Secured integration to the future

New standard version - PCI DSS 4.0

01.03.2023
The world is developing and changing at a rapid pace, and the changes in IT technologies are remarkably rapid. This article describes the essential changes that are coming to the PCI DSS standard shortly.
The PCI DSS standard is a set of requirements for ensuring the security of payment cardholder data stored, transmitted, and processed in organizations' information infrastructures.
The PCI DSS standard contains 12 requirements:

1. Protection of the computer network.
2. Configuration of the components of the information structure.
3. Protection of cardholder data.
4. Protection of transmitted cardholder data.
5. Antivirus protection of information infrastructure.
6. Development and support of information systems.
7. Managing access to cardholder data.
8. Authentication mechanisms.
9. Physical protection of information infrastructure.
10. Information security management.
11. Event and action logging.
12. Monitoring the security of information infrastructure.
PCI DSS 4.0 is a new version of the standard, which we will discuss in this article. The standard's structure remains the same, consisting of the 12 requirements we listed earlier.
The old version of PCI DSS 3.2.1, developed in 2018, is irrevocably becoming a thing of the past. Protection against modern cyber threats must be effective and meet real-time demands.
When will the new version of PCI DSS 4.0 come into force and become mandatory?
The requirements of PCI DSS 4.0 will become mandatory only after 31.03.2025, and until that date, the new requirements are only a recommendation.
The current version of the PCI DSS 3.2.1 standard will become obsolete in the second quarter (1 April) of 2024. Accordingly, if an organization undergoes a scheduled recertification by the end of the first quarter of 2024, it can still pass it according to the requirements of version 3.2.1.
What's new in PCI DSS v4.0?
For starters, each requirement has been updated with a sub-requirement that all roles and responsibilities involved in meeting that requirement within the organization must be documented and described.
What has changed in each of the twelve points?
1. Protection of the computer network. There are no specific changes to this section in the new PCI DSS v4.0 standard.
2. Configuration of information structure components. Like the first section, it also remains unchanged.
3. Protection of cardholder data. This section received the following new requirements:
• the requirements for the hashes used are now described separately (as was already the case for encryption),
• the encryption architecture must now be documented by all organizations, not only by service providers,
• instead of the 6/4 masking format (first six and last four digits), masking in the BIN/4 format (BIN plus last four digits) is now allowed.
4. Protection of transmitted cardholder data. The fourth section received two new requirements. An inventory of all trusted keys and certificates used to protect the card number in transit must be maintained, and requirements have been added for the certificates that protect the full card number when it is transmitted over public networks.
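As an added example (not from the article or from the PCI SSC), the following Python helper implements both masking formats mentioned above: the legacy first-six/last-four format and the BIN plus last-four format. It assumes the BIN is the first 6 or 8 digits of the PAN, uses the constructed test value 4111111111111111, and applies a Luhn check only as input validation.

```python
import re

def luhn_valid(pan: str) -> bool:
    """Luhn mod-10 check, used only to reject malformed input before masking."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def mask_pan(pan: str, style: str = "bin4", bin_length: int = 8, fill: str = "X") -> str:
    """Mask a PAN for display.

    style="64"   -> legacy first-six / last-four format (the article's 6/4)
    style="bin4" -> BIN plus last four (the article's BIN/4); bin_length is
                    6 or 8 (assumption: 8-digit BINs exist under ISO/IEC 7812)
    """
    if not re.fullmatch(r"\d{13,19}", pan) or not luhn_valid(pan):
        raise ValueError("not a well-formed PAN")
    if style == "64":
        lead = 6
    elif style == "bin4":
        if bin_length not in (6, 8):
            raise ValueError("BIN length must be 6 or 8")
        lead = bin_length
    else:
        raise ValueError(f"unknown masking style {style!r}")
    hidden = len(pan) - lead - 4
    if hidden < 1:
        raise ValueError("masking would leave no digits hidden")
    return pan[:lead] + fill * hidden + pan[-4:]

def digits_exposed(masked: str) -> int:
    """Count clear-text digits in a masked value, e.g. when reviewing a screen or report."""
    return sum(ch.isdigit() for ch in masked)

if __name__ == "__main__":
    pan = "4111111111111111"  # constructed test value, not a real card
    for style, bl in (("64", 6), ("bin4", 6), ("bin4", 8)):
        m = mask_pan(pan, style=style, bin_length=bl)
        print(f"{style:>4} bin={bl}: {m} ({digits_exposed(m)} digits exposed)")
```

Note that with an 8-digit BIN only four digits of a 16-digit PAN remain hidden, which is why the same display should never be combined with other partial views of the number.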
5. Antivirus protection of information infrastructure. This section has five new requirements. The fifth section is where the concept of targeted risk analysis, which is unique to the PCI DSS standard, first appears. Version 4.0 of the standard allows organizations to complete the risk-analysis table themselves; its template is provided in the new version of the standard, and it analyses a particular risk and records the conclusion about accepting, compensating for, or avoiding it. Completing this table requires determining the periodicity and frequency of scanning systems with antivirus tools, as well as the frequency of checks on systems that are considered not to be exposed to virus threats. The fifth section also specifies that the antivirus must now scan all removable media, and that the organization must protect itself from phishing.
6. Develop and maintain information systems. This section contains three new requirements. It is necessary to create and maintain a register of all software in use and all third-party software. Also, owners of payment web pages must keep a list of all scripts on each such page, with a justification for the need for each of them. And a web application firewall (WAF) is now mandatory.
7. Controlling access to cardholder data. The seventh section received three new requirements. It is necessary to review all accounts for the legitimacy of their existence and rights at least once every six months, and the requirements for technical and service accounts have been set out separately.
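As an added example (not from the article or any PCI SSC material), here is a Python check for the script inventory requirement just described: it lists every script on a payment page and compares it with a documented inventory of scripts and their justifications. The page HTML, the inventory and all hostnames are constructed for the example; inline scripts are identified by the SHA-256 of their body.

```python
import hashlib
from html.parser import HTMLParser

# Constructed inventory: script identifier -> written justification for its presence.
SCRIPT_INVENTORY = {
    "/static/checkout.js": "Builds the card form and hands input to the PSP hosted fields",
    "https://js.psp.example/hosted-fields.js": "PSP library required by the payment integration",
}

# Constructed payment page: two inventoried scripts, one unknown tag and one inline script.
PAYMENT_PAGE = """<html><head>
<script src="/static/checkout.js"></script>
<script src="https://js.psp.example/hosted-fields.js"></script>
<script src="https://cdn.tagvendor.example/tag.js"></script>
<script>window.__cfg = {env: "prod"};</script>
</head><body><form id="card-form"></form></body></html>"""

class ScriptCollector(HTMLParser):
    """Collect external scripts by src and inline scripts by the SHA-256 of their body."""
    def __init__(self):
        super().__init__()
        self.scripts = []
        self._inline = None  # text chunks while inside an inline <script>
    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.scripts.append(src)
        else:
            self._inline = []
    def handle_data(self, data):
        if self._inline is not None:
            self._inline.append(data)
    def handle_endtag(self, tag):
        if tag == "script" and self._inline is not None:
            body = "".join(self._inline).strip().encode()
            self.scripts.append("inline:sha256:" + hashlib.sha256(body).hexdigest())
            self._inline = None

def audit_scripts(html: str, inventory: dict) -> dict:
    """Split the page's scripts into inventoried, unauthorized and no-longer-present."""
    parser = ScriptCollector()
    parser.feed(html)
    parser.close()
    found, documented = set(parser.scripts), set(inventory)
    return {"authorized": sorted(found & documented),
            "unauthorized": sorted(found - documented),
            "missing": sorted(documented - found)}
```

Running the check on a schedule and alerting on any non-empty "unauthorized" list gives the evidence an assessor will ask for; the "missing" list flags inventory entries that should be retired.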
8. Authentication mechanisms. Five new requirements have emerged in this section. Special attention is paid to multi-factor authentication. There are requirements for accounts that can be used for interactive login.
9. Physical protection of information infrastructure. Section nine has only one new requirement. A targeted risk analysis determines whether POI devices need to be checked for counterfeiting, and how often these checks are performed.
10. Information security management. This section contains three new requirements. They include the mandatory use of automated log-checking mechanisms from 2025.
11. Recording of events and actions. Section 11 has five new requirements. It specifies the features and procedures for internal vulnerability scanning (which only authorized personnel may perform) and adds that IDS/IPS systems must detect and block covert malware communication channels. The concept of a multi-tenant service provider is introduced: data centers and cloud providers fall under this definition, and all of them will have to undergo additional scrutiny under Appendix A1.
12. Information infrastructure security control. This section has thirteen new requirements. It is important to note that two of these requirements are mandatory as early as 2024: the already-mentioned "targeted risk analysis" must be conducted at least once a year, and the documented description of the compliance scope must be kept up to date and audited at least once a year or whenever the environment changes significantly. The rest of the new requirements document further aspects of an organization's compliance with the PCI DSS.
Compliance with PCI DSS 4.0 is critical to maintaining the trust of your customers. It also prevents the accidental loss or disclosure of sensitive credit card information and an endless stream of attacks from cybercriminals. Follow these steps, and your business will be ready to comply with the updated PCI DSS v4.0 standard. We have prepared some helpful links for you to find answers to further questions.
Link to the text of the PCI DSS v4.0 standard: https://docs-prv.pcisecuritystandards.org/PCI%20DSS/Standard/PCI-DSS-v4_0.pdf
Link to a description of the changes in PCI DSS v4.0 compared to v3.2.1: https://docs-prv.pcisecuritystandards.org/PCI%20DSS/Standard/PCI-DSS-v3-2-1-to-v4-0-Summary-of-Changes-r2.pdf
Our specialists are ready to provide you with more detailed information.
We want to remind you that we have created a separate website dedicated to PCI DSS certification. We invite you to visit the site https://getpci.com/ for more information about the PCI DSS standard.