PCI DSS 4.0 Requirement 7 -  Requirement  12 covers multiple aspects, like restriction on the cardholder data, network and user access, testing of ongoing systems and how organizations maintain their infosec policy.
Requirement 7 : Restrict Access to System Components and Cardholder Data by Business Need to Know
- Organizations needs to establish a robust Processes and mechanisms for restricting access to system components and cardholder data by business need to know are defined and understood
- Access to system components and data is appropriately defined and assigned
- Access to system components and data is managed via an access control system(s).
Requirement 8 : Identify Users and Authenticate Access to System Components
- Organizations needs to establish a robust Processes and mechanisms for identifying users and authenticating access to system components are defined and understood
- User identification and related accounts for users and administrators are strictly managed throughout an account’s lifecycle
- Strong authentication for users and administrators is established and managed
- Organization must enforce multi-factor authentication (MFA) is implemented to secure access into the CDE
- Organization must enforce multi-factor authentication (MFA) systems are configured to prevent any misuse.
- Use of application and system accounts and associated authentication factors is strictly managed.
Requirement 9 : Restrict Physical Access to Cardholder Data
- Organizations needs to establish a robust Processes and mechanisms for restricting physical access to cardholder data are defined and understood.
- Physical access controls manage entry into facilities and systems containing cardholder data.
- Physical access for personnel and visitors is authorized and managed.
- Media with cardholder data is securely stored, accessed, distributed, and destroyed.
- Point of interaction (POI) devices are protected from tampering and unauthorized substitution
Requirement 10 : Log and Monitor All Access to System Components and Cardholder Data
- Organizations needs to establish a robust Processes and mechanisms for logging and monitoring all access to system components and cardholder data are defined and documented.
- Audit logs are implemented to support the detection of anomalies and suspicious activity, and the forensic analysis of events.
- Audit logs are protected from destruction and unauthorized modifications.
- Audit logs are reviewed to identify anomalies or suspicious activity.
- Audit log history is retained and available for analysis.
- Time-synchronization mechanisms support consistent time settings across all systems.
- Failures of critical security control systems are detected, reported, and responded to promptly.
Requirement 11 : Test Security of Systems and Networks Regularly
- Organizations needs to establish a robust Processes and mechanisms for regularly testing security of systems and networks are defined and understood.
- Wireless access points are identified and monitored, and unauthorized wireless access points are addressed.
- External and internal vulnerabilities are regularly identified, prioritized, and addressed
- External and internal penetration testing is regularly performed, and exploitable vulnerabilities and security weaknesses are corrected
- Network intrusions and unexpected file changes are detected and responded to.
- Unauthorized changes on payment pages are detected and responded to.
Requirement 12 : Support Information Security with Organizational Policies and Programs
A comprehensive information security policy that governs and provides direction for protection of the entity’s information assets is known.
- Acceptable use policies for end-user technologies are defined and implemented
- Risks to the cardholder data environment are formally identified, evaluated, and managed.
- PCI DSS compliance is managed
- PCI DSS scope is documented and validated
- Security awareness education is an ongoing activity
- Personnel are screened to reduce risks from insider threats
- Risk to information assets associated with third-party service provider (TPSP) relationships is managed
- Third-party service providers (TPSPs) support their customers’ PCI DSS compliance
- Suspected and confirmed security incidents that could impact the CDE are responded to immediately
Stay Tuned, for more information and updates on payment security !!