The Payment Card Industry Data Security Standard (PCI DSS) 4.0 represents the latest evolution of the PCI DSS framework, designed to enhance the security of payment card data and adapt to the changing threat landscape. Released in March 2022, PCI DSS 4.0 introduces updates and new requirements to address emerging security challenges and improve overall data protection practices.
Appendix A3 of PCI DSS v4.0 provides additional validation requirements for designated entities with complex environments, including supplementary controls and documentation to ensure comprehensive compliance and data protection tailored to specific organizational needs.
Responsibility for protecting account data and managing PCI DSS compliance must be established and assigned.
A formal PCI DSS compliance program must be in place to manage and ensure ongoing compliance.
Roles and responsibilities for PCI DSS compliance must be specifically defined and formally assigned.
Personnel with PCI DSS compliance responsibilities must receive appropriate PCI DSS and/or information security training.
Subcontrol A3.1.5 requires that organizations document and validate the scope of their PCI DSS environment. This involves clearly identifying and documenting all system components, processes, and people involved in handling cardholder data. The validation process ensures that all relevant elements within the defined scope are accurately included in the PCI DSS assessment, thereby ensuring comprehensive coverage and protection.
PCI DSS scope must be validated frequently to ensure it accurately reflects the organization's environment.
The impact of changes to systems or networks on PCI DSS scope must be determined.
A methodology must be implemented to promptly identify attack patterns.
PCI DSS requirements must be implemented on new or changed systems and networks.
A formal internal review must be conducted to assess the impact on PCI DSS scope and control applicability.
PCI DSS scope must be confirmed when segmentation is used to ensure proper control boundaries.
A methodology for discovering data must be implemented to identify sensitive information within the organization.
Methods used for data discovery must be confirmed to ensure they are effective and accurate.
Response procedures must be implemented to address the detection of cleartext PAN outside the Cardholder Data Environment (CDE).
Mechanisms must be implemented to detect and prevent cleartext PAN from leaving the Cardholder Data Environment (CDE).
Response procedures must be implemented to address attempts to remove cleartext PAN from the Cardholder Data Environment (CDE).
Subcontrol A3.2.6.1 mandates that organizations implement and maintain processes to detect, alert, and respond to failures in critical security control systems. This ensures that any issues or malfunctions in security controls are identified promptly, with appropriate alerts generated to notify relevant personnel. Additionally, processes must be in place to address and remediate these failures to maintain the integrity and effectiveness of the security controls.
Processes must be in place to respond to failures in security control systems.
Hardware and software technologies must be reviewed periodically to ensure their effectiveness.
Regular reviews must be performed to ensure Business-As-Usual (BAU) activities are being followed.
User accounts and access privileges to in-scope system components must be reviewed regularly.
Appendix A2 of PCI DSS v4.0 outlines additional requirements for entities using SSL or early TLS in card-present POS environments, including transitioning to stronger protocols and ensuring secure configurations to protect cardholder data during transactions.
POS Point of Interaction (POI) terminals at the merchant or payment acceptance location that use SSL or early TLS must comply with PCI DSS requirements.
Service providers with existing connections to POS POI terminals using SSL or early TLS must ensure compliance with PCI DSS.
Service providers must offer secure services that comply with PCI DSS requirements for SSL and early TLS usage.
PCI DSS v4.0 Requirement 1 mandates organizations to implement and maintain network security controls, such as firewalls and routers, to protect cardholder data by controlling inbound and outbound network traffic, ensuring secure configurations, and minimizing exposure to potential threats.
The subcontrol 1.1.1 under PCI DSS v4.0 Requirement 1 focuses on ensuring that security policies and operational procedures governing the management of network security controls are documented, regularly reviewed, and updated to reflect changes in the network environment. This ensures that all relevant personnel are informed about and adhere to these policies and procedures to maintain a robust security posture.
Subcontrol 1.5.1 requires organizations to implement security controls on computing devices to protect them from threats and vulnerabilities. This involves ensuring that appropriate security measures are in place to safeguard computing devices, such as servers, workstations, and other endpoints, which are critical to the security of the Cardholder Data Environment (CDE).
Subcontrol 1.4.5 requires organizations to limit the disclosure of internal IP addresses and routing information. This measure aims to prevent unauthorized parties from gaining insight into the internal network structure, which could be exploited to facilitate attacks or unauthorized access.
Subcontrol 1.4.4 requires organizations to ensure that cardholder data is not accessible from untrusted networks. This means implementing controls to prevent unauthorized access to sensitive payment information from external or less secure networks, thereby protecting the confidentiality and integrity of cardholder data.
