PCI DSS v4.0 Summary Of Changes

Security Testing Above and Beyond

Security testing for PCI DSS 4.0 is getting reconditioned, in that security testing throughout the year will be required to more strict requirements compared to that of PCI DSS 3.2.1. Citing the PCI DSS 3.2.1 standard, there were fewer security controls to monitor systems throughout the year, such as quarterly internal (Requirement 11.2.1) and external vulnerability scans, (Requirement 11.2.2) as well as process examinations for service providers to ensure appropriate procedures were in place and being followed by the system administrators (Requirement 12.11).

New security testing standards will include an evolving requirement for 11.2.1, wherein other applicable vulnerabilities found during an internal scan must be addressed and managed. Internal scanning will also now require credentials for the scanning engine not previously required. Scanning engines with more permissions may produce more results as credentialed scans will have more insight into production systems. New penetration testing requirements for multi-tenant service providers is required for service providers. PCI DSS 4.0 implements a review of cryptographic suites used for transmission of cardholder data (Requirement 12.3.3) not found in the old standard.

Enhanced Multi-Factor Authentication Criteria

Multifactor authentication for administrative access into the cardholder data environment was adopted in v3.2.1 and has been a PCI standard since (Requirement 8.3). However, the implementation of multi-factor authentication for all users is a future-dated requirement in the PCI DSS 4.0 (Requirement 8.4.2). The new standard mandates that all access into the CDE be demarked by multi-factor authentication, causing both users and administrators to perform MFA at their workstations. Note, that as with the old Requirement 8.3, this does not apply for application or system accounts performing automated functions nor for individuals on POS systems who have access to only one credit card number at a time. There is also additional clarification on multi-factor authentication, where if the CDE resides within a corporate network, the demarcation point would be the boundary of the CDE, whereas if the CDE is entirely isolated and remote accessed, MFA would be required upon entering the CDE at that remote connection point.

Additional Firewall and Network Security Guidance

Requirements for firewalls are being updated as well, in that a wider range of network control devices are being considered and denoted. The PCI DSS 3.2.1 references with firewalls and routers have been replaced with a broader range of technologies to the evolving network control device technologies to be implemented. Additional guidance on appropriate inbound and outbound traffic for CDE networks was revised to make requirements easily applicable to different network topographies and ensure change control is appropriately documented and approved.

Storage of Cardholder Data and Encryption

Encryption and storage of cardholder data for PCI DSS 4.0 are more robust, in that many of the requirements have been enhanced or added in an effort to catalog cryptographic systems and processes as well as assign responsibilities for these elements. Sensitive Authentication Data (SAD) will now have storage requirements for pre-authorization (Requirement 3.2.1, 3.2.2) if stored within a CDE, whereas standard 3.2.1 did not address this issue. The new standard also outlines additional guidance on the appropriate deployment of disk or partition-level encryption standards for the protection of stored PAN within the production environment and removable stored media (Requirement 3.5.1.2).

Summary of Changes

There will be many changes to the PCI DSS 3.2.1ng technologies, network topographies, and third-party service provider relations. The new PCI DSS 4.0 standard boasts new requirements to address these areas and evolving requirements which would take the outlined standards one step further toward a more secure infrastructure. For additional information on these changes, review the summary of changes document available on the PCI-DSS council website.