Breaking Down the PCI DSS 4.0 Requirements

The PCI 4.0 requirements were made publicly available in March 2022. They cover most of the same ground as prior versions’ requirements, with special attention paid to common areas of security like risk mitigation and access control. Compliance requires implementing all PCI 4.0 requirements.

Are you prepared for full PCI DSS compliance? Schedule a consultation to find out!

 

The PCI DSS 4.0 Requirements, Explained

After much deliberation, the Security Standards Council (SSC) of the Payment Card Industry (PCI) released version 4.0 of the Data Security Standard (DSS) in March 2022. Many experts had expected changes to the framework’s requirements and thus a complicated preparation for PCI DSS 4.0 validation, even for organizations that had achieved compliance in the past.

But, in practice, PCI DSS v4 changes little about the overall compliance process for most organizations. The baseline controls remain the same, although there is slightly more flexibility to meet them with compensating controls or the customized approach for PCI assessment.

Below, we’ll break down the PCI DSS 4.0 requirements across the six groups they’re distributed in within the DSS. These requirements all need to be implemented to achieve PCI compliance.

 

---

Download Free PCI DSS 4.0 Compliance Checklist

---

 

Building and Maintaining Network Security Controls

These are baseline safeguards defining default security settings and configurations:

• Requirement 1: Install and Maintain Network Security Controls – 

• • • 1.1: Processes for maintaining network security are clearly defined
    • 1.2: Network Security Controls (NSC) are configured and managed
    • 1.3: Access to the CHD environment (CDE) is restricted
    • 1.4: Connections between all networks are controlled
    • 1.5: Risks to the CDE from untrusted networks are mitigated

• Requirement 2: Apply Secure Configurations to System Components – 

• • 2.1: Processes for applying secure configurations are clearly defined
  • 2.2: All system components are securely configured and managed
  • 2.3: All wireless environments are securely configured and managed

 

Assess your PCI compliance

 

Protecting Account Data in Storage and Transmission

These controls account for safe data storage and processing across all networks:

• Requirement 3: Protect Stored Account Data – 

• • • 3.1: Processes for protecting stored account data are clearly defined
    • 3.2: Account data in storage is kept to the minimum amount necessary
    • 3.3: Sensitive account data (SAD) is not kept in storage after authorization
    • 3.4: View and copy access to primary account numbers (PAN) is restricted
    • 3.5: PANs and related data are secure everywhere they exist in storage
    • 3.6: Cryptographic keys used to protect account data are secured
    • 3.7: Processes for managing keys securely are clearly defined

• Requirement 4: Encrypt CHD for Transmission on Open Networks – 

• • 4.1: Processes for encrypting CHD are clearly defined
  • 4.2: PANs are secured with strong cryptography for transmission

Maintaining a Vulnerability Management Program

These measures account for and mitigate risks proactively:

• Requirement 5: Protect Systems from Malicious Software – 

• • • 5.1: Processes for protecting against malware are clearly defined
    • 5.2: Malicious software is detected, prevented, and/or addressed
    • 5.3: Anti-malware mechanisms are installed and actively monitored
    • 5.4: Anti-phishing mechanisms are in place to protect users from scams

• Requirement 6: Develop and Maintain Secure Systems and Software – 

• • 6.1: Processes for developing secure systems are clearly defined
  • 6.2: All custom or bespoke software is developed securely
  • 6.3: Vulnerabilities to software are identified and addressed
  • 6.4: Public-facing web apps are safeguarded against attacks
  • 6.5: All changes to apps and software are managed securely

 

Implementing Strong Access Controls

These measures control and restrict access to sensitive data:

• Requirement 7: Restrict Access to CHD by Business Need to Know – 

• • • 7.1: Processes for restricting access by business need are clearly defined
    • 7.2: Access to system components is appropriately defined and assigned
    • 7.3: Access to system components is managed systematically