Subcontrol 1.4.3 requires organizations to implement anti-spoofing measures to prevent attackers from falsifying the origin of network traffic. Anti-spoofing measures are designed to detect and mitigate attempts to impersonate legitimate network addresses or systems, thereby enhancing the security of the network and protecting sensitive information.
Subcontrol 1.4.2 requires organizations to evaluate and restrict inbound traffic from untrusted networks to trusted networks. This involves assessing the sources and nature of inbound traffic from external or less secure networks and implementing controls to ensure that only authorized and necessary traffic is allowed to enter trusted networks, thereby protecting sensitive information and maintaining network security.
Subcontrol 1.4.1 requires organizations to implement network security controls (NSCs) between trusted and untrusted networks. This ensures that there is a secure boundary separating internal trusted networks, such as those housing sensitive payment card data, from external or less secure networks, such as the internet. Properly implemented NSCs protect against unauthorized access and potential threats originating from untrusted sources.
Subcontrol 1.1.2 under PCI DSS v4.0 Requirement 1 mandates that organizations must document and assign roles and responsibilities related to the installation, maintenance, and management of network security controls. This ensures that specific tasks are clearly defined and allocated to individuals or teams, promoting accountability and effective management of network security measures.
Subcontrol 1.2.1 under PCI DSS v4.0 Requirement 1 mandates that organizations must implement a standardized configuration for network security controls. This includes establishing and maintaining consistent security configurations for network devices, such as firewalls, routers, and switches, to ensure a robust and uniform security posture across the network.
Subcontrol 1.2.2 requires organizations to implement a formal process for approving and managing changes to network security control configurations. This ensures that any modifications to network security settings are reviewed, authorized, and documented to prevent unauthorized changes and maintain the integrity of network security measures.
Subcontrol 1.2.3 requires organizations to maintain accurate and up-to-date network diagrams that clearly depict the network infrastructure and security controls. These diagrams are essential for understanding the network's layout, the placement of security controls, and the flow of data across the network.
Subcontrol 1.2.4 requires organizations to maintain accurate and up-to-date data-flow diagrams that illustrate the flow of data through the network, including how data is transmitted, processed, and stored. These diagrams are essential for understanding and securing the flow of sensitive information, including payment card data.
Subcontrol 1.2.5 requires organizations to implement a formal process for approving and managing the services, protocols, and ports that are allowed on their network. This ensures that only necessary and secure services, protocols, and ports are enabled, reducing the potential attack surface and minimizing security risks.
Subcontrol 1.2.6 requires organizations to implement security measures for managing services, protocols, and ports to ensure they are securely configured and appropriately protected. This involves setting security configurations and restrictions to minimize potential vulnerabilities associated with services, protocols, and ports used within the network.
Subcontrol 1.2.7 requires organizations to perform periodic reviews and examinations of the configurations of network security controls (NSCs) to ensure that they remain secure and effective. This involves regularly assessing and validating the configuration settings of network security devices to confirm they adhere to security policies and best practices.
Subcontrol 1.2.8 requires organizations to ensure the security and consistency of configuration files for network security controls (NSCs). This involves implementing measures to protect configuration files from unauthorized access and modification while ensuring that configurations are consistently applied across all network security devices.
Subcontrol 1.3.1 requires organizations to evaluate and restrict inbound traffic to the Cardholder Data Environment (CDE). This involves assessing the sources of inbound traffic and implementing controls to ensure that only authorized and necessary traffic is allowed to enter the CDE, thus protecting sensitive payment card data from unauthorized access and potential threats.
Subcontrol 1.3.2 requires organizations to evaluate and restrict outbound traffic from the Cardholder Data Environment (CDE). This involves assessing the destinations of outbound traffic and implementing controls to ensure that only authorized and necessary outbound traffic is allowed, thus preventing unauthorized data exfiltration and protecting sensitive payment information.
Subcontrol 1.3.3 requires organizations to install network security controls (NSCs) between wireless networks and the Cardholder Data Environment (CDE). This ensures that wireless networks are properly segregated from the CDE, preventing unauthorized access and protecting sensitive payment information from potential threats originating from wireless connections.
PCI DSS v4.0 Requirement 2 requires organizations to establish and maintain secure configurations for all system components, ensuring they are hardened against vulnerabilities by disabling unnecessary functions, services, and protocols, and regularly updating software to protect cardholder data.
Subcontrol 2.3.2 requires organizations to change wireless encryption keys whenever there is a suspected or confirmed compromise, when employees with knowledge of the keys leave the organization, or periodically as part of a regular security practice. This ensures that wireless communications remain secure by preventing unauthorized access that could result from outdated or compromised encryption keys.
