A Beginner’s Guide to PCI DSS 4.0
A Look at the Requirements one-by-one
comforte
Adrian
Valid card data is highly sought after in the cybercrime underground. In fact, it’s helping to drive a global epidemic in payment fraud predicted to reach $40bn by 2026. In a bid to stem losses, the card industry created the Payment Card Industry Data Security Standard (PCI DSS) over two decades ago. No organisation that processes, transmits, or stores card data can afford to ignore it, yet compliance can be onerous.
To help newcomers, we’ve put together a short three-part series of blogs outlining the 12 key requirements and six control objectives of PCI DSS 4.0, which went into effect earlier this year. Together, they provide a comprehensive list of detailed best practices for complying organisations to follow.
They are:
- Requirement 1: Install and Maintain Network Security Controls
- Requirement 2: Apply Secure Configurations to All System Components
- Requirement 3: Protect Stored Account Data
- Requirement 4: Protect Cardholder Data with Strong Cryptography During Transmission Over Open, Public Networks
- Requirement 5: Protect All Systems and Networks from Malicious Software
- Requirement 6: Develop and Maintain Secure Systems and Software
- Requirement 7: Restrict Access to System Components and Cardholder Data by Business Need to Know
- Requirement 8: Identify Users and Authenticate Access to System Components
- Requirement 9: Restrict Physical Access to Cardholder Data
- Requirement 10: Log and Monitor All Access to System Components and Cardholder Data
- Requirement 11: Test the Security of Systems and Networks Regularly
- Requirement 12: Support Information Security with Organisational Policies and Programs
Let’s look at the requirements under the first two control objectives: Build and Maintain a Secure Network and Systems and Protect Account Data.
Control Objective 1: Build and Maintain a Secure Network and Systems
Requirement 1: Install and maintain network security controls
Network security controls (NSCs) such as firewalls are a critical means of enforcing network policies controlling traffic flowing between different segments of an internal network and between corporate networks and the internet. They examine each packet entering and leaving a segment and decide whether it should be allowed to pass or blocked, thus helping to prevent threat actors from getting into highly sensitive areas and smuggling data out.
Requirement 2: Apply secure configurations to all system components
Default settings (or configurations) are commonly abused by threat actors to compromise systems. The most obvious example is default passwords, which can often be guessed or brute-forced with ease. Thus, applying secure configurations such as changing default credentials and even removing/disabling unnecessary software, services, and accounts will dramatically reduce the attack surface.
Control Objective 2: Protect Account Data
Requirement 3: Protect stored account data
This gets to the heart of PCI DSS: protecting the card data itself. It’s arguably the most important objective: if a threat actor manages to bypass the other security controls recommended in the standard, protecting the stored data itself renders it effectively unusable to them. The standard cites protection methods, including encryption, truncation, masking and hashing, as critical to account data protection.
Payment account data should only be stored if it is an essential business requirement, and sensitive authentication data must never be retained post-authorisation. Other tactics suggested by PCI DSS to mitigate risk include truncating card numbers if the full number is not needed and ensuring sensitive data is not sent unencrypted over messaging technologies like email and IM.
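Two of the protection methods named above, masking and truncation, are simple enough to show in a few lines. The following is an added example (not code from comforte or the PCI Security Standards Council) and assumes the PCI DSS 4.0 rule that a displayed PAN shows at most the BIN and the last four digits; the redaction scan over free text illustrates the point about not sending PANs over email or IM. The PAN used is the standard test number 4111 1111 1111 1111, not a real card.

```python
import re

# Constructed sample: a standard Luhn-valid test number, not a real card.
SAMPLE_PAN = "4111111111111111"


def luhn_valid(pan: str) -> bool:
    """Return True if the digit string passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str, bin_digits: int = 6) -> str:
    """Mask a PAN for display: keep the BIN and last four, star the rest.
    Assumes the PCI DSS 4.0 limit of BIN + last four as the maximum shown."""
    if not (pan.isdigit() and 13 <= len(pan) <= 19):
        raise ValueError("not a PAN-shaped digit string")
    return pan[:bin_digits] + "*" * (len(pan) - bin_digits - 4) + pan[-4:]


def truncate_pan(pan: str) -> str:
    """Truncate for storage when the full PAN is not needed: keep last four only."""
    return pan[-4:]


# 13-19 digits, optionally separated by single spaces or dashes, not inside a longer run.
_PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def redact_pans(text: str) -> str:
    """Replace every Luhn-valid PAN-like run in free text (e.g. an email body)
    with its masked form; non-Luhn digit runs such as order numbers are left alone."""
    def repl(m: re.Match) -> str:
        raw = m.group(0)
        digits = re.sub(r"[ -]", "", raw)
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            return mask_pan(digits)
        return raw
    return _PAN_RE.sub(repl, text)


if __name__ == "__main__":
    print(mask_pan(SAMPLE_PAN), truncate_pan(SAMPLE_PAN))
    print(redact_pans("Please charge 4111 1111 1111 1111 for order 1234567890123456"))
```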
Requirement 4: Protect cardholder data with strong cryptography during transmission over open, public networks
PCI DSS 4.0 is very clear that primary account numbers (PANs) must be encrypted during transmission over networks that could be easily accessed by malicious third parties—e.g. untrusted and public networks. The same is true of the transmission of cardholder data across internal networks. Organisations can either secure the data before transmission, encrypt the session during which the data is transmitted, or both. The PCI DSS claims that threat actors continue to target misconfigured wireless networks and vulnerabilities in legacy encryption and authentication protocols to reach PANs.
How SecurDPS supports PCI DSS compliance
Fortunately, comforte’s SecurDPS platform offers a clear pathway to helping organisations meet several of the key requirements and control objectives in PCI DSS 4.0.
How? By offering:
- Automated and continuous data discovery and classification
- Multiple protection methods for pseudonymisation & anonymisation of data, including format-preserving encryption and tokenisation
- Seamless integration with third-party applications for rapid time-to-value
- Support for role-based access controls to bolster security
An independent analysis of the product by Coalfire attests to the fact that SecurDPS supports:
Requirement 2: Apply Secure Configurations to All System Components
2.2 System components are configured and managed securely.
Requirement 3: Protect Stored Account Data
3.4 Access to displays of full PAN and the ability to copy account data is restricted.
3.5 PAN is secured wherever it is stored.
3.6 Cryptographic keys used to protect stored account data are secured.
3.7 Where cryptography is used to protect stored account data, key management processes and procedures covering all aspects of the key lifecycle are defined and implemented.
With comforte’s SecurDPS, organisations can help to reduce their PCI DSS compliance scope, which in turn minimises the time, money and effort they must spend on compliance.
To help organisations, we’ve put together a short three-part series of blogs outlining these requirements. Following on from this first instalment focusing on Requirements 1-4, the second piece outlines Requirements 5-9, while the final blog highlights Requirements 10-12 and shows how comforte can help.