Compliance with the Payment Card Industry 4.0 framework is critical to safeguarding cardholder data from cybersecurity threats that could compromise its integrity, availability, privacy, and security. The recently released version of the PCI DSS, version 4, contains various controls to help safeguard customers’ cardholder data. Read on to learn all you need to know about them.
Breakdown of the Payment Card Industry 4.0 Framework
Following the recent release of the Payment Card Industry 4.0 framework, organizations that handle cardholder data (CHD) must comply with the PCI DSS v4 Requirements. That means implementing its recommended safeguards to keep CHD safe from cybersecurity threats.
To help you optimize your PCI DSS compliance, this blog will cover:
- Updates to the PCI DSS framework and the release of PCI DSS 4.0
- A comprehensive list of the PCI DSS v4 Requirements
The specific safeguards you implement when complying with the Payment Card Industry 4.0 framework will depend on your business or security needs. In most cases, achieving or maintaining PCI DSS compliance is easiest with the help of a PCI compliance advisor.
Updates to the PCI DSS Framework – PCI DSS v4
Since it was established by the Payment Card Industry (PCI) Security Standards Council (SSC), the PCI Data Security Standards (DSS) framework has helped organizations safeguard the CHD they process from cybersecurity threats. The previous version of the PCI DSS, 3.2.1, became effective in May 2018. And in March 2022, the new PCI DSS v4 was released.
Many of the changes to PCI DSS v3.2.1 reflected in the Payment Card Industry 4.0 framework are centered around helping organizations better implement the framework’s requirements. Specifically, the updated PCI DSS Requirements in version 4 will equip organizations with up-to-date resources and tools to effectively mitigate emerging cybersecurity threats from the widespread use of newer technologies and more flexible approaches and solutions.
Transitioning to the PCI DSS 4.0 Framework
Preparing your organization to update existing controls to those required by the Payment Card Industry 4.0 framework will be critical to safeguarding sensitive cardholder data environments (CDEs).
Luckily, organizations that have been either partially or fully reliant on the controls in PCI DSS v3.2.1 have until the end of March 2024 to gain familiarity with PCI DSS v4 and implement its requirements. After March 2024, only PCI DSS 4.0 will be recognized as the active version of the PCI DSS framework. Compliance with the PCI DSS v4 will help you prevent data breaches, which can have significant legal, financial, and reputational consequences.
What are the 12 Requirements of the PCI DSS v4?
Broadly speaking, the Payment Card Industry 4.0 Requirements are relatively similar to their counterparts in earlier versions of the DSS. They help organizations implement technical and operational controls that will minimize the risks of security threats or mitigate them altogether.
The 12 Requirements listed in the Payment Card Industry 4.0 framework break down as follows:
Requirement 1 – Implement Network Security Controls (NSCs)
Requirement 1 of the PCI DSS mandates implementation of network security controls (NSCs). For example, you need to install firewalls and other network security technologies to control the flow of network traffic between logical or physical network segments of varying security levels.
Implementing NSCs will help protect sensitive CHD environments from untrusted networks, like:
- The Internet (via web or email applications)
- Public or unsecured wireless networks
- Third-party networks
- Corporate networks outside the scope of PCI DSS
Compliance with Requirement 1 of the PCI DSS involves:
- Defining and disseminating clear guidelines on the implementation of NSCs
- Configuring and maintaining NSCs to the security standards required by the PCI DSS
- Restricting access to environments containing CHD
- Controlling the network connections to or from untrusted and trusted networks
- Minimizing the security risks to CDE posed by devices connected to untrusted networks
Leveraging NSCs to keep your networks and CDE secure will help mitigate unknown and known network security risks.
Requirement 2 – Secure System Components
System components that are involved in processing CHD must be secured to mitigate the risks of cybercriminals accessing sensitive CDE. Per PCI DSS 4.0 Requirement 2, you must secure the system configurations to minimize the vulnerabilities that can be exploited by perpetrators.
System components can be secured by:
- Changing the default passwords pre-installed on systems
- Disabling or removing unnecessary software, services, accounts, or functions from systems
- Implementing tested, industry-standard configuration standards that can address known security vulnerabilities
- Securing wireless environments connected to CDE by changing vendor defaults
Most importantly, the processes and mechanisms for securing systems should be clearly defined and understood by members of your organization.
Requirement 3 – Safeguard Stored Account Data
According to PCI DSS v4, the best way to protect any account data you handle is to minimize its storage. If you must store account data, the following safeguards will help you keep it safe:
- Clearly defining the established processes and mechanisms for securing account data storage across the organization
- Avoiding the storage of sensitive authentication data (SAD) following authorization at payment channels
- Restricting access to displays of full primary account numbers (PANs) or any attempts to copy CHD when displayed
- Securing PANs wherever they are stored using methods such as:
  - Leveraging cryptographic keys to protect account data storage
  - Implementing key management processes for all cryptographic account data safeguards
Furthermore, any technologies or processes that could compromise the sensitivity of stored account data must be secured to mitigate the risks of data breaches.
Requirement 4 – Secure the Transmission of CHD Over Open Networks
Any transmission of CHD over open, public networks must be secured to keep data confidential and to prevent threats to its integrity. Requirement 4 mandates the encryption of PAN while it is transmitted over public or untrusted networks that may be exposed to perpetrators.
Securing the transmission of CHD over open, public networks is dependent on the use of:
- Trusted cryptographic keys and security certificates
- Valid and unexpired security certificates
- Secure versions of cryptography tools
- Strong encryption methodologies
For CHD transmission to be effectively secured, all personnel involved in handling CHD must be fully aware and trained on how to implement security and cryptographic tools and processes.