Subcontrol 2.3.1 requires that wireless devices, when installed, have vendor-supplied defaults either changed or confirmed as secure. This includes changing default passwords, SSIDs, encryption settings, and other security-related configurations that are typically set by the manufacturer. The objective is to ensure that wireless devices do not retain default settings that could be exploited by attackers.
Subcontrol 2.2.7 requires organizations to encrypt all non-console administrative access to system components. This ensures that any administrative activities performed remotely (not physically at the console) are secured by encryption, protecting sensitive information such as usernames, passwords, and configuration data from interception and unauthorized access.
Subcontrol 2.2.6 mandates that organizations implement measures to prevent the misuse of system security parameters. This involves ensuring that security-related settings and configurations are managed in a way that minimizes the risk of misconfiguration, unauthorized changes, or exploitation. The goal is to maintain the integrity and security of system components by safeguarding critical security parameters.
Subcontrol 2.2.5 requires organizations to identify and examine services, protocols, and daemons that are considered insecure. This examination involves evaluating the security risks associated with these elements and determining whether they can be disabled or replaced with more secure alternatives. If disabling or replacing is not feasible, organizations must implement compensating controls to mitigate the risks.
Subcontrol 2.2.4 requires organizations to ensure that only the necessary services, protocols, daemons, and functions are enabled on system components. Any services or protocols that are not essential to the system’s function should be disabled or removed to reduce the attack surface and minimize the risk of security breaches.
Subcontrol 2.2.3 requires organizations to ensure that system components performing primary functions are secured to a level appropriate to the risk associated with those functions. This includes implementing security measures that protect these components from unauthorized access, vulnerabilities, and potential threats, thereby maintaining the integrity and availability of the systems that are critical to business operations.
Subcontrol 2.2.2 requires organizations to manage vendor default accounts by removing or disabling them. Vendor default accounts are pre-configured accounts created by hardware or software vendors that are often installed with default passwords and settings. These accounts can pose significant security risks if left active and are a common target for attackers seeking to exploit weak or known default credentials.
Subcontrol 2.2.1 requires organizations to develop and implement configuration standards for all system components. These standards define secure configuration settings and practices that must be applied to ensure that system components are protected against vulnerabilities and threats.
Subcontrol 2.1.2 requires organizations to document and assign roles and responsibilities for performing activities related to applying secure configurations to all system components. This includes clearly defining and documenting who is responsible for ensuring secure configurations, monitoring compliance, and managing changes across all system components.
Subcontrol 2.1.1 requires organizations to manage security policies and operational procedures related to applying secure configurations to all system components. This includes establishing, maintaining, and enforcing policies and procedures that ensure system components are securely configured to protect against vulnerabilities and threats.
PCI DSS v4.0 Requirement 3 mandates organizations to protect stored account data by implementing encryption, truncation, masking, and other secure storage techniques to prevent unauthorized access or disclosure of cardholder data.
Subcontrol 3.6.1.1 requires organizations to document their cryptographic architecture. This includes detailed documentation of how cryptographic keys are managed, used, and protected within the organization's IT environment. The documentation should cover key management processes, encryption methodologies, and the overall cryptographic framework to ensure transparency, compliance, and security.
Subcontrol 3.6.1 requires that organizations establish and maintain procedures to protect cryptographic keys used for encrypting cardholder data. This includes ensuring the secure management, handling, and storage of cryptographic keys to prevent unauthorized access or compromise.
Subcontrol 3.5.1 requires that the Primary Account Number (PAN) stored within the environment be rendered unreadable using cryptographic measures. This ensures that PANs are protected from unauthorized access by rendering the stored data unreadable without the appropriate decryption keys or processes.
Subcontrol 3.4.2 requires that measures be in place to prevent the relocation of Primary Account Numbers (PANs) to unauthorized storage devices. This includes ensuring that PANs are not transferred or stored on devices or systems that are not specifically approved for storing sensitive authentication data. Implementing these measures helps to prevent unauthorized access and ensure that PANs are only stored in secure and compliant environments.
Subcontrol 3.4.1 requires that the Primary Account Number (PAN) be masked when displayed, such that only a limited number of digits are visible (e.g., the first six and last four digits). Additionally, it mandates that access to the full PAN be restricted to authorized personnel only. This control aims to minimize the exposure of sensitive cardholder data and limit the risk of unauthorized access and data breaches.
Subcontrol 3.3.3 mandates the implementation of security procedures for the storage of sensitive authentication data (SAD). This includes creating and maintaining security procedures that specifically address how SAD is stored, protected, and managed to ensure it is not exposed to unauthorized access or misuse. The procedures must be comprehensive and cover aspects such as access controls, encryption, and secure data handling practices.
