls, routers, switches, applications, databases, other network security devices, and end-user devices.
- Organizations need to establish robust processes and mechanisms for applying secure configurations to all system components; these should be defined and understood.
- System components are configured securely and managed securely.
- If the organization uses any wireless environments, those environments are configured and managed securely.
Requirement 3 : Protect Stored Account Data, such as Cardholder Data (CHD) and Sensitive Authentication Data (SAD).
- Organizations need to establish robust processes and mechanisms for protecting stored account data; these should be defined and understood.
- Storage of account data is kept to a minimum as per the business and regulatory requirements.
- Sensitive authentication data (SAD) is not stored after authorization even if it is encrypted.
- Access to displays of full PAN and ability to copy cardholder data are restricted.
- Primary account number (PAN) is secured wherever it is stored.
- Cryptographic keys used to protect stored account data are secured.
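As an added illustration of the Requirement 3 outcomes above (example code written for this page, not from PCI SSC or the original article): a Python sanitizer that drops sensitive authentication data from a transaction record before it is stored and masks the PAN so only the BIN and last four digits remain. The record layout, field names and the 4111... test card number are assumptions.

```python
import re
from copy import deepcopy

# Field names treated as sensitive authentication data (SAD); assumed names.
# Requirement 3: SAD must not be retained after authorization, even encrypted.
SAD_FIELDS = {"cvv", "cvv2", "cvc", "track1", "track2", "pin", "pin_block"}


def luhn_valid(digits: str) -> bool:
    """Luhn check, used so that arbitrary numbers are not mistaken for PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Mask a PAN for display: keep the first six (BIN) and last four digits,
    a conservative choice within v4.0's BIN-plus-last-four display limit."""
    digits = re.sub(r"\D", "", pan)
    if not (13 <= len(digits) <= 19) or not luhn_valid(digits):
        raise ValueError("not a plausible PAN")
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def sanitize_for_storage(record: dict) -> dict:
    """Return a copy of a transaction record that is safe to persist: SAD
    fields removed and the full PAN replaced by its masked form. (Where the
    full PAN must be retained it belongs in an encryption or tokenization
    service, which this example assumes exists and does not show.)"""
    safe = deepcopy(record)
    for key in list(safe):
        if key.lower() in SAD_FIELDS:
            del safe[key]
    if "pan" in safe:
        safe["pan_masked"] = mask_pan(safe.pop("pan"))
    return safe


# Constructed sample record; 4111... is a well-known test number, not real data.
SAMPLE = {"pan": "4111 1111 1111 1111", "expiry": "12/29", "cvv": "123",
          "track2": "4111111111111111=29121011000012345678", "amount": "19.99"}

if __name__ == "__main__":
    print(sanitize_for_storage(SAMPLE))
```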
Requirement 4 : Protect Cardholder Data with Strong Cryptography During Transmission Over Open, Public Networks.
- Organizations need to establish robust processes and mechanisms for protecting cardholder data with strong cryptography during transmission over open, public networks; these should be defined and documented.
- PAN is protected with strong cryptography during transmission.
Requirement 5 : Protect All Systems and Networks from Malicious Software, such as viruses, worms, Trojans, spyware, and rootkits.
- Organizations need to establish robust processes and mechanisms for protecting all systems and networks from malicious software; these should be defined and understood.
- Malicious software (malware) is prevented or detected and addressed.
- Anti-malware mechanisms and processes are active, maintained, and monitored.
- Anti-phishing mechanisms protect users against phishing attacks.
Requirement 6 : Develop and Maintain Secure Systems and Software
- Organizations need to establish robust processes and mechanisms for developing and maintaining secure systems and software; these should be defined and understood.
- Bespoke and custom software are developed securely.
- Security vulnerabilities are identified and addressed in a timely manner.
- Public-facing web applications are protected against attacks such as man-in-the-middle attacks.
- Changes to all system components are managed securely.