Professional Documents
Culture Documents
of Compliance
Navigating PCI DSS v4.0
PCI DSS v4.0, the latest iteration of the Payment Card Industry Data
Security Standard is designed to address the evolving challenges and
emerging threats in the payment card industry.
Maintain an
1 Protect
Information 6 2 Account
Security Policy Data
DSS
Regularly
5 3 Maintain a
Vulnerability
Monitor and
Test Networks 4 Management
Program
Implement Strong
Access Control
Measures
www.qrcsolutionz.com
PCI Data Security
Standard Requirements
www.qrcsolutionz.com
IMPLEMENTATION TIMELINE
FOR v4.0
Source : Reference Taken from PCI DSS 4.0 Standard published by PCI SSC.
Organizations are granted the period until March 31, 2024, for assessment
under either PCI DSS v3.2.1 or v4.0. Post this date, on March 31, 2024, v3.2.1
will be phased out, mandating all organizations to undergo assessment
following PCI DSS v4.0.
www.qrcsolutionz.com
REVISIONS IN THE PCI DSS 4.0 REQUIREMENTS
Do not use vendor-supplied defaults for system Apply secure configurations to all system
2. 2.
passwords and other security parameters components
Protect all systems against malware and regularly Protect all systems and networks from
5. 5.
update anti-virus software or programs malicious software
Develop and maintain secure systems and Develop and maintain secure systems and
6. 6.
applications softwares
Restrict access to cardholder data by business Restrict access to system components and
7. 7.
need to know cardholder data by business need to know
Identify and authenticate access to system Identify users and authenticate access to
8. 8.
components system components
9. Restrict physical access to card holder data 9. Restrict physical access to cardholder data
Track and monitor all access to network resources Log and monitor all access to system
10. 10.
and cardholder data components and cardholder data
www.qrcsolutionz.com
NEW REQUIREMENTS IN PCI DSS v4.0
The PCI DSS v4.0 comprises of a substantial number of new requirements
— 64 in total. New requirements will taper in overtimewith only 13 of those
64 being effective immediately when using 4.0.
Applicable to
64
All Entities Service Providers Only
53 11
The additional 51 remain “best practices” until March 2025, when they too
will be required to complete a PCI DSS assessment after v3.2.1 is retired.
www.qrcsolutionz.com
Key Compliance Processes You Need to
Implement Before March 31, 2024
www.qrcsolutionz.com
# Targeted Risk Assessments (TRAs) :
Practice of conducting Targeted Risk Assessments (TRAs) remains
essential until March 2025. Nevertheless, the sooner you engage your Risk
Assessment team in this process, the smoother the transition will be.
# Customized Approach :
If you're considering employing customized approach to fulfill specific PCI
DSS Requirements, I strongly advise exercising caution. The new tailored
approach introduced in PCI DSS version 4.0 might not be the enthusiastic
solution you've been anticipating.
www.qrcsolutionz.com
Customized Approach won't reduce compliance expenses, and it
distinctly differs from a compensating control.
PCI SSC brought forth the Items Noted For Improvement (INFI) worksheet
requirement to be included alongside your annual Report on Compliance.
With regard to INFI, it's preferable for you to pinpoint the security controls
and processes that necessitate enhancement or rectification, and take
appropriate action. This demonstrates to both your Qualified Security
Assessor (QSA) and Acquirer that you treat your PCI Compliance duties
with utmost seriousness.
www.qrcsolutionz.com
CHECKLIST - CONTROLS TO BE IMPLEMENTED
IMMEDIATELY TO COMPLY WITH PCI DSSv4.0
PCI v4.0
Controls In Place ?
Requirements
Reference Taken from PCI DSS 4.0 Summary of Changes, published by PCI SSC.
www.qrcsolutionz.com
CHECKLIST - CONTROLS AS BEST PRACTICES
UNTIL 31ST MARCH 2025
PCI v4.0
Controls In Place ?
Requirements
For Issuers and companies that support issuing process any storage
of sensitive authentication data is :
No
3.3.3
Limited to business needs.