Subcontrol 3.3.2 requires that sensitive authentication data (SAD) be protected through encryption using strong cryptographic methods. This control mandates that any stored SAD, which includes card verification codes (CVCs), PINs, and other sensitive authentication information, must be encrypted to ensure its confidentiality and integrity. The encryption must be implemented using cryptographic algorithms and key management practices that meet current industry standards.
Subcontrol 3.3.1.3 requires that personal identification numbers (PINs) and PIN blocks must not be retained after the authorization process is complete. PINs and PIN blocks, which are used to authenticate cardholder transactions, contain highly sensitive data. Therefore, they must be immediately and securely deleted or rendered unreadable after the authorization process to protect against unauthorized access and potential fraud.
Subcontrol 3.3.1.2 requires that card verification codes (CVCs), card validation codes (CAVCs), or any other forms of card verification data must not be retained after the authorization process is completed. This data, which includes CVV2/CVC2 values found on the card, is used to verify the cardholder's identity during a transaction but must be immediately and securely deleted or rendered unreadable once the authorization is obtained.
Subcontrol 3.3.1.1 mandates that organizations must not retain the full contents of any magnetic stripe (track) data after the authorization process is completed. This requirement specifically targets the full magnetic stripe data read from the card during a transaction, which includes information such as the cardholder's name, account number, and other sensitive details. Once authorization is obtained, this data must be immediately and securely deleted to prevent unauthorized access and misuse.
Subcontrol 3.3.1 mandates that sensitive authentication data (SAD), including card verification codes (CVCs), card validation codes (CAVCs), and PINs, must not be stored after authorization. After a transaction has been authorized, this data must be immediately and securely deleted or rendered unreadable. The purpose of this requirement is to minimize the risk of unauthorized access and fraud by ensuring that sensitive authentication data is not retained beyond its necessary use.
Subcontrol 3.2.1 requires organizations to implement comprehensive data retention and disposal policies, procedures, and processes to ensure that stored account data is only retained for as long as necessary and securely disposed of when no longer needed. This control aims to minimize the risk of unauthorized access to sensitive data by reducing the amount of stored data and ensuring that it is securely handled throughout its lifecycle.
Subcontrol 3.1.2 requires organizations to document and assign clear roles and responsibilities for all activities related to the protection of stored account data. This involves identifying the personnel responsible for specific tasks, ensuring they have the necessary skills and training, and formally documenting these assignments. The goal is to establish accountability and clarity in the management of stored account data, reducing the risk of data breaches and non-compliance.
Subcontrol 3.1.1 focuses on the development, implementation, and management of security policies and operational procedures that address the protection of stored account data. This includes ensuring that policies and procedures are clearly defined, documented, communicated to relevant personnel, and consistently followed. The goal is to establish a robust framework for protecting stored account data from unauthorized access, disclosure, and misuse.
Subcontrol 3.7.4 requires that organizations have procedures in place for managing changes to cryptographic keys, including key rotation, re-keying, and updates. This ensures that cryptographic keys are kept secure and effective over time, mitigating the risk of key compromise.
Subcontrol 3.7.5 requires organizations to have procedures in place for the retirement, replacement, and destruction of cryptographic keys. This ensures that outdated or compromised keys are securely managed and removed to prevent unauthorized access to sensitive data.
Subcontrol 3.7.6 requires that cryptographic key-management operations, such as key generation, storage, and distribution, are not performed in cleartext. This means that all key-management operations must be conducted using secure methods to prevent unauthorized access to key material.
Subcontrol 3.7.7 mandates that organizations implement measures to prevent unauthorized substitution of cryptographic keys. This ensures that cryptographic keys used for encrypting and decrypting sensitive data are not replaced or altered by unauthorized individuals, thereby protecting the integrity of encrypted data.
Subcontrol 3.7.8 requires that individuals designated as custodians of cryptographic keys formally acknowledge their responsibilities. This formal acknowledgment ensures that key custodians understand their roles, the importance of safeguarding cryptographic keys, and the associated security and compliance requirements.
Subcontrol 3.7.9 provides guidance on the secure transmission, storage, and updating of cryptographic keys. This guidance ensures that cryptographic keys used to protect stored account data are handled in a manner that maintains their security and integrity throughout their lifecycle.
Subcontrol 3.5.1.2 requires that encryption be applied at both the disk level and partition level to protect stored account data. This ensures that data is encrypted as it resides on physical disks or partitions, making it unreadable to unauthorized users who may gain access to the storage media. Disk-level and partition-level encryption helps safeguard cardholder data by ensuring its confidentiality even if physical devices are compromised.