• Requirement 8: Identify Users and Authenticate Access to Systems – 

• • 8.1: Processes for identification and authentication are clearly defined
  • 8.2: All user and admin IDs are managed throughout accounts’ lifecycles
  • 8.3: Strong authentication is established for user and admin accounts
  • 8.4: Multi-factor authentication (MFA) is used to secure CDE access
  • 8.5: MFA systems are configured securely to prevent misuse
  • 8.6: Use of accounts and authenticating factors is strictly managed
• Requirement 9: Restrict Physical Access to CHD Environments – 
  • 9.1: Processes for physically restricting access to the CDE are clearly defined
  • 9.2: Physical access controls mediate entry into all areas containing CHD
  • 9.3: Physical access for visitors and personnel is authorized and managed
  • 9.4: All media containing CHD is stored, accessed, and destroyed securely
  • 9.5: Point of interaction (POI) devices are protected against misuse

 

Monitoring and Testing Networks Regularly

These protocols ensure the smooth functioning of security infrastructure:

• Requirement 10: Log and Monitor Access to System Components – 

• • • 10.1: Processes for logging and monitoring access are clearly defined
    • 10.2: Audit logs are used to support threat detection and forensic analysis
    • 10.3: Audit logs are safeguarded against unauthorized changes
    • 10.4: Audit logs are reviewed to identify suspicious activity
    • 10.5: Audit log history is retained for future forensic analysis
    • 10.6: Time-synchronization measures support consistent time settings
    • 10.7: Failures of security systems are detected, reported, and responded to

• Requirement 11: Test System and Network Security Regularly – 

• • 11.1: Processes for network security testing are clearly defined
  • 11.2: Wireless access points are monitored; unauthorized points are addressed
  • 11.3: Internal and external vulnerabilities are identified, prioritized, and addressed
  • 11.4: Internal and external penetration tests are performed regularly
  • 11.5: Network intrusions and unexpected changes are detected and addressed
  • 11.6: Unauthorized changes on payment pages are detected and addressed

Maintaining Information Security Policies

These safeguards govern top-down security assurance through formal policies:

• Requirement 12: Support Information Security with Policies and Programs – 

• • 12.1: Comprehensive security policies for information assets are kept current
  • 12.2: Policies defining acceptable uses for technologies are implemented
  • 12.3: Risks to the CDE are formally identified, evaluated, and managed
  • 12.4: Processes for seamless PCI DSS compliance are managed
  • 12.5: PCI DSS scope is carefully documented and validated
  • 12.6: Employees are continuously trained on security awareness
  • 12.7: Personnel are screened to minimize the risk of insider threats
  • 12.8: Third-party service provider risks are managed thoroughly
  • 12.9: Third-party service providers support customers’ compliance
  • 12.10: Incidents that could impact the CDE are responded to immediately

 

Additional PCI Compliance Considerations

The requirements above form the core of controls that all organizations need to account for to be PCI DSS compliant. However, there are additional requirements applicable to multi-tenant service providers, those using SSL or early TLS for card-present POS terminals, and others.

Consulting with a PCI DSS advisor or assessor will help you determine whether and how these additional requirements apply to your organization, along with how to satisfy them efficiently.

Organizations faced with legitimate technical or business challenges to meeting PCI DSS Requirements may be able to use compensating controls to meet them instead. By using a worksheet provided within the DSS, organizations can document how an alternative control meets the same security standard required by a given PCI DSS control, even if it uses alternative methods. But this must be confirmed by a Qualified Security Assessor (QSA).

Organizations with more mature security implementations can also look into the Customized Approach for PCI DSS compliance. Compensating controls allow for alternative methods to satisfy audit requirements as long as they meet or exceed the purposes of PCI-specified controls. For example, organizations might have identity and access management (IAM) measures in place that exceed the security threshold of PCI DSS 4.0 password requirements, and the Customized Approach would allow these to stand in for the PCI-specified controls.

 

Download Free PCI DSS 4.0 Datasheet

 

Optimize Your PCI DSS Compliance Today

Achieving and maintaining compliance with PCI DSS version 4 means implementing the controls detailed above—plus additional requirements, if necessary—and assessing per the requirements of your PCI level. Customized or compensating controls may substitute or facilitate some of the specific implementations, but the general process is mostly the same.

RSI Security has helped countless organizations manage their PCI compliance. We believe that discipline creates freedom, and installing rigorous security now enables growth down the line.

To learn more about meeting the PCI DSS 4.0 requirements, contact RSI Security today!