Encrypted using strong cryptography.
www.qrcsolutionz.com
CHECKLIST - CONTROLS AS BEST PRACTICES
UNTIL 31ST MARCH 2025
PCI v4.0
Controls In Place ?
Requirements
www.qrcsolutionz.com
CHECKLIST - CONTROLS AS BEST PRACTICES
UNTIL 31ST MARCH 2025
PCI v4.0
Controls In Place ?
Requirements
www.qrcsolutionz.com
CHECKLIST - CONTROLS AS BEST PRACTICES
UNTIL 31ST MARCH 2025
PCI v4.0
Controls In Place ?
Requirements
All payment page scripts that are loaded and executed in the
consumer’s browser are managed as follows :
A method is implemented to confirm that each script is authorized. No
6.4.3
A method is implemented to assure the integrity of each script.
An inventory of all scripts is maintained with written justification as
to why each is necessary.
All application and system accounts and related access privileges are
assigned and managed as follows:
Based on the least privileges necessary for the operability of the No
7.2.5
system or application.
Access is limited to the systems, applications, or processes that
specifically require their use.
www.qrcsolutionz.com
CHECKLIST - CONTROLS AS BEST PRACTICES
UNTIL 31ST MARCH 2025
PCI v4.0
Controls In Place ?
Requirements
www.qrcsolutionz.com
CHECKLIST - CONTROLS AS BEST PRACTICES
UNTIL 31ST MARCH 2025
PCI v4.0
Controls In Place ?
Requirements
www.qrcsolutionz.com
CHECKLIST - CONTROLS AS BEST PRACTICES
UNTIL 31ST MARCH 2025
PCI v4.0
Controls In Place ?
Requirements
www.qrcsolutionz.com
CHECKLIST - CONTROLS AS BEST PRACTICES
UNTIL 31ST MARCH 2025
PCI v4.0
Controls In Place ?
Requirements
Failures of any critical security controls systems are responded to
promptly, including but not limited to :
Restoring security functions.
Identifying and documenting the duration (date and time from start
to end) of the security failure.
Identifying and documenting the cause(s) of failure and
documenting required remediation. No
10.7.3
Identifying and addressing any security issues that arose during
the failure.
Determining whether further actions are required as a result of the
security failure.
Implementing controls to prevent the cause of failure from
reoccurring.
Resuming monitoring of security controls.
www.qrcsolutionz.com
CHECKLIST - CONTROLS AS BEST PRACTICES
UNTIL 31ST MARCH 2025
PCI v4.0
Controls In Place ?
Requirements
OR
www.qrcsolutionz.com
CHECKLIST - CONTROLS AS BEST PRACTICES
UNTIL 31ST MARCH 2025
PCI v4.0
Controls In Place ?
Requirements
Each PCI DSS requirement that provides flexibility for how frequently
it is performed (for example, requirements to be performed
periodically) is supported by a targeted risk analysis that is
documented and includes :
www.qrcsolutionz.com
CHECKLIST - CONTROLS AS BEST PRACTICES
UNTIL 31ST MARCH 2025
PCI v4.0
Controls In Place ?
Requirements
www.qrcsolutionz.com
CHECKLIST - CONTROLS AS BEST PRACTICES
UNTIL 31ST MARCH 2025
PCI v4.0
Controls In Place ?
Requirements
No
12.10.5 Intrusion-detection and intrusion-prevention systems.
Network security controls.
Change-detection mechanisms for critical files.
The change-and tamper-detection mechanism for payment pages.
Detection of unauthorized wireless access points.
www.qrcsolutionz.com
CHECKLIST - CONTROLS AS BEST PRACTICES
UNTIL 31ST MARCH 2025
PCI v4.0
Controls In Place ?
Requirements
www.qrcsolutionz.com
STAY TUNED . . .
Follow
for more
pf@±²c¹ ÇÁpìʼnc
ÞÞÞʼn±²c¹ ÇÁpìʼnc