Subcontrol 3.5.1.3 requires the effective management of disk-level and partition-level encryption to ensure that encryption mechanisms are properly configured, maintained, and monitored. This includes managing the encryption solutions, ensuring compliance with encryption policies, and handling encryption key management to protect stored account data effectively.
Subcontrol 3.5.1.1 focuses on the use of keyed cryptographic hashes to secure stored cardholder data. Specifically, it requires that processes and procedures for using keyed cryptographic hashes are in place to ensure that such hashes are used appropriately to protect stored account data. Keyed cryptographic hashes, such as HMAC (Hash-based Message Authentication Code), are used to verify the integrity and authenticity of data by applying a secret key to the hashing process.
Subcontrol 3.7.2 mandates that cryptographic keys must be distributed securely to prevent unauthorized access during the distribution process. This involves using secure methods and protocols to ensure that keys are protected from interception or tampering while being transmitted from one location to another.
Subcontrol 3.6.1.2 mandates that cryptographic keys used for encrypting cardholder data must be stored securely to prevent unauthorized access and ensure their protection throughout their lifecycle. Secure storage involves using robust mechanisms and controls to protect keys from exposure, tampering, or theft.
Subcontrol 3.7.3 requires that cryptographic keys be stored securely to protect them from unauthorized access and tampering. Secure storage practices ensure that keys are kept in a protected environment where they are safeguarded against physical and logical threats.
Subcontrol 3.6.1.3 mandates that access to cleartext cryptographic key components (keys that are not encrypted or obscured) must be strictly restricted. This restriction ensures that cleartext key components are protected from unauthorized access, thereby safeguarding the encryption keys and maintaining the overall security of cardholder data.
Subcontrol 3.6.1.4 requires organizations to establish and maintain secure locations for storing cryptographic keys. These storage locations must be protected against unauthorized access and physical or logical attacks to ensure the integrity and confidentiality of the keys.
Subcontrol 3.7.1 requires that cryptographic keys used for protecting cardholder data are generated using strong cryptographic algorithms and methods. This ensures that the keys are robust and resistant to attacks, thereby enhancing the security of encrypted data.
PCI DSS v4.0 Requirement 4 requires organizations to protect cardholder data during transmission over open, public networks by using strong cryptography and security protocols, such as TLS, to prevent interception, tampering, or unauthorized access.
Subcontrol 4.2.1.1 addresses the maintenance of trusted keys and certificates used for protecting cardholder data during transmission over open, public networks. This involves ensuring that cryptographic keys and certificates are properly managed, including their issuance, renewal, and revocation, to maintain the security and integrity of encrypted communications.
Ensure that strong cryptography is used to protect cardholder data transmitted over wireless networks.
Ensure that PAN (Primary Account Number) is protected during transmission through messaging technologies using strong cryptographic methods.
Subcontrol 4.2.1 focuses on the implementation of strong cryptographic methods and security protocols to protect cardholder data during transmission over open, public networks. This subcontrol mandates the use of cryptographic techniques and protocols that are robust and compliant with current industry standards to ensure the confidentiality and integrity of data in transit.
Subcontrol 4.1.2 focuses on documenting and assigning specific roles and responsibilities related to the protection of cardholder data during transmission over open, public networks. This subcontrol ensures that roles are clearly defined and documented, and that personnel are aware of their responsibilities in maintaining the security of data transmission.
Subcontrol 4.1.1 involves the management of security policies and operational procedures specific to protecting cardholder data during transmission over open, public networks. This includes ensuring that appropriate policies and procedures are in place and are actively managed to enforce the use of strong cryptography to safeguard cardholder data.
PCI DSS v4.0 Requirement 5 requires organizations to protect all systems and networks from malicious software by implementing anti-virus, anti-malware, and other threat detection tools, regularly updating them, and conducting periodic scans to detect and prevent malware infections.
Implement measures to protect against phishing attacks targeting systems and users.
Deploy anti-malware solutions for removable electronic media to prevent malware infections.
Enable and retain audit logs for anti-malware solutions to track and review malware-related activities.
Manage changes to anti-malware mechanisms and their configurations to ensure continued effectiveness.
Conduct evaluations of system components as defined in the organization’s targeted risk analysis.
Ensure anti-malware solutions are kept current through automatic updates.
Perform periodic scans or behavioral analysis to detect malware and malicious activity.
Determine the optimal frequency for periodic scans based on your own risk assessment and security needs.
Develop, document, and manage security policies and operational procedures to protect systems and networks from malicious software.
Document and assign roles and responsibilities for managing and executing activities related to protecting systems and networks from malicious software.
