NonStop Insider

A Beginner’s Guide to PCI DSS 4.0

A Look at the Requirements one-by-one

comforte

Adrian

Valid card data is highly sought after in the cybercrime underground. In fact, it’s helping to drive a global epidemic in payment fraud predicted to reach $40bn by 2026. In a bid to stem losses, the card industry created the Payment Card Industry Data Security Standard (PCI DSS) over two decades ago. No organisation that processes, transmits, or stores card data can afford to ignore it, yet compliance can be onerous.

To help newcomers, we’ve put together a short three-part series of blogs outlining the 12 key requirements of PCI DSS 4.0 and six control objectives, which went into effect earlier this year. Together, they provide a comprehensive list of detailed best practices for complying organisations to follow.

They are:

Let’s look at the requirements under the first two control objectives: Build and Maintain a Secure Network and Systems and Protect Account Data.

Control Objective 1: Build and Maintain a Secure Network and Systems

Requirement 1: Install and maintain network security controls

Network security controls (NSCs) such as firewalls are a critical means of enforcing network policies controlling traffic flowing between different segments of an internal network and between corporate networks and the internet. They examine each packet entering and leaving a segment and decide whether it should be allowed to pass or blocked, thus helping to prevent threat actors from getting into highly sensitive areas and smuggling data out.

Requirement 2: Apply secure configurations to all system components

Default settings (or configurations) are commonly abused by threat actors to compromise systems. The most obvious example is default passwords, which can often be guessed or brute-forced with ease. Thus, applying secure configurations such as changing default credentials and even removing/disabling unnecessary software, services, and accounts will dramatically reduce the attack surface.

Control Objective 2: Protect Account Data

Requirement 3: Protect stored account data

This gets to the heart of PCI DSS: protecting the card data itself. It’s arguably the most important requirement in the standard: if a threat actor manages to bypass the other security controls the standard recommends, protection applied to the stored data itself still renders that data effectively unusable. The standard cites protection methods, including encryption, truncation, masking and hashing, as critical to account data protection.

Payment account data should only be stored if it is an essential business requirement, and sensitive authentication data must never be retained post-authorisation. Other tactics suggested by PCI DSS to mitigate risk include truncating card numbers if the full number is not needed and ensuring sensitive data is not sent unencrypted over messaging technologies like email and IM.
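As an added illustration (not code from the article or from comforte's product), here is how the three PAN protection methods named above, truncation, masking and hashing, differ in Python: truncation discards the middle digits before storage, masking only hides them for display, and a keyed hash (HMAC) yields a lookup token that does not reveal the PAN. The sample PAN is a constructed Luhn-valid test number, and the first-six/last-four format and the HMAC key are assumptions for the example.

```python
import hashlib
import hmac
import re

# Constructed sample PAN (a well-known Luhn-valid test number, not a real card).
SAMPLE_PAN = "4111 1111 1111 1111"


def luhn_valid(pan: str) -> bool:
    """Luhn checksum: double every second digit from the right, subtract 9 when the result exceeds 9."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def normalise_pan(raw: str) -> str:
    """Strip separators and check that what remains looks like a PAN (13-19 digits, Luhn-valid)."""
    pan = re.sub(r"[\s-]", "", raw)
    if not re.fullmatch(r"\d{13,19}", pan):
        raise ValueError("PAN must be 13-19 digits")
    if not luhn_valid(pan):
        raise ValueError("PAN fails Luhn check")
    return pan


def truncate_pan(raw: str) -> dict:
    """Truncation: keep only the first six and last four digits; the middle digits are discarded, never stored.
    The first-six/last-four format is an assumption here; the permitted digit counts come from PCI SSC guidance."""
    pan = normalise_pan(raw)
    return {"first6": pan[:6], "last4": pan[-4:]}


def mask_pan(raw: str) -> str:
    """Masking: the same digits are shown, the rest replaced for display; the full PAN still exists elsewhere."""
    pan = normalise_pan(raw)
    return pan[:6] + "X" * (len(pan) - 10) + pan[-4:]


def pan_lookup_token(raw: str, key: bytes) -> str:
    """Keyed hash (HMAC-SHA256) of the full PAN, usable as a lookup token that does not disclose the PAN.
    A plain hash of a 16-digit PAN is cheap to brute-force; the secret key (held in a KMS/HSM) is what prevents that."""
    pan = normalise_pan(raw)
    return hmac.new(key, pan.encode("ascii"), hashlib.sha256).hexdigest()
```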

Requirement 4: Protect cardholder data with strong cryptography during transmission over open, public networks

PCI DSS 4.0 is very clear that primary account numbers (PANs) must be encrypted during transmission over networks that could be easily accessed by malicious third parties—e.g. untrusted and public networks. The same is true of the transmission of cardholder data across internal networks. Organisations can either secure the data before transmission, encrypt the session during which the data is transmitted, or both. The PCI DSS claims that threat actors continue to target misconfigured wireless networks and vulnerabilities in legacy encryption and authentication protocols to reach PANs.

How SecurDPS supports PCI DSS compliance

Fortunately, comforte’s SecurDPS platform offers a clear pathway to helping organisations meet several of the key requirements and control objectives in PCI DSS 4.0.

How? By offering:

An independent analysis of the product by Coalfire attests to the fact that SecurDPS supports:

Requirement 2: Apply Secure Configurations to All System Components

2.2 System components are configured and managed securely.

Requirement 3: Protect Stored Account Data

3.4 Access to displays of full PAN and the ability to copy account data is restricted.

3.5 PAN is secured wherever it is stored.

3.6 Cryptographic keys used to protect stored account data are secured.

3.7 Where cryptography is used to protect stored account data, key management processes and procedures covering all aspects of the key lifecycle are defined and implemented.

With comforte’s SecurDPS, organisations can help to reduce their PCI DSS compliance scope, which in turn minimises the time, money and effort they must spend on compliance.

Data breaches reached a record high in the US last year, impacting over 350 million individuals. According to one estimate, financial services firms suffered the second-highest total of breaches in 2023: 744. It’s not hard to imagine why. In many cases, threat actors will have been focused on targeting banks and other providers for the wealth of sensitive financial information they hold, like card data. This is exactly why the Payment Card Industry Data Security Standard (PCI DSS) was devised 20 years ago.

It’s not just financial institutions that must comply. Any organisation that stores, transmits, or processes cardholder data must meet a strict set of 12 requirements (and sub-requirements), which are helpfully arranged under six control objectives, according to the latest version of the standard: PCI DSS 4.0.

To help organisations, we’ve put together a short three-part series of blogs outlining these requirements. Following on from this first instalment, which focuses on Requirements 1-4, the second piece outlines Requirements 5-9, while the final blog highlights Requirements 10-12 and shows how comforte can help:

PCI DSS 4.0 was designed 20 years ago to help reduce the risk of major breaches of card data at financial services firms, retailers and others that store, process and transmit this information. As the emergence of AI tooling and a sophisticated cybercrime supply chain tilt the advantage in threat actors’ favour, the best practice security steps mandated by the standard are more relevant today than ever. Yet compliance can take significant time and effort.

Curious about the latest in PCI DSS v4.0?

Our latest document offers a quick, essential overview of key changes and insights and strategies for reducing PCI audit scope. It’s a must-read for anyone managing PCI compliance and looking to streamline their efforts. Don’t miss out—download now to stay informed!

Download the Complete Guide