The Payment Card Industry Data Security Standard (PCI DSS) is a set of requirements that organizations handling credit and debit card information must follow. The PCI requirements apply to all aspects of card processing, including storage, transmission, and processing. Organizations must meet all 12 PCI requirements to be compliant.
The requirements are divided into six categories or control objectives. They are:
1. Build and Maintain a Secure Network
2. Protect Cardholder Data
3. Maintain a Vulnerability Management Program
4. Implement Strong Access Control Measures
5. Regularly Monitor and Test Networks
6. Maintain an Information Security Policy
Failure to comply with PCI DSS can result in hefty fines and the loss of the privilege to process credit cards.
What is the goal of the new PCI requirements (PCI 4.0)?
The new version of the PCI requirements is based on the four aims established by the PCI Council:
Continue to meet the payments industry's security needs
Encourage security to be viewed as a continuous process
Add flexibility for various methodologies
Methods and methods for validation should be improved
These objectives derive from recognizing the growing threat of cyberattacks and the necessity to reduce risk when securing data in the payment environment.
The new version enables the inclusion of custom controls by holding onto the control object. It also strives to Improve the validation of security processes and procedures provided in audit reports like the RoC (Report of Compliance), the Self-Assessment Questionnaire, and the AoC summary (Assessment of Compliance).
Requirements 10, 11, and 12
Requirements 10 through 12 of An Appealing View for the C-Suite should arouse the curiosity of any C-Level executive. They are organized into two categories:
1. Networks should be monitored and tested regularly
Requirement 10: Log and monitor all system components and cardholder data access.
Requirement 11: Test the security of systems and networks regularly.
2. Maintain a Policy on Information Security
Requirement 12: Support Information Security with Organizational Policies and Programs.
Requirement 10 states that an organization must gather logs and do specific things with them. Another example of changing language is the phrase "audit trail," which has been changed to "audit log." The salient element of Requirement 10, notably section 1.4.1, is that card processors must employ automated processes to execute audit log checks.
According to the updated version, the goal is as follows:
"Due to the volume of log data created, manual log reviews are challenging to accomplish, even for one or two systems. However, log harvesting, parsing, and alerting tools, centralized log management systems, event log analyzers, and security information and event management (SIEM) solutions can aid by highlighting log events that need to be analyzed."
Setting up controls and testing them is the best way to validate their effectiveness. Requirement 11 focuses on this aspect. The new version is more complicated than the older one. For example, the requirement now calls for authenticated vulnerability scanning. It is no longer sufficient to hire an outside firm to do an external penetration test while denying them access.
The penetration testing requirement allows a company's business risk to determine remedial actions rather than the severity of findings. For instance, if there are various vulnerabilities, just because one is exploitable or has a higher vulnerability score doesn't mean it poses a higher risk. It is a welcome change as many companies fail to grasp the logic behind vulnerability scanning.
Requirement 12 calls for inter-departmental cooperation to ensure effective management. The requirement's name is straightforward: "Support information security with organizational policies and programs." The PCI DSS component of this is simple. It is suggested that to be secure, you must define people, processes, roles, and responsibilities within your business.
However, one notable change is the removal of Requirement 12.2 from PCI 3.2.1. That requirement emphasized the demand for an organizational risk assessment. It is no longer permissible in version 4.0. A corporation must carry out a specific risk analysis rather than a corporate risk assessment.
The PCI Data Security Standard (PCI DSS) is a global standard that establishes a foundation of technical and operational criteria for protecting account data. With version change, PCI requirements seek to enforce privacy and cybersecurity norms more stringently.