Deploy anti-malware solutions on all system components to protect against malicious software.
Ensure protection against all known types and forms of malware, including viruses, worms, and ransomware.
Periodically evaluate system components for effectiveness in malware protection.
PCI DSS v4.0 Requirement 6 mandates organizations to develop and maintain secure systems and software by implementing secure coding practices, applying patches promptly, and regularly testing for vulnerabilities to protect against security threats.
Ensure secure development practices for bespoke and custom software.
Train software development personnel on secure coding and development practices.
Implement a review process for bespoke and custom software to ensure security.
Establish and follow a standard procedure for manual code review.
Apply software engineering techniques to prevent or mitigate common software attacks and vulnerabilities.
Identify and manage security vulnerabilities in systems and software.
Maintain an inventory of bespoke and custom software and third-party components used.
Install applicable security patches and updates in a timely manner.
Protect applications against known attacks by implementing appropriate security measures.
Deploy automated solutions for continuous detection and prevention of web-based attacks.
Manage payment page scripts to ensure security and integrity in the consumer’s browser.
Ensure changes to system components in the production environment follow established procedures.
Ensure all new or changed systems and networks comply with applicable PCI DSS requirements.
Maintain separation between pre-production and production environments.
Ensure separate roles and functions for production and pre-production environments.
Ensure that live PANs are not available in pre-production environments.
Remove test data and accounts from system components before production.
Develop, document, and manage security policies and operational procedures for secure system and software development.
Document and assign roles and responsibilities for secure systems and software development activities.
PCI DSS v4.0 Requirement 7 requires organizations to restrict access to system components and cardholder data based on business need-to-know, ensuring that only authorized personnel have access to sensitive information, minimizing the risk of unauthorized access.
Develop, document, and manage security policies and operational procedures for access control based on business need to know.
Document and assign roles and responsibilities for access control activities based on business need to know.
Define and implement an access control model based on business need to know.
Assign access to users and privileged users based on their roles and business need to know.
Ensure that required privileges are approved by authorized personnel before granting access.
Conduct periodic reviews of all user accounts and related access privileges, including those of third-party vendors.
Manage application and system accounts and their related access privileges based on business need to know.
Conduct periodic reviews of all access by application and system accounts and related access privileges.
Restrict all user access to query repositories containing stored cardholder data.
Use access control systems to restrict access based on the user’s need to know.
Configure access control systems to enforce permissions appropriately.
Subcontrol 7.3.3 requires organizations to configure their access control systems with a "deny all" by default policy. This means that access to systems and data is denied unless explicitly permitted by an access control rule. This configuration ensures that only authorized users with explicit permissions are granted access, thereby enhancing security and reducing the risk of unauthorized access.
PCI DSS v4.0 Requirement 8 mandates organizations to identify users and authenticate their access to system components by implementing strong authentication mechanisms, such as unique IDs, passwords, and multi-factor authentication, to ensure that only authorized users can access sensitive systems and data.
Develop, document, and manage security policies and procedures for authentication and user identification.
Document and assign roles and responsibilities for activities related to authentication and user identification.
Assign a unique ID to each user for access to system components and cardholder data.
Manage group, shared, or generic accounts and other shared authentication credentials.
Service providers must use unique authentication factors for each customer premises.
Manage the addition, deletion, and modification of user IDs, authentication factors, and other identifiers.
Ensure immediate revocation of access for terminated users.
Remove inactive user accounts within 90 days of inactivity.
Manage accounts used by third parties for remote access to system components.
Require user re-authentication to re-activate terminals or sessions.
Ensure user access to system components is authenticated via authentication factors.
Use strong cryptography to render all authentication factors unreadable.
Verify user identity before modifying any authentication factor.
Limit the number of invalid authentication attempts.
Set and reset passwords/passphrases according to specified requirements.
Enforce minimum complexity requirements for passwords/passphrases.
Prevent the reuse of previously used passwords/passphrases.
Document and communicate authentication policies and procedures.
Define requirements for passwords/passphrases used as the only authentication factor.
Provide guidance to customer users when passwords are the only authentication factor for accessing cardholder data.
Define requirements for passwords used as the only authentication factor for customer access to cardholder data.
Use authentication factors for user access.
Implement multi-factor authentication (MFA) for non-console access into the Cardholder Data Environment (CDE) for administrative personnel.
Implement MFA for all access into the Cardholder Data Environment (CDE).
This subcontrol mandates the implementation of multi-factor authentication (MFA) for any remote access to systems within the Cardholder Data Environment (CDE). It ensures that multiple forms of authentication are required before access is granted to sensitive systems from outside the network.
