PCI DSS was first published roughly 20 years ago to reduce the risk of major breaches of card data at financial services firms, retailers and any other organization that stores, processes or transmits this information; the current version, PCI DSS 4.0, was released in 2022. As AI tooling and a mature cybercrime supply chain tilt the advantage further toward threat actors, the security practices the standard mandates are more relevant today than ever. Yet achieving and maintaining compliance can take significant time and effort.
To help organizations understand where to start, we put together this three-part blog series, outlining the six control objectives and 12 requirements of PCI DSS 4.0. In the final part, we highlight Requirements 10-12, and show how comforte can help:
Regularly Monitor and Test Networks
Requirement 10: Log and monitor all access to system components and cardholder data
Perimeter defences are one thing, but threat actors routinely get past them on the way to card data. Logging and monitoring exist for that case: they give security teams a way to spot suspicious activity early and to reconstruct what happened afterwards. PCI DSS mandates audit logs on all system components and throughout the cardholder data environment (CDE), covering access to cardholder data. The obligation applies to all relevant employee, contractor, consultant and internal/external vendor activities, as well as those of other third parties.
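As an added example (not part of the original post and not comforte's code), the following Python shows the two properties Requirement 10 asks of audit logs: tamper-evidence, via an HMAC chain in which each record's tag also covers the previous record's tag, so that any edit, deletion or reordering is detectable; and detection, via a simple check that flags access to a cardholder-data object by identities outside an authorized set, or in bulk. The sample records, the `cde.cards` object name, the authorized set, the threshold and the key are all constructed for illustration.

```python
import hashlib
import hmac
import json

# Hypothetical key held only by the log collector, never by the systems
# that emit events (otherwise a compromised emitter could re-sign history).
LOG_KEY = b"example-key-not-for-production"

# Constructed sample events: accesses to a hypothetical cardholder-data table.
SAMPLE_EVENTS = [
    {"ts": "2024-05-01T09:12:04Z", "user": "svc-payments", "action": "READ", "object": "cde.cards", "rows": 1},
    {"ts": "2024-05-01T09:13:51Z", "user": "svc-payments", "action": "READ", "object": "cde.cards", "rows": 1},
    {"ts": "2024-05-01T22:47:10Z", "user": "jdoe", "action": "READ", "object": "cde.cards", "rows": 1},
    {"ts": "2024-05-02T03:05:33Z", "user": "svc-payments", "action": "EXPORT", "object": "cde.cards", "rows": 250000},
]

# Hypothetical allow-list of identities permitted to touch each CDE object.
AUTHORIZED = {"cde.cards": {"svc-payments", "dba-oncall"}}
BULK_THRESHOLD = 1000  # rows per single action above which we alert

GENESIS = "0" * 64


def _canonical(event):
    # Deterministic serialisation so the same event always yields the same tag.
    return json.dumps(event, sort_keys=True, separators=(",", ":"))


def append_entry(chain, event):
    """Append an event whose tag is HMAC(key, previous_tag || canonical event)."""
    prev = chain[-1]["tag"] if chain else GENESIS
    tag = hmac.new(LOG_KEY, (prev + _canonical(event)).encode(), hashlib.sha256).hexdigest()
    chain.append({"event": dict(event), "prev": prev, "tag": tag})
    return chain


def build_chain(events):
    chain = []
    for e in events:
        append_entry(chain, e)
    return chain


def verify_chain(chain):
    """Return the index of the first bad entry, or -1 if the chain is intact.

    An edited event changes its tag; a deleted or reordered entry breaks the
    prev link of the entry that follows it.
    """
    prev = GENESIS
    for i, entry in enumerate(chain):
        expected = hmac.new(LOG_KEY, (prev + _canonical(entry["event"])).encode(),
                            hashlib.sha256).hexdigest()
        if entry["prev"] != prev or not hmac.compare_digest(entry["tag"], expected):
            return i
        prev = entry["tag"]
    return -1


def detect_anomalies(events):
    """Flag access by unauthorized identities and bulk reads/exports of CDE data."""
    findings = []
    for e in events:
        allowed = AUTHORIZED.get(e["object"], set())
        if e["user"] not in allowed:
            findings.append((e["ts"], e["user"], "unauthorized identity accessed " + e["object"]))
        if e["rows"] >= BULK_THRESHOLD:
            findings.append((e["ts"], e["user"], f"bulk {e['action']} of {e['rows']} rows"))
    return findings


if __name__ == "__main__":
    chain = build_chain(SAMPLE_EVENTS)
    print("intact chain check:", verify_chain(chain))
    chain[2]["event"]["user"] = "svc-payments"  # attacker rewrites who accessed the data
    print("after tampering, first bad entry:", verify_chain(chain))
    for f in detect_anomalies(SAMPLE_EVENTS):
        print("ALERT", *f)
```

The tags only help if the key is unavailable to whoever could alter the log, so in practice the chain is computed on a separate collector and the latest tag is periodically anchored somewhere the emitting systems cannot write.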
Requirement 11: Test security of systems and networks regularly
The number of vulnerabilities (CVEs) published each year continues to break records; last year it reached nearly 29,000. That figure does not include flaws found by threat actors and never disclosed to vendors. That is why PCI DSS requires system components, processes and custom software to be tested frequently, so that security controls can be shown to remain effective rather than assumed to.
Maintain an Information Security Policy
Requirement 12: Support information security with organizational policies and programs
Policy matters. It is the unsung hero of information security: it articulates the security culture of the entire organization and tells employees what they are expected to do and how they are expected to act from a cybersecurity perspective. This final PCI DSS 4.0 requirement mandates that all personnel are aware of the sensitivity of payment account data and of their responsibilities to protect it. It extends to any relevant full-time, part-time and temporary employees, contractors and consultants: anyone with responsibility for protecting card data, or whose role may affect the security of that data.
How comforte can help
No technology can magically deliver PCI DSS 4.0 compliance. However, the comforte SecureDPS solution can reduce the time, cost and effort associated with the process. At a high level, it is an enterprise-grade data protection platform that delivers:
- Continuous data discovery and classification to uncover cardholder data wherever it resides in the organization
- Strong protection of cardholder data in line with PCI DSS requirements, via format-preserving encryption, tokenization and other methods, including during transmission over open, public networks
- Restricted access to cardholder data to authorized personnel only
An independent analysis of the SecureDPS solution by Coalfire confirms that it supports PCI DSS 4.0 compliance in the following ways:
Requirement 10:
10.2 Audit logs are implemented to support the detection of anomalies and suspicious activity, and the forensic analysis of events.
10.3 Audit logs are protected from destruction and unauthorized modifications.
10.5 Audit log history is retained and available for analysis.
Requirement 12:
12.3 Targeted risks to the cardholder data environment are formally identified, evaluated and managed.
12.5 PCI DSS scope is documented and validated.
Comforte SecureDPS is already helping some of the world’s largest and most demanding financial institutions streamline their PCI DSS 4.0 compliance programs.