Requirement 5 – Safeguard Systems Against Malware
According to PCI DSS 4.0 Requirement 5, organizations must protect their systems from malicious software (malware) intrusion. Malware, if uncontrolled, can stealthily infiltrate your systems or networks and compromise your sensitive data environments.
Malware may include, but is not limited to:
- Trojan horses
To safeguard your systems from malware, you must:
- Define and implement processes for managing malware threats
- Detect malware promptly and mitigate its intrusion or spread across systems
- Implement, monitor, and maintain anti-malware tools
- Safeguard users from phishing attacks via anti-phishing mechanisms
With the help of the right anti-malware tools and processes, you will be well-prepared to address malware threats early on, mitigating any malware intrusion that could compromise CDE.
Requirement 6 – Protect Systems and Software
Systems and software that handle CHD must also be secured to minimize security threats and data breaches. PCI DSS v4 Requirement 6 stipulates several processes to help you protect them:
- Developing custom and bespoke software using secure tools
- Identifying security vulnerabilities early on and mitigating them promptly
- Securing public-facing web applications from security threats
- Securely managing any changes to system components
When it comes to protecting CHD and complying with the PCI DSS, security patching is critical, per Requirement 6. Developing systems to deploy and manage security patches will help mitigate the risks of cybercriminals exploiting security vulnerabilities to gain access to CDE.
Requirement 7 – Secure Access to System Components and CHD
Per PCI DSS 4.0 Requirement 7, all access to system components and CHD should be restricted by business need to prevent unauthorized access to CDE. More importantly, your organization should define and implement systems that grant access on a strict need-to-know basis and according to the principle of least privilege. As such, you should develop processes to:
- Assign access to CDE and system components
- Manage access via access control systems
The access control safeguards listed in PCI DSS Requirement 7 apply to any party that handles CHD, whether it be employees, third-party vendors, contractors, or consultants.
Requirement 8 – Implement User Access and Authentication Controls
Besides managing the delegation of access controls, it is also critical to implement processes for automatically identifying and authenticating users that gain access to system components in the CDE. Per PCI DSS 4.0 Requirement 8, organizations must implement access controls like:
- Managing user and administrator accounts throughout their lifecycle
- Establishing strong authentication processes for users and administrators
- Leveraging multifactor authentication (MFA) to safeguard access to CDE
- Deploying controls to manage the use of authentication tools
Effectively managing access controls will keep CDEs safe and prevent cybercriminals from gaining unauthorized access through user, application, or system accounts.
Requirement 9 – Restrict Access to Physical CHD
Without controls that restrict physical access to CHD, perpetrators can easily gain access to CDE and compromise the data it holds. Requirement 9 controls safeguard CDE by:
- Managing entry into the physical locations containing CHD such as facilities or systems
- Authorizing physical access to CDE for visitors and personnel
- Implementing processes to safely store, distribute, or destroy media containing CHD
- Mitigating unauthorized access to or tampering with point-of-interaction (POI) devices
To streamline the implementation of PCI DSS Requirement 9 safeguards, it is crucial to identify which of your physical CDEs might require more extensive optimization of controls than others.
Requirement 10 – Track Access to System Components and CHD
Per Requirement 10 of the Payment Card Industry 4.0 framework, you must track all access to CDEs using tools such as audit logs. When implementing audit logs, you must ensure they:
- Can help detect suspicious activity that may result in security threats
- Are not easily modified or destroyed by perpetrators
- Can be reviewed to identify unusual behavior or activity
It is also critical to retain audit log history for future analysis and to ensure that time is synchronized consistently across all systems. Audit logs will also help identify failures in critical security control systems and enable prompt remediation of any detected vulnerabilities.
Requirement 11 – Implement System and Network Testing
Regular testing of systems and networks is also fundamental to securing CDEs and mitigating data breaches. Without a robust system for testing systems and networks for vulnerabilities, your CDE will be prone to unexpected security threats.
Per Requirement 11 of the PCI DSS 4.0, system and network testing should involve:
- Monitoring wireless access points to identify unauthorized access points
- Penetration testing systems to identify exploitable vulnerabilities
- Detecting and responding to network intrusions that could compromise CDE
- Monitoring unauthorized changes on payment channels such as web pages
Keeping your CHD safe depends on how frequently and effectively you test the systems and networks in contact with CDE.
Requirement 12 – Establish a PCI Security Policy
Developing a PCI security policy will help guide the implementation of controls that secure CDE from threats. When deploying your PCI DSS security policy, it is crucial that the policy is tailored to your organization’s specific data security needs.
PCI DSS v4 Requirement 12 mandates that an information security policy should:
- Define acceptable cases for the use of end-user technologies
- Identify and manage risks to CDE
- Manage compliance with the PCI DSS
- Document and validate the scope of PCI DSS
- Implement security awareness training
- Control risks related to insider and outsider threats
- Stipulate processes for managing security incidents
A well-documented PCI security policy will help keep your CHD safe in the short and long term and continuously optimize your security posture. This Requirement impacts all others, as most or all sub-requirements and controls need to be accounted for explicitly in your security policy.
Overall, the best way to review the scope of the Payment Card Industry 4.0 Requirements that apply to your organization’s security needs is in consultation with a PCI compliance advisor.
Achieve PCI DSS 4.0 Compliance Professionally
Compliance with the Payment Card Industry 4.0 Requirements is the first step in protecting any CHD you handle from being compromised by a cyberattack. With the help of a trusted PCI compliance advisor like RSI Security, you will optimize your security controls and attain greater confidence in your PCI data security posture. To learn more, contact RSI Security today!