Subcontrol 8.5.1 requires that multi-factor authentication (MFA) systems are implemented and operational for systems accessing cardholder data, ensuring that all users are authenticated using multiple factors before accessing sensitive systems.
Addresses the management of system or application accounts used for interactive logins.
Requires strong passwords/passphrases for interactive login accounts.
Requires protection of passwords/passphrases from misuse.
PCI DSS v4.0 Requirement 9 requires organizations to restrict physical access to cardholder data by implementing physical security controls, such as secured facilities, access controls, and monitoring, to prevent unauthorized individuals from accessing sensitive data.
Requires maintenance of a visitor log for tracking visitor activity.
Requires physical security measures for all media containing cardholder data.
Requires secure storage of offline media backups.
Requires periodic review of the security of offline media backup locations.
Requires classification of media according to the sensitivity of the data it contains.
Requires security measures for media sent outside the facility.
Requires management approval for media moved outside the facility.
Requires maintenance of inventory logs for electronic media.
Requires periodic inventories of electronic media.
Requires destruction of hard-copy materials no longer needed.
Requires destruction of electronic media no longer needed.
Requires procedures to protect Point-of-Interaction (POI) devices from tampering and substitution.
Requires maintenance of an up-to-date list of POI devices.
Requires periodic inspection of POI device surfaces.
Requires inspection of POI devices at a frequency based on risk.
Requires training for personnel on types of attacks against POI devices.
Requires management of security policies and operational procedures related to physical access to cardholder data.
Requires documentation and assignment of roles and responsibilities for physical access control activities.
Requires controls to restrict physical access to systems within the Cardholder Data Environment (CDE).
Requires monitoring procedures for individual physical access to sensitive areas.
Requires controls to restrict use of publicly accessible network jacks.
Requires restriction of physical access to critical network components.
Requires restriction of access to consoles in sensitive areas.
Requires procedures for authorizing and managing physical access of personnel.
Requires controlled physical access to sensitive areas for personnel.
Requires procedures for authorizing and managing visitor access.
Requires the use of visitor badges or identification requirements and procedures.
PCI DSS v4.0 Requirement 10 requires organizations to log and monitor all access to system components and cardholder data, ensuring comprehensive audit trails and real-time monitoring to detect and respond to security incidents effectively.
Identification and management of exceptions and anomalies during log reviews
Retention of audit log history for a minimum of 12 months
Use of time-synchronization technology to synchronize system clocks
Systems configured to use the correct and consistent time
Protection of time synchronization settings and data to prevent tampering
Detection and management of failures in critical security control systems for service providers
Failures in critical security systems must be detected, alerted, and addressed promptly
Prompt response to failures in critical security control systems
Requires limiting read access to audit log files.
Requires protection of audit log files to prevent modifications.
Requires proper backup configurations for audit log files.
Requires file integrity monitoring or change-detection mechanisms.
Regular review of audit logs for security and compliance
Use of automated mechanisms for audit log reviews
Periodic review of logs from all system components not covered under other specific requirements
Frequency of periodic log reviews based on targeted risk analysis
Requires audit logs to capture all changes to audit log activity status.
Requires audit logs to capture all creation and deletion of system-level objects.
Requires audit logs to record details for each auditable event.
Requires management of security policies and procedures for logging and monitoring.
Requires documentation and assignment of roles and responsibilities for logging and monitoring activities.
Requires audit logs to be enabled and active for system components and cardholder data.
Requires audit logs to capture individual user access to cardholder data.
Requires audit logs to capture actions taken by individuals with administrative access.
Requires audit logs to capture all access to audit logs themselves.
Requires audit logs to capture all invalid logical access attempts.
Requires audit logs to capture all changes to identification and authentication credentials.
PCI DSS v4.0 Requirement 11 mandates organizations to regularly test the security of systems and networks through vulnerability scans, penetration testing, and other assessments to identify and address potential security weaknesses.
