In this blog, we provide a comprehensive overview of the updated Payment Card Industry Data Security Standard (PCI DSS) version 4.0. We delve into each of the 12 requirements designed to secure cardholder data and safeguard payment processing environments. Whether you're new to PCI DSS or looking to understand the changes in version 4.0, this blog will equip you with essential knowledge to ensure compliance and protect your business from data breaches and financial penalties.
Build and Maintain a Secure Network and Systems
Previously, acquiring financial records required a criminal to physically break into a business facility. Today, payment transactions are conducted via a diverse array of electronic devices, encompassing conventional payment terminals, mobile gadgets, and other web-connected computing systems. By employing network security controls, companies can effectively block cybercriminals from remotely accessing payment system networks and misappropriating payment account information.
PCI DSS Requirement 1: Install and maintain network security controls
Network security controls (NSCs) are essential policy enforcement points that typically manage network traffic between two or more logical or physical network segments (or subnets) based on pre-established policies or rules. These controls, which include firewalls and other network security technologies, help maintain the integrity and security of the network. While physical firewalls have traditionally provided this function, advancements in technology now allow for the use of virtual devices, cloud access controls, virtualization/container systems, and other software-defined networking solutions to offer similar capabilities.
1.1 Processes and mechanisms for installing and maintaining network security controls are defined and understood.
1.2 Network security controls (NSCs) are configured and maintained.
1.3 Network access to and from the cardholder data environment is restricted.
1.4 Network connections between trusted and untrusted networks are controlled.
1.5 Risks to the CDE from computing devices that are able to connect to both untrusted networks and the CDE are mitigated.
PCI DSS Requirement 2: Apply secure configurations to all system components
Malicious actors, both from outside and within an organization, frequently exploit default passwords and other vendor default settings to compromise systems. These passwords and settings are widely known and can be easily discovered through public information sources.
Implementing secure configurations on system components minimizes the opportunities available for attackers to breach systems. Changing default passwords, eliminating unnecessary software, functions, and accounts, as well as disabling or removing unneeded services, contribute to a reduced potential attack surface.
2.1 Processes and mechanisms for applying secure configurations to all system components are defined and understood.
2.2 System components are configured and managed securely.
2.3 Wireless environments are configured and managed securely.
Protect Account Data
Payment account data encompasses all information related to a payment card, whether it is printed, processed, transmitted, or stored in any form. Account data includes both cardholder data and sensitive authentication data, and safeguarding this data is mandatory whenever it is stored, processed, or transmitted.
Organizations that accept payment cards are responsible for protecting account data and preventing its unauthorized use. This applies to data that is printed, stored locally, or transmitted over internal or public networks to remote servers or service providers.
PCI DSS Requirement 3: Protect stored account data
Payment account data should be stored only when it is essential for business purposes. Sensitive authentication data must never be retained after authorization. If your organization stores PAN, it must be rendered unreadable. If your organization holds sensitive authentication data before authorization is complete, that data must also be protected.
3.1 Processes and mechanisms for protecting stored account data are defined and understood.
3.2 Storage of account data is kept to a minimum.
3.3 Sensitive authentication data (SAD) is not stored after authorization.
3.4 Access to displays of full PAN and ability to copy cardholder data are restricted.
3.5 Primary account number (PAN) is secured wherever it is stored.
3.6 Cryptographic keys used to protect stored account data are secured.
3.7 Where cryptography is used to protect stored account data, key management processes and procedures covering all aspects of the key lifecycle are defined and implemented.
Account data and storage requirements:

| Account Data | Data Elements | Storage Restrictions | Required to Render Stored Data Unreadable |
| --- | --- | --- | --- |
| Cardholder Data | Primary Account Number (PAN) | Storage is kept to a minimum as defined in Requirement 3.2 | Yes, as defined in Requirement 3.5 |
| Cardholder Data | Cardholder Name | Storage is kept to a minimum as defined in Requirement 3.2 | No |
| Cardholder Data | Service Code | Storage is kept to a minimum as defined in Requirement 3.2 | No |
| Cardholder Data | Expiration Date | Storage is kept to a minimum as defined in Requirement 3.2 | No |
| Sensitive Authentication Data | Full Track Data | Cannot be stored after authorization as defined in Requirement 3.3.1 | Yes, data stored until authorization is complete must be protected with strong cryptography as defined in Requirement 3.3.2 |
| Sensitive Authentication Data | Card Verification Code | Cannot be stored after authorization as defined in Requirement 3.3.1 | Yes, data stored until authorization is complete must be protected with strong cryptography as defined in Requirement 3.3.2 |
| Sensitive Authentication Data | PIN/PIN Block | Cannot be stored after authorization as defined in Requirement 3.3.1 | Yes, data stored until authorization is complete must be protected with strong cryptography as defined in Requirement 3.3.2 |
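As an added example (not code from the original post), the following Python models the storage rules of Requirement 3 and the table above: the PAN is masked for display, replaced by a keyed one-way hash for storage, and any sensitive authentication data is rejected once authorization has completed. The field names, the sample record and the key are constructed for this example.

```python
import hashlib
import hmac
import re

# Data elements from the account-data table above. The dictionary keys are this
# example's own (constructed) field names, not identifiers from the standard.
CARDHOLDER_DATA = {"pan", "cardholder_name", "service_code", "expiration_date"}
SENSITIVE_AUTH_DATA = {"full_track_data", "card_verification_code", "pin_block"}


def mask_pan(pan: str) -> str:
    """Display form (Requirement 3.4): keep the first six and last four digits,
    replace the rest with '*'. Spaces and dashes in the input are ignored."""
    digits = re.sub(r"\D", "", pan)
    if not 13 <= len(digits) <= 19:
        raise ValueError("PAN must be 13-19 digits")
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def protect_pan(pan: str, key: bytes) -> str:
    """Storage form (Requirement 3.5): keyed one-way hash (HMAC-SHA256) of the
    full PAN. The key is protected material under Requirements 3.6 and 3.7 and
    must never be stored beside the hash; callers pass a constructed key here."""
    digits = re.sub(r"\D", "", pan)
    return hmac.new(key, digits.encode(), hashlib.sha256).hexdigest()


def prepare_for_storage(record: dict, key: bytes, authorized: bool) -> dict:
    """Return the only fields allowed into post-authorization storage:
    SAD is rejected (Requirement 3.3), unknown fields are dropped to keep
    storage minimal (Requirement 3.2), and the full PAN is replaced by its
    masked and keyed-hash forms. The pre-authorization path, where SAD is
    held under strong cryptography until authorization completes, is not
    modelled here."""
    if not authorized:
        raise ValueError("only post-authorization records are stored here")
    leaked = SENSITIVE_AUTH_DATA & set(record)
    if leaked:
        raise ValueError(f"SAD must not be stored after authorization: {sorted(leaked)}")
    stored = {k: v for k, v in record.items() if k in CARDHOLDER_DATA and k != "pan"}
    stored["pan_masked"] = mask_pan(record["pan"])
    stored["pan_hmac"] = protect_pan(record["pan"], key)
    return stored


# Constructed sample record: a test PAN plus a card verification code that
# must never reach storage once authorization has completed.
SAMPLE = {"pan": "4111 1111 1111 1111", "cardholder_name": "A. Example",
          "expiration_date": "12/29", "card_verification_code": "123"}
```

Calling `prepare_for_storage(SAMPLE, key, authorized=True)` raises because the record still carries the card verification code; with that field removed it returns the name, expiry, masked PAN and HMAC only.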
PCI DSS Requirement 4: Protect cardholder data with strong cryptography during transmission over open, public networks
In order to safeguard against potential breaches, primary account numbers (PANs) must be encrypted when transmitted over networks that are susceptible to unauthorized access, such as unsecured and public networks. Malicious actors continue to target improperly configured wireless networks and outdated encryption and authentication protocols to exploit these weaknesses and gain privileged access to cardholder data environments (CDE). PAN transmissions can be secured by encrypting the data prior to transmission, encrypting the session during which the data is transmitted, or employing both methods.
4.1 Processes and mechanisms for protecting cardholder data with strong cryptography during transmission over open, public networks are defined and documented.
4.2 PAN is protected with strong cryptography during transmission.
Maintain a Vulnerability Management Program
Vulnerability management entails the systematic and ongoing process of identifying and addressing weaknesses within an organization's payment card ecosystem. This involves tackling threats posed by malicious software, regularly identifying and fixing vulnerabilities, and guaranteeing that software is developed securely, free from known coding vulnerabilities.
PCI DSS Requirement 5: Protect all systems and networks from malicious software
Malware is software or firmware designed to infiltrate or damage a computer system without the owner's consent, intending to compromise the confidentiality, integrity, or availability of the owner's data, applications, or operating system. Examples include viruses, worms, Trojans, spyware, ransomware, keyloggers, rootkits, malicious code, scripts, and links. Malware can infiltrate the network through various business-approved activities, such as employee email (e.g., through phishing), internet usage, mobile computers, and storage devices, leading to the exploitation of system vulnerabilities.
5.1 Processes and mechanisms for protecting all systems and networks from malicious software are defined and understood.
5.2 Malicious software (malware) is prevented, or detected and addressed.
5.3 Anti-malware mechanisms and processes are active, maintained, and monitored.
5.4 Anti-phishing mechanisms protect users against phishing attacks.
PCI DSS Requirement 6: Develop and maintain secure systems and software
Security vulnerabilities in systems and applications can enable criminals to access payment data. Many of these vulnerabilities can be resolved by installing vendor-supplied security patches, which quickly fix specific programming code issues. All system components must have the latest critical security patches installed to prevent exploitation. Entities must also apply patches to less critical systems within an appropriate timeframe, based on a formal risk analysis. Applications should be developed following secure development and coding practices, and any changes to systems within the cardholder data environment must adhere to change control procedures.
6.1 Processes and mechanisms for developing and maintaining secure systems and software are defined and understood.
6.2 Bespoke and custom software are developed securely.
6.3 Security vulnerabilities are identified and addressed.
6.4 Public-facing web applications are protected against attacks.
6.5 Changes to all system components are managed securely.
Implement Strong Access Control Measures
Access to payment account data should be granted solely based on a legitimate business need. Logical access controls are technological measures employed to allow or restrict access to data on computer systems. Physical access controls involve utilizing locks or other tangible methods to limit access to computer media, paper-based records, and computer systems.
PCI DSS Requirement 7: Restrict access to cardholder data by business need-to-know
Ineffective access control rules and definitions can lead to unauthorized individuals gaining access to critical data or systems. To guarantee that critical data is accessible only to authorized personnel, systems and processes must be implemented to restrict access based on the need to know and in alignment with job responsibilities. "Need to know" pertains to granting access exclusively to the minimal amount of data required for task completion. "Least privilege" denotes assigning only the minimum level of privileges necessary to carry out a job.
7.1 Processes and mechanisms for restricting access to system components and cardholder data by business need to know are defined and understood.
7.2 Access to system components and data is appropriately defined and assigned.
7.3 Access to system components and data is managed via an access control system(s).
PCI DSS Requirement 8: Identify users and authenticate access to system components
Allocating a unique identification (ID) to each individual with access guarantees that actions performed on critical data and systems can be attributed to known and authorized users. Unless specified otherwise in the requirement, these stipulations apply to all accounts, encompassing point-of-sale accounts, those with administrative capabilities, and any account utilized to view or access payment account data or systems containing such data. These requirements, however, do not pertain to accounts used by consumers (cardholders).
8.1 Processes and mechanisms for identifying users and authenticating access to system components are defined and understood.
8.2 User identification and related accounts for users and administrators are strictly managed throughout an account’s lifecycle.
8.3 Strong authentication for users and administrators is established and managed.
8.4 Multi-factor authentication (MFA) is implemented to secure access into the CDE.
8.5 Multi-factor authentication (MFA) systems are configured to prevent misuse.
8.6 Use of application and system accounts and associated authentication factors is strictly managed.
PCI DSS Requirement 9: Restrict physical access to cardholder data
Physical access to cardholder data or systems that store, process, or transmit such data should be limited to prevent unauthorized individuals from accessing or removing systems or hardcopies containing this information.
9.1 Processes and mechanisms for restricting physical access to cardholder data are defined and understood.
9.2 Physical access controls manage entry into facilities and systems containing cardholder data.
9.3 Physical access for personnel and visitors is authorized and managed.
9.4 Media with cardholder data is securely stored, accessed, distributed, and destroyed.
9.5 Point-of-interaction (POI) devices are protected from tampering and unauthorized substitution.
Regularly Monitor and Test Networks
Physical, virtual, and wireless networks serve as the backbone connecting all endpoints and servers within the payment infrastructure. Network vulnerabilities create opportunities for criminals to gain unauthorized access to payment applications and payment account data. To mitigate these risks, entities must consistently monitor and assess their networks, addressing any unexpected access or activities, security system failures, and vulnerabilities in a timely manner.
PCI DSS Requirement 10: Log and monitor all access to system components and cardholder data
Logging mechanisms and the capacity to monitor user activities are essential for detecting anomalies, identifying suspicious behavior, and facilitating effective forensic analysis. Maintaining logs across all environments enables comprehensive tracking and evaluation in the event of an issue. Pinpointing the cause of a security breach becomes significantly more challenging, if not impossible, without proper system activity logs in place.
10.1 Processes and mechanisms for logging and monitoring all access to system components and cardholder data are defined and documented.
10.2 Audit logs are implemented to support the detection of anomalies and suspicious activity, and the forensic analysis of events.
10.3 Audit logs are protected from destruction and unauthorized modifications.
10.4 Audit logs are reviewed to identify anomalies or suspicious activity.
10.5 Audit log history is retained and available for analysis.
10.6 Time-synchronization mechanisms support consistent time settings across all systems.
10.7 Failures of critical security control systems are detected, reported, and responded to promptly.
PCI DSS Requirement 11: Test security of systems and networks regularly
Vulnerabilities are constantly being identified by both malicious individuals and security researchers, as well as being introduced by new software. System components, processes, and custom software should undergo regular testing to ensure that security controls remain effective in an ever-evolving environment.
11.1 Processes and mechanisms for regularly testing security of systems and networks are defined and understood.
11.2 Wireless access points are identified and monitored, and unauthorized wireless access points are addressed.
11.3 External and internal vulnerabilities are regularly identified, prioritized, and addressed.
11.4 External and internal penetration testing is regularly performed, and exploitable vulnerabilities and security weaknesses are corrected.
11.5 Network intrusions and unexpected file changes are detected and responded to.
11.6 Unauthorized changes on payment pages are detected and responded to.
Maintain an Information Security Policy
A strong security policy sets the tone for security affecting an entity’s entire company, and it informs employees of their expected duties related to security. All employees should be aware of the sensitivity of payment account data and their responsibilities for protecting it.
PCI DSS Requirement 12: Support information security with organizational policies and programs
12.1 A comprehensive information security policy that governs and provides direction for protection of the entity’s information assets is known and current.
12.2 Acceptable use policies for end-user technologies are defined and implemented.
12.3 Risks to the cardholder data environment are formally identified, evaluated, and managed.
12.4 PCI DSS compliance is managed.
12.5 PCI DSS scope is documented and validated.
12.6 Security awareness education is an ongoing activity.
12.7 Personnel are screened to reduce risks from insider threats.
12.8 Risk to information assets associated with third-party service provider (TPSP) relationships is managed.
12.9 Third-party service providers (TPSPs) support their customers’ PCI DSS compliance.
12.10 Suspected and confirmed security incidents that could impact the CDE are responded to immediately.