Documentation and assignment of roles and responsibilities for system and network security testing activities
Management of authorized and unauthorized wireless access points
Maintenance of an inventory of authorized wireless access points
Periodic internal vulnerability scans to identify security weaknesses
Management of identified vulnerabilities to reduce security risks
Use of authenticated scanning for internal vulnerability scans
Internal vulnerability scans performed after significant changes to systems or networks
Regular external vulnerability scans to identify potential external threats
External vulnerability scans performed after significant changes to systems or networks
Documentation and implementation of penetration testing methodologies
Internal penetration testing conducted according to defined methodology and standards
External penetration testing conducted according to defined methodology and standards
Mitigation of vulnerabilities and weaknesses identified during penetration testing
Penetration tests on segmentation controls ensure that segmentation is effective in isolating environments to protect cardholder data
Service providers must conduct penetration tests on their segmentation controls to verify their effectiveness in isolating customer data
Multi-tenant service providers must assist their customers in conducting external penetration testing to ensure the security of shared environments
Intrusion-detection and/or intrusion-prevention systems must be deployed to monitor and protect the network from unauthorized access
Systems for intrusion detection and prevention must be capable of detecting and preventing unauthorized access to the network
Change-detection mechanisms must be deployed to alert personnel of unauthorized modifications to critical system files and configurations
Mechanisms to detect changes and tampering with system configurations must be deployed to protect the integrity of critical systems
Management of security policies and operational procedures related to system and network testing
PCI DSS v4.0 Requirement 12 requires organizations to support information security by establishing, maintaining, and enforcing comprehensive security policies and programs that address all aspects of data protection and compliance.
An information security policy must be established, documented, and maintained to guide security practices within the organization
The information security policy must be reviewed at least annually to ensure it remains effective and relevant
Information security roles and responsibilities must be defined and assigned to ensure accountability and effective security management
Responsibility for overseeing information security must be assigned to a member of executive management to ensure accountability
Acceptable use policies for end-user technologies must be documented and implemented to ensure secure usage practices
Targeted risk analyses must be documented to identify and mitigate specific risks to the organization's security posture
The entity may use a customized approach to meet PCI DSS requirements, provided it demonstrates that the approach achieves the desired outcomes
Cryptographic cipher suites and protocols in use must be documented and reviewed to ensure they remain secure and effective
Hardware and software technologies in use must be regularly reviewed to ensure they remain secure and up-to-date
Executive management must establish responsibility for protecting cardholder data and maintaining PCI DSS compliance
Regular reviews must be conducted to ensure that personnel are performing their tasks in line with security policies and procedures
Reviews conducted in accordance with Requirement 12.4.2 must be documented to provide evidence of compliance
A current inventory of system components that are in scope for PCI DSS must be maintained to support security management
Documentation and validation of PCI DSS scope are required to ensure all relevant components are included in the assessment.
PCI DSS scope must be verified for accuracy to ensure that all applicable components are included.
PCI DSS scope must be confirmed after significant changes to organizational structure to ensure continued compliance.
A formal security awareness program must be implemented to educate personnel on security best practices.
The security awareness program must be reviewed periodically to ensure its effectiveness.
Personnel must receive security awareness training to understand their responsibilities in protecting the organization.
Security awareness training must include information on current threats and vulnerabilities.
Security awareness training must include guidance on the acceptable use of end-user technologies.
Personnel who will have access to the Cardholder Data Environment (CDE) must be screened prior to hire, within the constraints of local laws.
A list of all TPSPs with whom account data is shared must be maintained.
Written agreements with TPSPs must be maintained to define the security responsibilities of each party.
A formal process must be established and implemented for engaging TPSPs.
A program must be implemented to periodically monitor the PCI DSS compliance status of TPSPs.
The organization must maintain and review the PCI DSS requirements and related system components for which each TPSP is responsible.
TPSPs must formally acknowledge their security responsibilities to their customers.
TPSPs must provide necessary information to support customers’ PCI DSS compliance efforts.
A comprehensive incident response plan must be maintained to address security incidents.
The incident response plan must be periodically tested and reviewed to ensure its effectiveness.
Specific personnel must be designated and available to respond immediately to suspected or confirmed security incidents.
Personnel must be appropriately and periodically trained on their incident response responsibilities.
Incident response personnel must be trained at a frequency that addresses the organization's risk.
Monitoring and responding to alerts from security monitoring systems must be implemented.
The security incident response plan must be modified and evolved based on lessons learned and changes in the threat landscape.
Incident response procedures must be established to ensure a quick response, analysis, and resolution of security incidents.
Appendix A1 of PCI DSS v4.0 specifies additional requirements for multi-tenant service providers to ensure the secure management of shared environments, including tenant isolation, access control, monitoring, and incident response, to protect cardholder data across multiple customers.
Logical separation controls must be implemented to ensure segregation of different tenants' data and resources.
Controls must be implemented to ensure customers can only access their own account data and Cardholder Data Environment (CDE).
Controls must be implemented to ensure that customers can only access resources allocated specifically to them.
Logical separation controls must be periodically validated through penetration testing.
Each customer’s environment must have audit log capabilities to track and monitor access and activities.
Processes must be implemented to facilitate prompt forensic investigations in case of security incidents.
Processes must be implemented for reporting and addressing security incidents and vulnerabilities.